SSL alert number 70 with TLSv1.3

Time:02-12

# nginx -V
nginx version: nginx/1.21.4
built with OpenSSL 1.1.1f  31 Mar 2020

I've configured nginx to support TLSv1.3.

ssl_protocols  TLSv1.2 TLSv1.3;

but I can't reach my host using TLSv1.3:

# openssl s_client -connect hostname.com:443 -tls1_3
CONNECTED(00000003)
140544753464640:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:../ssl/record/rec_layer_s3.c:1543:SSL alert number 70
---
no peer certificate available
...

only TLSv1.2 works:

# openssl s_client -connect hostname.com:443 -tls1_2
CONNECTED(00000003)
...

Any host, like google.com or cloudflare.com, connects fine using the same openssl command.


I've also read this thread and double-checked that I have one and only one ssl_protocols line, via cd /etc/nginx; grep -rl "ssl_protocols", which outputs only one file.
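The two openssl s_client runs above differ only in the error line, and "CONNECTED(00000003)" appears in both because it reports the TCP connect, not a completed TLS handshake. The following Python is an added example (not part of the question or the OpenSSL project) that parses an OpenSSL 1.1.x error line into its fields, maps the trailing "SSL alert number N" to the alert name from RFC 8446, and classifies a whole s_client transcript. The alert table and the TLSv1.2 transcript are constructed for the example; the TLSv1.3 transcript is the one quoted above.

```python
import re

# TLS alert descriptions (RFC 8446, section 6). Alert 70 is the one from the question.
TLS_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 86: "inappropriate_fallback",
    90: "user_canceled", 109: "missing_extension", 110: "unsupported_extension",
    112: "unrecognized_name", 113: "bad_certificate_status_response",
    115: "unknown_psk_identity", 116: "certificate_required",
    120: "no_application_protocol",
}

# OpenSSL 1.1.x error-line layout:
# <thread>:error:<hex code>:<library>:<function>:<reason>:<file>:<line>:<extra text>
OPENSSL_ERR = re.compile(
    r"^(?P<thread>\d+):error:(?P<code>[0-9A-Fa-f]+):(?P<lib>[^:]*):(?P<func>[^:]*):"
    r"(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+)(?::(?P<extra>.*))?$"
)
ALERT_NUM = re.compile(r"SSL alert number (\d+)")
SESSION_PROTO = re.compile(r"^\s*Protocol\s*:\s*(\S+)")


def parse_openssl_error(line):
    """Split one OpenSSL error line into its fields; None if the line is not an error line."""
    m = OPENSSL_ERR.match(line.strip())
    if not m:
        return None
    info = m.groupdict()
    info["line"] = int(info["line"])
    alert = ALERT_NUM.search(info.get("extra") or "")
    info["alert_number"] = int(alert.group(1)) if alert else None
    info["alert_name"] = TLS_ALERTS.get(info["alert_number"], "unknown") if alert else None
    return info


def summarize_probe(output):
    """Classify an `openssl s_client` transcript.

    Returns ("alert", <name>) when the peer sent a TLS alert, ("error", <reason>) for
    other OpenSSL errors, ("ok", <protocol or None>) when the handshake completed, and
    ("no_connection", None) when not even TCP connected.
    """
    proto = None
    for line in output.splitlines():
        err = parse_openssl_error(line)
        if err:
            if err["alert_number"] is not None:
                return ("alert", err["alert_name"])
            return ("error", err["reason"])
        m = SESSION_PROTO.match(line)
        if m:
            proto = m.group(1)
    # CONNECTED alone only proves TCP reachability; the checks above decide the TLS outcome.
    if output.startswith("CONNECTED"):
        return ("ok", proto)
    return ("no_connection", None)


# The TLSv1.3 transcript quoted in the question.
TLS13_OUTPUT = """CONNECTED(00000003)
140544753464640:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:../ssl/record/rec_layer_s3.c:1543:SSL alert number 70
---
no peer certificate available
"""

# Constructed TLSv1.2 transcript (the question elides this part of the output).
TLS12_OUTPUT = """CONNECTED(00000003)
---
Certificate chain
 0 s:CN = hostname.com
---
SSL-Session:
    Protocol  : TLSv1.2
"""

if __name__ == "__main__":
    for name, out in (("tls1_3", TLS13_OUTPUT), ("tls1_2", TLS12_OUTPUT)):
        print(name, summarize_probe(out))
```

Run it as-is to see the quoted TLSv1.3 transcript classified as ("alert", "protocol_version") while the TLSv1.2 one is reported as a completed handshake; feeding it real `openssl s_client ... 2>&1` output works the same way, since the error line format is what OpenSSL 1.1.x prints to stderr.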

CodePudding user response:

I've found my issue: I'd configured a default "catch-all" server like this:

server {
    listen 443 ssl default_server;
    ssl_reject_handshake on;
}

As specified in the docs here: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_reject_handshake

The problem is fixed by removing ssl_reject_handshake on; and instead returning 444 on that server, like:

server {
    listen 443 ssl default_server;
    ssl_certificate ssl/cert.pem;
    return 444;
}

This is a known bug and should be fixed with OpenSSL 1.1.1h.
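Because the offending directive sits in a separate catch-all server block, a grep for ssl_protocols (as in the question) never finds it. The Python below is an added example, not the answerer's code or part of nginx, that does the check this answer implies: it walks every server block of an nginx config, flags any default_server ssl listener that has ssl_reject_handshake on, and only reports it when the OpenSSL version from nginx -V is older than 1.1.1h (the version the answer names as carrying the fix; that cut-off is taken from the answer, not verified here). The sample configs and the ssl_certificate_key line are constructed for the example.

```python
import re

# Version the answer above says fixes the TLSv1.3 + ssl_reject_handshake problem (assumption from the answer).
FIXED_IN = (1, 1, 1, "h")


def strip_comments(text):
    """Drop `# ...` comments so a commented-out directive is not matched."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def server_blocks(config):
    """Yield the body text of every `server { ... }` block, matching braces by depth."""
    text = strip_comments(config)
    for m in re.finditer(r"\bserver\s*\{", text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield text[m.end(): i - 1]


def directives(body):
    """Return (name, args) for each directive directly inside body; nested blocks are skipped."""
    out, depth, cur = [], 0, []
    for ch in body:
        if ch == "{":
            if depth == 0:
                cur = []          # discard the `location /` prefix of a nested block
            depth += 1
        elif ch == "}":
            depth -= 1
        elif depth == 0:
            if ch == ";":
                parts = "".join(cur).split()
                if parts:
                    out.append((parts[0], parts[1:]))
                cur = []
            else:
                cur.append(ch)
    return out


def openssl_version(nginx_v_output):
    """Parse the `built with OpenSSL x.y.z<letter>` line of `nginx -V` into a comparable tuple."""
    m = re.search(r"built with OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)", nginx_v_output)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def audit_reject_handshake(config, nginx_v_output):
    """Indexes of server blocks that combine `listen ... ssl default_server` with
    `ssl_reject_handshake on` on an OpenSSL build older than FIXED_IN (or of unknown version)."""
    ver = openssl_version(nginx_v_output)
    findings = []
    for idx, body in enumerate(server_blocks(config)):
        d = directives(body)
        default_ssl = any(n == "listen" and "ssl" in a and "default_server" in a for n, a in d)
        rejects = any(n == "ssl_reject_handshake" and a[:1] == ["on"] for n, a in d)
        if default_ssl and rejects and (ver is None or ver < FIXED_IN):
            findings.append(idx)
    return findings


# Constructed sample: the catch-all from this answer plus an ordinary vhost.
BROKEN_CONFIG = """
server {
    listen 443 ssl default_server;
    ssl_reject_handshake on;   # breaks TLSv1.3 on OpenSSL 1.1.1f per the answer
}
server {
    listen 443 ssl;
    server_name hostname.com;
    ssl_certificate ssl/cert.pem;
    ssl_certificate_key ssl/key.pem;
    location / { return 200; }
}
"""

# The replacement the answer ended up with (key line added so the config is loadable).
FIXED_CONFIG = """
server {
    listen 443 ssl default_server;
    ssl_certificate ssl/cert.pem;
    ssl_certificate_key ssl/key.pem;
    return 444;
}
"""

NGINX_V = "nginx version: nginx/1.21.4\nbuilt with OpenSSL 1.1.1f  31 Mar 2020\n"

if __name__ == "__main__":
    print("broken:", audit_reject_handshake(BROKEN_CONFIG, NGINX_V))
    print("fixed: ", audit_reject_handshake(FIXED_CONFIG, NGINX_V))
```

On a real box, feed it the concatenation of every file nginx includes (e.g. the output of `nginx -T`) rather than a single file, for the same reason the grep in the question missed the culprit: the catch-all block can live in any included file.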
