Hello!

On Thu, Jun 25, 2015 at 06:16:42PM +0900, Edho Arief wrote:

> I noticed that trac.nginx.org has https/SNI configured for the host
> but no actual ssl configuration (how do you even do that):

The trac.nginx.org domain isn't available via https.

The IP address trac.nginx.org maps to does have other sites
answering on https/SNI though, and to avoid sending invalid
certificate the "ssl_ciphers aNULL;" is used in the default server
configuration. This is what causes the message you see.

> $ openssl s_client -connect trac.nginx.org:443 -servername trac.nginx.org
> CONNECTED(00000003)
> 140010415498912:error:14077410:SSL
> routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake
> failure:s23_clnt.c:770:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 318 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> ---

JFYI:

You can use something like

$ openssl s_client -connect trac.nginx.org:443 -servername trac.nginx.org -cipher aNULL

to establish a connection. (Requests won't work though, as the
same server also have "return 444;" in the configuration.)

> Relevant (which is how I noticed it in the first place):
>
> https://github.com/EFForg/https-everywhere/pull/1993

When people try to use something they weren't asked to, it
strikes back.

--
Maxim Dounin
http://nginx.org/

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx