Hello!

On Fri, Aug 16, 2019 at 02:15:22PM -0400, benztoy wrote:

> I want to run two nginx services on one host. They are nginxA and nginxB
> nginxA listening on https443 port. Only the tslv1.3 protocol is available.
> The configuration file is as follows:

[...]

>     Server {
>         Listen 443 ssl;
>         Server_name localhost;
>
>         Ssl_certificate cert.pem;
>         Ssl_certificate_key cert.key;
>
>         Ssl_session_cache shared: SSL: 1m;
>         Ssl_session_timeout 5m;
> Ssl_protocols TLSv1.3;

So only TLSv1.3 is enabled on the 443 port.

[...]

> location / {
> proxy_pass https://127.0.0.1/;
> proxy_ssl_session_reuse off;
> }

And no proxy_ssl_protocols set for proxying, so it only has TLSv1,
TLSv1.1, and TLSv1.2 enabled by default.

[...]

> But when I visit https://127.0.0.1:444
> Return to 502 Bad Gateway
> Among them, nginx serving port 444 has error.log:
> SSL_do_handshake() failed (SSL: error:1409442E:SSL
> routines:ssl3_read_bytes:tlsv1 alert protocol version:SSL alert number 70)
> while SSL handshaking to upstream, client: 127.0.0.1, server: localhost,
> request: "GET / HTTP/1.1 ", upstream: "https://127.0.0.1:443/", host:
> "127.0.0.1:444"
>
>
> Dear friends, What is the reason for this?
> My first service ssl protocol version of nginxA must be tslv1.3 only. There
> is no other lower version. Can I successfully access https://127.0.0.1:444
> by modifying the nginxA or nginxB configuration file?

The problem is that you are trying to connect to a TLSv1.3-only
port by using the proxy not configured to use TLSv1.3. You have
to enable TLSv1.3 in your proxy configuration, something like:

proxy_ssl_protocol TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;

should work. See http://nginx.org/r/proxy_ssl_protocols for
additional details.

--
Maxim Dounin
http://mdounin.ru/
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx