Nginx
Cannot connect to site over HTTPS (SSL_ERROR_SYSCALL)

I have a server running Debian 8. Yes, a very old server. But it does have something strange about it: I cannot connect to it over HTTPS:

```text
$ curl -sSLv https://example.com
*   Trying xx.yyy.xx.yyy:443...
* Connected to example.com (xx.yyy.xx.yyy) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to example.com:443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to example.com:443

$ sslscan example.com
Version: 2.0.11
OpenSSL 1.1.1m  14 Dec 2021

Connected to xx.yyy.xx.yyy

Testing SSL server example.com on port 443 using SNI name example.com

  SSL/TLS Protocols:
SSLv2     disabled
SSLv3     disabled
TLSv1.0   disabled
TLSv1.1   disabled
TLSv1.2   disabled
TLSv1.3   disabled

  TLS Fallback SCSV:
Connection failed - unable to determine TLS Fallback SCSV support

  TLS renegotiation:
Session renegotiation not supported

  TLS Compression:
OpenSSL version does not support compression
Rebuild with zlib1g-dev package for zlib support

  Heartbleed:

  Supported Server Cipher(s):
Certificate information cannot be retrieved.

$ dpkg -l | grep openssl
ii  openssl  1.0.1t-1+deb8u12  amd64  Secure Sockets Layer toolkit - cryptographic utility

$ cat /etc/nginx/nginx.conf | grep ssl
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;

$ dpkg -l | grep nginx
ii  nginx         1.6.2-5  all    small, powerful, scalable web/proxy server
ii  nginx-common  1.6.2-5  all    small, powerful, scalable web/proxy server - common files
ii  nginx-full    1.6.2-5  amd64  nginx web/proxy server (standard version)
```
For comparison, another Debian 8 server:

```text
$ sslscan example2.com
Version: 2.0.11
OpenSSL 1.1.1m  14 Dec 2021

Connected to xx.xxx.xx.xxx

Testing SSL server example2.com on port 443 using SNI name example2.com

  SSL/TLS Protocols:
SSLv2     disabled
SSLv3     disabled
TLSv1.0   enabled
TLSv1.1   enabled
TLSv1.2   enabled
TLSv1.3   disabled

  TLS Fallback SCSV:
Server supports TLS Fallback SCSV

  TLS renegotiation:
Secure session renegotiation supported

  TLS Compression:
OpenSSL version does not support compression
Rebuild with zlib1g-dev package for zlib support

  Heartbleed:
TLSv1.2 not vulnerable to heartbleed
TLSv1.1 not vulnerable to heartbleed
TLSv1.0 not vulnerable to heartbleed

  Supported Server Cipher(s):
Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA384       Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-GCM-SHA384     DHE 1024 bits
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-SHA256         DHE 1024 bits
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-SHA            DHE 1024 bits
Accepted  TLSv1.2  256 bits  DHE-RSA-CAMELLIA256-SHA       DHE 1024 bits
Accepted  TLSv1.2  256 bits  AES256-GCM-SHA384
Accepted  TLSv1.2  256 bits  AES256-SHA256
Accepted  TLSv1.2  256 bits  AES256-SHA
Accepted  TLSv1.2  256 bits  CAMELLIA256-SHA
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA256       Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA          Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-GCM-SHA256     DHE 1024 bits
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-SHA256         DHE 1024 bits
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-SHA            DHE 1024 bits
Accepted  TLSv1.2  128 bits  DHE-RSA-CAMELLIA128-SHA       DHE 1024 bits
Accepted  TLSv1.2  128 bits  AES128-GCM-SHA256
Accepted  TLSv1.2  128 bits  AES128-SHA256
Accepted  TLSv1.2  128 bits  AES128-SHA
Accepted  TLSv1.2  128 bits  CAMELLIA128-SHA
Preferred TLSv1.1  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
Accepted  TLSv1.1  256 bits  DHE-RSA-AES256-SHA            DHE 1024 bits
Accepted  TLSv1.1  256 bits  DHE-RSA-CAMELLIA256-SHA       DHE 1024 bits
Accepted  TLSv1.1  256 bits  AES256-SHA
Accepted  TLSv1.1  256 bits  CAMELLIA256-SHA
Accepted  TLSv1.1  128 bits  ECDHE-RSA-AES128-SHA          Curve P-256 DHE 256
Accepted  TLSv1.1  128 bits  DHE-RSA-AES128-SHA            DHE 1024 bits
Accepted  TLSv1.1  128 bits  DHE-RSA-CAMELLIA128-SHA       DHE 1024 bits
Accepted  TLSv1.1  128 bits  AES128-SHA
Accepted  TLSv1.1  128 bits  CAMELLIA128-SHA
Preferred TLSv1.0  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
Accepted  TLSv1.0  256 bits  DHE-RSA-AES256-SHA            DHE 1024 bits
Accepted  TLSv1.0  256 bits  DHE-RSA-CAMELLIA256-SHA       DHE 1024 bits
Accepted  TLSv1.0  256 bits  AES256-SHA
Accepted  TLSv1.0  256 bits  CAMELLIA256-SHA
Accepted  TLSv1.0  128 bits  ECDHE-RSA-AES128-SHA          Curve P-256 DHE 256
Accepted  TLSv1.0  128 bits  DHE-RSA-AES128-SHA            DHE 1024 bits
Accepted  TLSv1.0  128 bits  DHE-RSA-CAMELLIA128-SHA       DHE 1024 bits
Accepted  TLSv1.0  128 bits  AES128-SHA
Accepted  TLSv1.0  128 bits  CAMELLIA128-SHA

  Server Key Exchange Group(s):
TLSv1.2  128 bits  secp256r1 (NIST P-256)

  SSL Certificate:
Signature Algorithm: sha256WithRSAEncryption
RSA Key Strength:    4096

Subject:  example2.com
Altnames: DNS:example2.com
Issuer:   R3

Not valid before: Dec 17 21:00:13 2021 GMT
Not valid after:  Mar 17 21:00:12 2022 GMT

$ dpkg -l | grep openssl
ii  openssl  1.0.1k-3+deb8u2  amd64  Secure Sockets Layer toolkit - cryptographic utility

$ cat /etc/nginx/nginx.conf | grep ssl
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;

$ dpkg -l | grep nginx
ii  nginx         1.6.2-5  all    small, powerful, scalable web/proxy server
ii  nginx-common  1.6.2-5  all    small, powerful, scalable web/proxy server - common files
ii  nginx-full    1.6.2-5  amd64  nginx web/proxy server (standard version)
```

What is wrong with the first server? How do I get https working?
One of the servers (as far as nginx is concerned) has `listen 443 ssl` but no `ssl_*` directives. In that case you get the symptoms described in the question; that is, a problem in one server (virtual host) affects the other (the rest). In the error log of the failing server you will see:

```text
2022/01/12 02:44:46 [error] 445#0: *23 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: xx.xxx.xx.xxx, server: 0.0.0.0:443
```
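An added example, not part of the answer above: a small POSIX shell audit that walks an nginx configuration and reports every `server` block that has `listen ... ssl` without an `ssl_certificate` (the misconfiguration the answer describes). An `ssl_certificate` set at `http {}` level is treated as inherited; the sample configuration, host names and certificate paths are constructed for the demonstration.

```shell
#!/bin/sh
# Print the server_name of every server block in "$1" that listens with "ssl"
# but defines no ssl_certificate (unless one is inherited from the http{} level).
find_ssl_servers_without_cert() {
  awk '
    /^[[:space:]]*server[[:space:]]*\{/ { in_server = 1; depth = 0; ssl = 0; cert = 0; name = "<unnamed>" }
    in_server {
      depth += gsub(/\{/, "{")      # count opening braces on this line
      depth -= gsub(/\}/, "}")      # count closing braces on this line
      if ($0 ~ /^[[:space:]]*listen[[:space:]].*[[:space:]]ssl[[:space:];]/) ssl = 1
      if ($0 ~ /^[[:space:]]*ssl_certificate[[:space:]]/) cert = 1
      if ($0 ~ /^[[:space:]]*server_name[[:space:]]/) { name = $2; sub(/;$/, "", name) }
      if (depth == 0) { in_server = 0; if (ssl && !cert && !http_cert) print name }
      next
    }
    /^[[:space:]]*ssl_certificate[[:space:]]/ { http_cert = 1 }   # http-level, inherited by all
  ' "$1"
}

# Constructed sample config: one healthy TLS vhost, one with only "listen 443 ssl",
# and one plain-HTTP vhost that must not be reported.
write_sample_config() {
  cat > "$1" <<'EOF'
http {
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    server {
        listen 443 ssl;
        server_name good.example;
        ssl_certificate     /etc/ssl/certs/good.example.pem;
        ssl_certificate_key /etc/ssl/private/good.example.key;
        location / { return 200; }
    }
    server {
        listen 443 ssl;
        server_name broken.example;
        # no ssl_certificate here: every TLS handshake on :443 can fail
    }
    server {
        listen 80;
        server_name plain.example;
    }
}
EOF
}

tmp=$(mktemp)
write_sample_config "$tmp"
find_ssl_servers_without_cert "$tmp"   # prints: broken.example
rm -f "$tmp"
```

On a real host, run it against the output of `nginx -T` saved to a file so that included vhost files are covered too.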