Hi Team,
I just set up nginx on Ubuntu 24.0 and configured the proxy_pass settings; however, the page does not open and I consistently get the error below:
2024/04/01 18:10:37 [crit] 73898#73898: *5247 SSL_do_handshake() failed (SSL: error:0A0000BF:SSL routines::no protocols available) while SSL handshaking to upstream, client: xx.xx.xx, server: eb.example.com, request: "GET / HTTP/2.0", upstream: "https://xx.xx.xx.xx:443/", host: "eb.example.com"
Then I did some debugging, but I am not sure what the issue is. One thing I came to know is that the settings on the backend server are pretty low; here is what I got through openssl from my proxy server. Can someone please suggest what settings I need to consider on my nginx version? Upgrading the server is next to impossible, hence I am wondering how I can achieve this from my end.
openssl s_client -connect eb.example.com:443 -verify 3 -cipher "DEFAULT:@SECLEVEL=3"
The same error appears for depth 3, 2 and 1:
verify depth is 3
CONNECTED(00000003)
140407554741440:error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:../ssl/statem/statem_lib.c:1941:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 65 bytes and written 293 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
But when I do "0":
verify depth is 3
CONNECTED(00000003)
depth=0 CN = *.example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = *.example.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:CN = *.example.com
i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGJDCCBQygAwIBAgIRANyAOsFl1gpt8wjimmI77tIwDQYJKoZIhvcNAQELBQAw
gY8xCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO
BgNVBAcTB1NhbGZvcmQxGDAWBgNVBAoTD1NlY3RpZ28gTGltaXRlZDE3MDUGA1UE
AxMuU2VjdGlnbyBSU0EgRG9tYWluIFZhbGlkYXRpb24gU2VjdXJlIFNlcnZlciBD
QTAeFw0yMzEwMTMwMDAwMDBaFw0yNDExMTIyMzU5NTlaMBQxEjAQBgNVBAMMCSou
ZG5zYi5pbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANZZIGpjN8uZ
oaGHjCBuZoA2bcr3KP8GqDTddJNC60WIPtIC+mHm8GaRw0xtOdo4AI59D6PaIISR
(Redacted)
-----END CERTIFICATE-----
subject=CN = *.example.com
issuer=C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Peer signing digest: MD5-SHA1
Peer signature type: RSA
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 2481 bytes and written 516 bytes
Verification error: unable to verify the first certificate
---
New, SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 3C630FBB568360A155D8...........................
Session-ID-ctx:
Master-Key: 020511075BC573C.........................
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket:
0000 - 0a a8 26 26 4a eb bc e5-d1 45 f6 78 42 42 b0 1e ..&&J....E.xBB..
0010 - e1 46 e7 d5 c7 b3 73 51-ad b8 81 d3 3f 19 a9 e6 .F....sQ....?...
(Redacted)
Start Time: 1711977420
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
Extended master secret: no
Can someone please help?
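An nginx configuration for this situation, added here as an example and not taken from the original post. It assumes the server name and upstream address from the redacted error message and placeholder certificate paths; the directives are the standard ngx_http_proxy_module ones. The handshake output above shows the backend negotiating only TLSv1 with a 1024-bit DHE key and an RSA/MD5-SHA1 signature, which OpenSSL 3 on Ubuntu 24.04 refuses at its default security level, so the proxy side has to lower the level for this upstream only.

```nginx
# Added example (not from the original post). Hostnames, addresses and
# certificate paths are placeholders taken from the redacted error message.
server {
    listen 443 ssl http2;
    server_name eb.example.com;

    # Client-facing side stays modern; only the upstream leg is relaxed.
    ssl_certificate     /etc/nginx/tls/eb.example.com.fullchain.pem;  # assumed path
    ssl_certificate_key /etc/nginx/tls/eb.example.com.key;            # assumed path
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass https://xx.xx.xx.xx:443;

        # OpenSSL 3 only offers TLSv1/TLSv1.1 at security level 0, and the
        # upstream's 1024-bit DH key is rejected at level 2 (the Ubuntu
        # default). Both settings are needed, or the handshake ends with
        # "no protocols available" as in the error log above.
        proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        proxy_ssl_ciphers   "DEFAULT:@SECLEVEL=0";

        # Send SNI so the backend's wildcard certificate / virtual host matches.
        proxy_ssl_server_name on;
        proxy_ssl_name eb.example.com;

        # proxy_ssl_verify is off by default. Turning it on fails against this
        # backend because it does not send its intermediate CA (verify error 21
        # in the s_client output); to keep verification, ship the Sectigo
        # intermediate and root in a bundle and point nginx at it.
        # proxy_ssl_verify on;
        # proxy_ssl_verify_depth 2;
        # proxy_ssl_trusted_certificate /etc/nginx/tls/sectigo-chain.pem;  # assumed path

        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Before reloading nginx, confirm from the proxy host that the relaxed parameters are what the backend needs: `openssl s_client -connect eb.example.com:443 -tls1 -cipher "DEFAULT:@SECLEVEL=0"` should complete with "Protocol : TLSv1" as in the second capture above, whereas the same command at SECLEVEL=2 or 3 reproduces the "unsupported protocol" failure. Be clear about what this buys: the upstream leg is deliberately downgraded to TLS 1.0 with a 1024-bit DH group and, unless the commented verification lines are enabled with a proper chain, the backend certificate is not checked at all. Keep that scoped to this one location block and treat it as a stop-gap until the backend can be upgraded.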