Nginx

Cannot connect to the site over HTTPS (SSL_ERROR_SYSCALL)

  • January 12, 2022

I have a server running Debian 8. Yes, a very old server. But it does have something strange going on. I cannot connect to it over HTTPS:

$ curl -sSLv https://example.com
*   Trying xx.yyy.xx.yyy:443...
* Connected to example.com (xx.yyy.xx.yyy) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to example.com:443 
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to example.com:443 

$ sslscan example.com
Version: 2.0.11
OpenSSL 1.1.1m  14 Dec 2021

Connected to xx.yyy.xx.yyy

Testing SSL server example.com on port 443 using SNI name example.com

 SSL/TLS Protocols:
SSLv2     disabled
SSLv3     disabled
TLSv1.0   disabled
TLSv1.1   disabled
TLSv1.2   disabled
TLSv1.3   disabled

 TLS Fallback SCSV:
Connection failed - unable to determine TLS Fallback SCSV support

 TLS renegotiation:
Session renegotiation not supported

 TLS Compression:
OpenSSL version does not support compression
Rebuild with zlib1g-dev package for zlib support

 Heartbleed:

 Supported Server Cipher(s):
Certificate information cannot be retrieved.

$ dpkg -l | grep openssl
ii  openssl                             1.0.1t-1+deb8u12             amd64        Secure Sockets Layer toolkit - cryptographic utility

$ cat /etc/nginx/nginx.conf | grep ssl
   ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
   ssl_prefer_server_ciphers on;

$ dpkg -l | grep nginx
ii  nginx                               1.6.2-5                      all          small, powerful, scalable web/proxy server
ii  nginx-common                        1.6.2-5                      all          small, powerful, scalable web/proxy server - common files
ii  nginx-full                          1.6.2-5                      amd64        nginx web/proxy server (standard version)

To compare it with another Debian 8 server:

$ sslscan example2.com
Version: 2.0.11
OpenSSL 1.1.1m  14 Dec 2021

Connected to xx.xxx.xx.xxx

Testing SSL server example2.com on port 443 using SNI name example2.com

 SSL/TLS Protocols:
SSLv2     disabled
SSLv3     disabled
TLSv1.0   enabled
TLSv1.1   enabled
TLSv1.2   enabled
TLSv1.3   disabled

 TLS Fallback SCSV:
Server supports TLS Fallback SCSV

 TLS renegotiation:
Secure session renegotiation supported

 TLS Compression:
OpenSSL version does not support compression
Rebuild with zlib1g-dev package for zlib support

 Heartbleed:
TLSv1.2 not vulnerable to heartbleed
TLSv1.1 not vulnerable to heartbleed
TLSv1.0 not vulnerable to heartbleed

 Supported Server Cipher(s):
Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA384       Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-GCM-SHA384     DHE 1024 bits
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-SHA256         DHE 1024 bits
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-SHA            DHE 1024 bits
Accepted  TLSv1.2  256 bits  DHE-RSA-CAMELLIA256-SHA       DHE 1024 bits
Accepted  TLSv1.2  256 bits  AES256-GCM-SHA384            
Accepted  TLSv1.2  256 bits  AES256-SHA256                
Accepted  TLSv1.2  256 bits  AES256-SHA                   
Accepted  TLSv1.2  256 bits  CAMELLIA256-SHA              
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA256       Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA          Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-GCM-SHA256     DHE 1024 bits
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-SHA256         DHE 1024 bits
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-SHA            DHE 1024 bits
Accepted  TLSv1.2  128 bits  DHE-RSA-CAMELLIA128-SHA       DHE 1024 bits
Accepted  TLSv1.2  128 bits  AES128-GCM-SHA256            
Accepted  TLSv1.2  128 bits  AES128-SHA256                
Accepted  TLSv1.2  128 bits  AES128-SHA                   
Accepted  TLSv1.2  128 bits  CAMELLIA128-SHA              
Preferred TLSv1.1  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
Accepted  TLSv1.1  256 bits  DHE-RSA-AES256-SHA            DHE 1024 bits
Accepted  TLSv1.1  256 bits  DHE-RSA-CAMELLIA256-SHA       DHE 1024 bits
Accepted  TLSv1.1  256 bits  AES256-SHA                   
Accepted  TLSv1.1  256 bits  CAMELLIA256-SHA              
Accepted  TLSv1.1  128 bits  ECDHE-RSA-AES128-SHA          Curve P-256 DHE 256
Accepted  TLSv1.1  128 bits  DHE-RSA-AES128-SHA            DHE 1024 bits
Accepted  TLSv1.1  128 bits  DHE-RSA-CAMELLIA128-SHA       DHE 1024 bits
Accepted  TLSv1.1  128 bits  AES128-SHA                   
Accepted  TLSv1.1  128 bits  CAMELLIA128-SHA              
Preferred TLSv1.0  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
Accepted  TLSv1.0  256 bits  DHE-RSA-AES256-SHA            DHE 1024 bits
Accepted  TLSv1.0  256 bits  DHE-RSA-CAMELLIA256-SHA       DHE 1024 bits
Accepted  TLSv1.0  256 bits  AES256-SHA                   
Accepted  TLSv1.0  256 bits  CAMELLIA256-SHA              
Accepted  TLSv1.0  128 bits  ECDHE-RSA-AES128-SHA          Curve P-256 DHE 256
Accepted  TLSv1.0  128 bits  DHE-RSA-AES128-SHA            DHE 1024 bits
Accepted  TLSv1.0  128 bits  DHE-RSA-CAMELLIA128-SHA       DHE 1024 bits
Accepted  TLSv1.0  128 bits  AES128-SHA                   
Accepted  TLSv1.0  128 bits  CAMELLIA128-SHA              

 Server Key Exchange Group(s):
TLSv1.2  128 bits  secp256r1 (NIST P-256)

 SSL Certificate:
Signature Algorithm: sha256WithRSAEncryption
RSA Key Strength:    4096

Subject:  example2.com
Altnames: DNS:example2.com
Issuer:   R3

Not valid before: Dec 17 21:00:13 2021 GMT
Not valid after:  Mar 17 21:00:12 2022 GMT

$ dpkg -l | grep openssl
ii  openssl                          1.0.1k-3+deb8u2                                amd64        Secure Sockets Layer toolkit - cryptographic utility

$ cat /etc/nginx/nginx.conf | grep ssl
   ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
   ssl_prefer_server_ciphers on;

$ dpkg -l | grep nginx
ii  nginx                            1.6.2-5                                        all          small, powerful, scalable web/proxy server
ii  nginx-common                     1.6.2-5                                        all          small, powerful, scalable web/proxy server - common files
ii  nginx-full                       1.6.2-5                                        amd64        nginx web/proxy server (standard version)

What is wrong with the first server? How do I get HTTPS working?

One of the servers (in the nginx sense) has listen 443 ssl but no ssl_* directives. In that case you get the symptoms described in the question. That is, a problem in one server (virtual host) is affecting the other server(s) (the rest).

In the error log of the broken server you will see:

2022/01/12 02:44:46 [error] 445#0: *23 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: xx.xxx.xx.xxx, server: 0.0.0.0:443

Quoted from: https://serverfault.com/questions/1089729
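A configuration audit that catches the misconfiguration the answer describes, as an added example (not code from the question, the answer, or nginx): it parses an nginx configuration into server blocks and reports every block that enables TLS (via the ssl parameter on listen, or the legacy ssl on; directive) without an ssl_certificate of its own or one inherited from the enclosing http block. It also works out which server block nginx treats as the default for each listen port, because nginx starts the TLS handshake with the default server's SSL context before SNI is evaluated, which is why one certificate-less virtual host breaks every name on that port. The sample configuration, the hostnames and the certificate paths are constructed for illustration.

```python
"""Audit nginx configuration for server blocks that enable TLS on a listen
socket without providing an ssl_certificate.

Added example; assumes the whole configuration (including any included
files) has already been concatenated into one string."""
import re

# Constructed sample (not from the page): two virtual hosts sharing port 443.
# The first one declared becomes nginx's default server for *:443 and has
# `listen 443 ssl` but no ssl_certificate; the second one is configured
# correctly. The hostnames and paths are placeholders.
SAMPLE_CONFIG = """
http {
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;

    server {
        listen 443 ssl;
        server_name example.com;
        # no ssl_certificate / ssl_certificate_key here
    }

    server {
        listen 443 ssl;
        server_name example2.com;
        ssl_certificate     /etc/letsencrypt/live/example2.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/example2.com/privkey.pem;
    }
}
"""

# Tokens: quoted strings, the structural characters { } ;, or bare words.
_TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+')


def parse(text):
    """Parse nginx config text into a list of (name, args, children) tuples.
    children is None for a simple directive and a list for a block."""
    tokens = _TOKEN.findall(re.sub(r"#[^\n]*", "", text))  # drop comments
    pos = 0

    def block():
        nonlocal pos
        items = []
        while pos < len(tokens):
            if tokens[pos] == "}":
                pos += 1
                return items
            words = []
            while pos < len(tokens) and tokens[pos] not in (";", "{"):
                words.append(tokens[pos].strip("\"'"))
                pos += 1
            if pos == len(tokens):
                raise ValueError("unterminated directive: %r" % " ".join(words))
            terminator = tokens[pos]
            pos += 1
            children = block() if terminator == "{" else None
            items.append((words[0], words[1:], children))
        return items

    return block()


def _directive(items, name):
    """All argument lists of directives called `name` directly in `items`."""
    return [args for n, args, _ in items if n == name]


def audit(config_text):
    """Return (server_name, port, is_default_for_port) for every server block
    that enables TLS but has no ssl_certificate, own or inherited from http {}."""
    servers = []  # (server_name, listen arg lists, tls_enabled, has_cert)

    def walk(items, inherited_cert):
        # ssl_certificate is inherited from enclosing contexts (e.g. http {}).
        defines_cert = inherited_cert or bool(_directive(items, "ssl_certificate"))
        for name, _args, children in items:
            if children is None:
                continue
            if name != "server":
                walk(children, defines_cert)
                continue
            listens = _directive(children, "listen")
            tls = any("ssl" in a for a in listens) or ["on"] in _directive(children, "ssl")
            has_cert = defines_cert or bool(_directive(children, "ssl_certificate"))
            names = (_directive(children, "server_name") or [["<unnamed>"]])[0]
            servers.append((" ".join(names), listens, tls, has_cert))

    walk(parse(config_text), False)

    # nginx's default server per address:port is the one flagged default_server
    # (or the legacy "default" flag), otherwise the first one declared.
    default_for = {}
    for sname, listens, _, _ in servers:
        for listen in listens:
            if "default_server" in listen or "default" in listen:
                default_for[listen[0]] = sname
            else:
                default_for.setdefault(listen[0], sname)

    return [(sname, listen[0], default_for[listen[0]] == sname)
            for sname, listens, tls, has_cert in servers
            if tls and not has_cert
            for listen in listens]


if __name__ == "__main__":
    for sname, port, is_default in audit(SAMPLE_CONFIG):
        print("server '%s' listens with ssl on %s but defines no ssl_certificate%s"
              % (sname, port,
                 " (default server for this port: every name on it fails)" if is_default else ""))
```

Feed it the output of nginx -T on a current nginx, or, on a 1.6.2 installation like the one in the question, the concatenation of /etc/nginx/nginx.conf and the files under /etc/nginx/sites-enabled, since nginx 1.6.2 accepts such a configuration at startup and only logs the error at handshake time. If a catch-all server on port 443 is intended to have no certificate, current nginx (1.19.4 and later) provides ssl_reject_handshake on for that purpose, which refuses handshakes for that server cleanly instead of breaking the other names on the port.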