Re: Client can't negotiate with TLS 1.0 and 1.1

Fabiano Furtado Pessoa Coelho
August 24, 2022 08:20PM
Hi... same behavior! :(

secure.example.com = 10.0.0.1
insecure.example.com = 10.0.0.2

Using curl with "host" header:
$ curl -kv --tlsv1.0 --tls-max 1.1 -H 'host: insecure.example.com' https://10.0.0.2/
* Trying 10.0.0.2:443...
* Connected to 10.0.0.2 (10.0.0.2) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.1 (OUT), TLS handshake, Client hello (1):
* TLSv1.1 (IN), TLS header, Unknown (21):
* TLSv1.1 (IN), TLS alert, internal error (592):
* error:0A000438:SSL routines::tlsv1 alert internal error
* Closing connection 0
curl: (35) error:0A000438:SSL routines::tlsv1 alert internal error

Using curl without "host" header:
$ curl -kv --tlsv1.0 --tls-max 1.1 https://10.0.0.2/
* Trying 10.0.0.2:443...
* Connected to 10.0.0.2 (10.0.0.2) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.1 (OUT), TLS handshake, Client hello (1):
* TLSv1.1 (IN), TLS header, Unknown (21):
* TLSv1.1 (IN), TLS alert, internal error (592):
* error:0A000438:SSL routines::tlsv1 alert internal error
* Closing connection 0
curl: (35) error:0A000438:SSL routines::tlsv1 alert internal error



On Wed, Aug 24, 2022 at 5:45 PM Maxim Dounin <mdounin@mdounin.ru> wrote:
>
> Hello!
>
> On Wed, Aug 24, 2022 at 05:22:10PM -0300, Fabiano Furtado Pessoa Coelho wrote:
>
> > I'm using NGINX 1.22.0 with OpenSSL 3.0.5 in a Linux x86_64 server
> > with one NIC and 2 IPs, with the following config:

[...]

> What's the IP address of "insecure.example.com" in your tests?
> What happens when you test with IP addresses you've configured,
> 10.0.0.1 and 10.0.0.2, rather than names?
>
> --
> Maxim Dounin
> http://mdounin.ru/
> _______________________________________________
> nginx mailing list -- nginx@nginx.org
> To unsubscribe send an email to nginx-leave@nginx.org