Openssl 1.1.1 + nginx 1.14.0: tls1.1 does not work

December 11, 2018 08:43AM
Good day!
Could you please suggest a solution to the following problem:
openssl 1.1.1a was built from source, nginx 1.14.0 was built from source.
tls1.3 support and some ciphers for it are enabled in the config.
The ssl config is as follows:

ssl_session_timeout 10m;
ssl_session_cache shared:SSL:100m;

ssl_dhparam /etc/nginx/dhparam.2048.pem;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers 'TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:!DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;

tls1.3 support works, clients connect. 1.2 works as well.

But 1 and 1.1 stopped working, with this error:

CONNECTED(00000003)
139733715125760:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:../ssl/record/rec_layer_s3.c:1528:SSL alert number 70
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 125 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1544535599
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---
And correspondingly in the logs:
2018/12/11 15:57:15 [crit] 26894#0: *460747266 SSL_do_handshake() failed (SSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol) while SSL handshaking, client: 10.9.211.224, server: 0.0.0.0:443
2018/12/11 16:18:06 [crit] 26894#0: *460752738 SSL_do_handshake() failed (SSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol) while SSL handshaking, client: 10.9.211.224, server: 0.0.0.0:443
2018/12/11 16:21:55 [crit] 26894#0: *460753742 SSL_do_handshake() failed (SSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol) while SSL handshaking, client: 10.9.211.224, server: 0.0.0.0:443
2018/12/11 16:39:59 [crit] 26894#0: *460758488 SSL_do_handshake() failed (SSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol) while SSL handshaking, client: 185.89.12.132, server: 0.0.0.0:443

openssl shows tls1.1 support:

openssl ciphers -v | awk '{print $2}' | sort | uniq
SSLv3
TLSv1
TLSv1.2
TLSv1.3

Please help.
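An added example, not from the post and not nginx's or OpenSSL's own code: a small Python script that parses the [crit] lines quoted above, splits each packed OpenSSL error code into its library, function and reason fields the way OpenSSL 1.1.x packs them (ERR_PACK: 8-bit library, 12-bit function, 12-bit reason; reason values of 1000 and above carry a received TLS alert as 1000 + alert number, and ERR_LIB_SSL is 20), and tallies the failures by reason and by client. The sample log is constructed from the four lines in the post plus one unrelated notice line; the function and variable names are mine.

```python
"""Tally nginx [crit] SSL handshake failures by OpenSSL reason and client.

Added example, not from the forum post. The regex targets exactly the
log format quoted in the post. The error-code layout follows OpenSSL
1.1.x ERR_PACK (8-bit library, 12-bit function, 12-bit reason); reason
codes >= 1000 encode a received TLS alert as 1000 + alert number.
"""
import re
from collections import Counter

ERR_LIB_SSL = 20        # OpenSSL's library id for "SSL routines" (0x14)
ALERT_OFFSET = 1000     # SSL_AD_REASON_OFFSET in OpenSSL

# Constructed sample: the four [crit] lines quoted in the post plus one
# unrelated notice line that the parser must skip.
SAMPLE_LOG = """\
2018/12/11 15:57:15 [crit] 26894#0: *460747266 SSL_do_handshake() failed (SSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol) while SSL handshaking, client: 10.9.211.224, server: 0.0.0.0:443
2018/12/11 16:18:06 [crit] 26894#0: *460752738 SSL_do_handshake() failed (SSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol) while SSL handshaking, client: 10.9.211.224, server: 0.0.0.0:443
2018/12/11 16:21:55 [crit] 26894#0: *460753742 SSL_do_handshake() failed (SSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol) while SSL handshaking, client: 10.9.211.224, server: 0.0.0.0:443
2018/12/11 16:39:59 [crit] 26894#0: *460758488 SSL_do_handshake() failed (SSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol) while SSL handshaking, client: 185.89.12.132, server: 0.0.0.0:443
2018/12/11 16:40:00 [notice] 26894#0: signal process started
"""

LINE_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] '
    r'(?P<pid>\d+)#(?P<tid>\d+): \*(?P<conn>\d+) SSL_do_handshake\(\) failed '
    r'\(SSL: error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib_text>[^:]+):'
    r'(?P<func_text>[^:]+):(?P<reason_text>[^)]+)\) while SSL handshaking, '
    r'client: (?P<client>[^,]+), server: (?P<server>\S+)$'
)


def decode_openssl_error(code_hex):
    """Split a packed OpenSSL 1.1.x error code into library, function and
    reason; when the reason is an alert reason, also give the alert number."""
    code = int(code_hex, 16)
    reason = code & 0xFFF
    return {
        "lib": code >> 24,
        "func": (code >> 12) & 0xFFF,
        "reason": reason,
        "alert": reason - ALERT_OFFSET if reason >= ALERT_OFFSET else None,
    }


def parse_handshake_failures(text):
    """Return one dict per SSL_do_handshake() failure line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev.update(decode_openssl_error(ev["code"]))
        events.append(ev)
    return events


def summarize(events):
    """Count failures by OpenSSL reason string and by client address."""
    by_reason = Counter(e["reason_text"] for e in events)
    by_client = Counter(e["client"] for e in events)
    return by_reason, by_client


if __name__ == "__main__":
    evs = parse_handshake_failures(SAMPLE_LOG)
    by_reason, by_client = summarize(evs)
    for reason, n in by_reason.most_common():
        print(f"{n:4d}  {reason}")
    for client, n in by_client.most_common():
        print(f"{n:4d}  {client}")
    # The s_client output in the post carries error 1409442E; its reason
    # field decodes to 1070, i.e. TLS alert 70, matching "SSL alert number 70".
    print(decode_openssl_error("1409442E"))
```

Run over the real error log, this shows how many distinct clients still fail with "unsupported protocol", which is the number an operator wants before deciding whether legacy TLS versions need to be offered at all; decoding the 1409442E code from the s_client output above yields alert 70, the same "protocol version" alert the output reports.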
Thread (subject, author, posted):

Openssl 1.1.1 + nginx 1.14.0: tls1.1 does not work - ingtar, December 11, 2018 08:43AM
Re: Openssl 1.1.1 + nginx 1.14.0: tls1.1 does not work - ingtar, December 11, 2018 08:44AM
Re: Openssl 1.1.1 + nginx 1.14.0: tls1.1 does not work - Evgeniy Berdnikov, December 11, 2018 08:54AM
Re: Openssl 1.1.1 + nginx 1.14.0: tls1.1 does not work - ingtar, December 11, 2018 09:47AM
Re: Openssl 1.1.1 + nginx 1.14.0: tls1.1 does not work - Илья Шипицин, December 11, 2018 08:58AM