Re: Intermittent SSL Handshake Errors

2016-02-11 Thread piyushmalhotra
I am facing the same problem. I had one SSL certificate set up for the following domains: firstdomain.com *.firstdomain.com a.firstdomain.com b.firstdomain.com a.seconddomain.com b.seconddomain.com When I read that it could be due to multiple different domains using the same SSL certificate, I rem

Re: Intermittent SSL Handshake Errors

2016-01-15 Thread flechamobile
do want to add the cert I was using was subdomain wildcard and the blocks were for different subdomains so that should not have been a problem with the cert.. maybe it's an access issue to the cert? (nginx can't access it multiple times at the same moment or something) Posted at Nginx Forum: http

Re: Intermittent SSL Handshake Errors

2016-01-15 Thread flechamobile
Yeah I removed the double blocks and it solved the problem... The 'possible bug' though is that the problem seems completely random.. instead of giving error all the time sometimes it works and sometimes it doesn't... Just refreshing the site a few times and it worked.. So it looks like Nginx just

Re: Intermittent SSL Handshake Errors

2016-01-11 Thread piyushmalhotra
I am facing the same issue on my Debian 7 Server. I downgraded to 1.0.1e-2+deb7u12 version of libssl1.0.0 and restarted nginx but the issue is still occurring for me. I can still see the same logs. I also tried following these instructions (installed the deb packages made by these instructions) but

Re: Intermittent SSL Handshake Errors

2015-07-15 Thread Maxim Dounin
Hello! On Tue, Jul 14, 2015 at 09:58:52PM -0400, tempspace wrote: > Here's what we've learned so far: > > The issue is related to a new security feature that blocks TLS Fallback, > which is a client that connects with one version of TLS, then tries to > downgrade the connection and connect with

Re: Intermittent SSL Handshake Errors

2015-07-14 Thread tempspace
Here's what we've learned so far: The issue is related to a new security feature that blocks TLS Fallback, which is a client that connects with one version of TLS, then tries to downgrade the connection and connect with a lower TLS version. It was a feature made in light of the Poodle SSL vulnera

Re: Intermittent SSL Handshake Errors

2015-07-12 Thread B.R.
Out of thin air, I suspect it is a certificate problem. You seem to have configured *the same* certificate (and private key) for those 2 domains. Since certificates are generally tied to a single domain, that could explain errors. Another idea: have you checked nginx has been built with SNI suppor

Re: Intermittent SSL Handshake Errors

2015-07-12 Thread flechamobile
I found myself with the same problem and found the cause (and obvious solution). On my nginx server I run various websites and they all have their own server {} config block in separate files under 'sites-available' folder. Some sites are on different IPs and some are on the same IP. Now the caus

Re: Intermittent SSL Handshake Errors

2015-05-08 Thread DrMickeyLauer
First off, thanks to all who contributed to this thread. I must admit I did not understand much of it, however as someone plagued by this bug (we have a bunch of cherrypy REST servers talking to iOS and Android clients and have seen a lot of those fallback errors), I must admit I'm a bit at a loss

Re: Intermittent SSL Handshake Errors

2015-04-18 Thread ywarnier
Just an update: as of today, even Debian provides libssl1.0.0:1.0.1e-2+deb7u16 which still generates these error logs, so it looks like the only way is still to fall back to libssl1.0.0:1.0.1e-2+deb7u12. Posted at Nginx Forum: http://forum.nginx.org/read.php?2,256373,258186#msg-258186

Re: Intermittent SSL Handshake Errors

2015-03-26 Thread ankneo
That surely helps. So as of now the only way to resolve the issue is going back to u12 version of libssl? Posted at Nginx Forum: http://forum.nginx.org/read.php?2,256373,257705#msg-257705 ___ nginx mailing list nginx@nginx.org http://mailman.nginx.org/

Re: Intermittent SSL Handshake Errors

2015-03-21 Thread Maxim Dounin
Hello! On Sat, Mar 21, 2015 at 11:59:17AM -0400, tempspace wrote: > I should specify that I agree with what is happening. We have clients that > are falling back under normal conditions, and the latest libssl that > implemented fallback prevention for TLS is stopping. I have downgraded our > lib

Re: Intermittent SSL Handshake Errors

2015-03-21 Thread tempspace
I should specify that I agree with what is happening. We have clients that are falling back under normal conditions, and the latest libssl that implemented fallback prevention for TLS is stopping. I have downgraded our libssl and I'm looking in my logs, and I see plenty of iOS 8 devices that auto-

Re: Intermittent SSL Handshake Errors

2015-03-21 Thread tempspace
Maxim, I have been playing with the ciphers as well, and it doesn't appear to be cipher related. It happens for every cipher I've tried. I tried with turning off the prefer on the server, and it uses the same cipher with the prefer on. I then turned prefer server ciphers back on, and tailed our acc

Re: Intermittent SSL Handshake Errors

2015-03-21 Thread Maxim Dounin
Hello! On Fri, Mar 20, 2015 at 02:15:42PM -0400, tempspace wrote: > I had to start looking at this issue again now that yet another openssl > security issue. Now that I know I can go back to a working setup just by > downgrading SSL, I am able to gather more information. > > This morning, I upda

Re: Intermittent SSL Handshake Errors

2015-03-20 Thread tempspace
I had to start looking at this issue again now that yet another openssl security issue. Now that I know I can go back to a working setup just by downgrading SSL, I am able to gather more information. This morning, I updated the libssl libraries and restarted nginx, and the errors started flooding

Re: Intermittent SSL Handshake Errors

2015-03-20 Thread ankneo
I am seeing a similar error as well. It is showing up for a lot of people, and I am not sure why it is happening or whether the clients facing the error are actually able to browse the website. Can someone please help me understand whether it is safe to downgrade to the earlier version

RE: Intermittent SSL Handshake Errors

2015-02-06 Thread Lukas Tribus
> We've been unable to reproduce it with any one browser or IP address. It > really is very intermittent. Fortunately, I believe we've gotten to the > bottom of this. It looks like our data center switched us over to anti-DDoS > route. This means all of our traffic has been passing through hardware

Re: RE: Intermittent SSL Handshake Errors

2015-02-06 Thread ericr
We've been unable to reproduce it with any one browser or IP address. It really is very intermittent. Fortunately, I believe we've gotten to the bottom of this. It looks like our data center switched us over to anti-DDoS route. This means all of our traffic has been passing through hardware that pe

Re: Intermittent SSL Handshake Errors

2015-02-03 Thread tempspace
You are absolutely correct, but I figured you would want a working environment while we work with nginx/openssl on figuring out how to fix this bug. Knowing that it worked for you also increases my own comfort that the issue is mitigated on my side and I won't have performance issues at my next pea

Re: Intermittent SSL Handshake Errors

2015-02-03 Thread ericr
The errors went away, and now the only errors I see in our logs relating to SSL are handshake timeouts when I turn debug logs on. Now that I think about it, though, isn't this to be expected? The errors immediately went away as soon as I downgraded far enough back to a version of OpenSSL that didn

RE: Intermittent SSL Handshake Errors

2015-02-03 Thread Lukas Tribus
> I just finished running an experiment that has shed some light on the issue. > It has not yet been solved though. > > I setup another nginx server with the same configuration with an upstream > app that always responds with HTTP 200. I included JS on each page load in > production to make a singl

Re: Intermittent SSL Handshake Errors

2015-02-03 Thread tempspace
Eric, Did you try to downgrade your libssl to the previous version I mentioned earlier? Would love to hear if your issues go away. Posted at Nginx Forum: http://forum.nginx.org/read.php?2,256373,256428#msg-256428

Re: Intermittent SSL Handshake Errors

2015-02-03 Thread ericr
I just finished running an experiment that has shed some light on the issue. It has not yet been solved though. I setup another nginx server with the same configuration with an upstream app that always responds with HTTP 200. I included JS on each page load in production to make a single request t

Re: Intermittent SSL Handshake Errors

2015-02-02 Thread tempspace
My first question is do these I have been fighting a similar issue with SSL handshake issues for the past few days. After reboots and upgrades for GHOST, we started seeing errors like this in our error logs constantly: *579 SSL_do_handshake() failed (SSL: error:140A1175:SSL routines:SSL_BYTES_TO_

Re: Intermittent SSL Handshake Errors

2015-02-02 Thread ericr
Prior to this issue starting, we had not changed our ciphers in several months. I have tried changing them once since. We have also tried restarting nginx several times on each server to clear the cache, but it has not helped. Posted at Nginx Forum: http://forum.nginx.org/read.php?2,256373,256406

Re: Intermittent SSL Handshake Errors

2015-01-31 Thread Etienne Champetier
Hi On 31 Jan 2015 20:02, "Richard Stanway" wrote: >> >> ... >> 2015/01/13 12:22:59 [crit] 11871#0: *140260577 SSL_do_handshake() >> failed (SSL: error:1408A0D7:SSL >> routines:SSL3_GET_CLIENT_HELLO:required cipher missing) while SSL >> handshaking, client: *.*.*.*, server: 0.0.0.0:443 >> > >

Re: Intermittent SSL Handshake Errors

2015-01-31 Thread Richard Stanway
> > ... > 2015/01/13 12:22:59 [crit] 11871#0: *140260577 SSL_do_handshake() > failed (SSL: error:1408A0D7:SSL > routines:SSL3_GET_CLIENT_HELLO:required cipher missing) while SSL > handshaking, client: *.*.*.*, server: 0.0.0.0:443 > > According to the openssl code, this occurs when a client attempts

Intermittent SSL Handshake Errors

2015-01-31 Thread Eric R.
Hi, We are using round-robin DNS to distribute requests to three servers all running identically configured nginx. Connections then go upstream to HAProxy and then to our Rails app. About two weeks ago, users began to experience intermittent SSL handshake errors. Users reported that these