NGINX - SSL routines:ssl3_read_bytes:tlsv1 alert protocol version


    One of the problems that came up when I moved some servers to my Proxmox was this one.

    root@frank-MS-7C37:/var/log# curl -I -v --tlsv1.3 --tls-max 1.3 https://frank-mankel.de
    *   Trying 2a01:4f8:160:XXXX::XXX:443...
    * TCP_NODELAY set
    * Connected to frank-mankel.de (2a01:4f8:160:XXX::XXX) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * successfully set certificate verify locations:
    *   CAfile: /etc/ssl/certs/ca-certificates.crt
      CApath: /etc/ssl/certs
    * TLSv1.3 (OUT), TLS handshake, Client hello (1):
    * TLSv1.3 (IN), TLS alert, protocol version (582):
    * error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
    * Closing connection 0
    curl: (35) error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
    

    The result was that I couldn't get TLSv1.3, only TLSv1.2. That cost me many hours, and unfortunately I still don't know 100% what it was. I had copied all of my existing configurations and hadn't really expected any problem at all. It was to turn out differently...

    I spent many hours trying to pin down the problem; the internet wasn't particularly helpful either. So I set about redoing one configuration or another and checking everything again.

    In the end I suspect a few redirects of being what no longer worked properly. Why? I have no idea, it should have worked!?!?

    The example above looks like this when it works.

    root@frank-MS-7C37:/var/log# curl -I -v --tlsv1.3 --tls-max 1.3 https://frank-mankel.de
    *   Trying 136.243.29.253:443...
    * TCP_NODELAY set
    * Connected to frank-mankel.de (136.243.29.253) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * successfully set certificate verify locations:
    *   CAfile: /etc/ssl/certs/ca-certificates.crt
      CApath: /etc/ssl/certs
    * TLSv1.3 (OUT), TLS handshake, Client hello (1):
    * TLSv1.3 (IN), TLS handshake, Server hello (2):
    * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
    * TLSv1.3 (IN), TLS handshake, Certificate (11):
    * TLSv1.3 (IN), TLS handshake, CERT verify (15):
    * TLSv1.3 (IN), TLS handshake, Finished (20):
    * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
    * TLSv1.3 (OUT), TLS handshake, Finished (20):
    * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
    * ALPN, server accepted to use h2
    * Server certificate:
    *  subject: CN=frank-mankel.de
    *  start date: Sep 11 15:08:52 2021 GMT
    *  expire date: Dec 10 15:08:51 2021 GMT
    *  subjectAltName: host "frank-mankel.de" matched cert's "frank-mankel.de"
    *  issuer: C=US; O=Let's Encrypt; CN=R3
    *  SSL certificate verify ok.
    * Using HTTP2, server supports multi-use
    * Connection state changed (HTTP/2 confirmed)
    * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
    * Using Stream ID: 1 (easy handle 0x55f56f398e10)
    > HEAD / HTTP/2
    > Host: frank-mankel.de
    > user-agent: curl/7.68.0
    > accept: */*
    > 
    * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
    * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
    * old SSL session ID is stale, removing
    * Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
    < HTTP/2 200 
    HTTP/2 200 
    < server: nginx
    server: nginx
    < date: Sun, 12 Sep 2021 16:34:10 GMT
    date: Sun, 12 Sep 2021 16:34:10 GMT
    < content-type: text/html; charset=utf-8
    content-type: text/html; charset=utf-8
    < vary: Accept-Encoding
    vary: Accept-Encoding
    < set-cookie: d2e068f37e20df151d2a41a967850cb8=21ufmbr6exxxxxxxx44hog0bm; path=/; HttpOnly
    set-cookie: d2e068f37e20df151dxxxxxxxxxxxxcb8=21ufmbr6edb3926qa644hog0bm; path=/; HttpOnly
    < link: </templates/cassiopeia/css/global/colors_standard.min.css>; rel="prefetch"; as="style"
    link: </templates/cassiopeia/css/global/colors_standard.min.css>; rel="prefetch"; as="style"
    < expires: Wed, 17 Aug 2005 00:00:00 GMT
    expires: Wed, 17 Aug 2005 00:00:00 GMT
    < last-modified: Sun, 12 Sep 2021 16:34:10 GMT
    last-modified: Sun, 12 Sep 2021 16:34:10 GMT
    < cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    < pragma: no-cache
    pragma: no-cache
    < strict-transport-security: max-age=31536000; includeSubDomains; preload; always
    strict-transport-security: max-age=31536000; includeSubDomains; preload; always
    < x-frame-options: sameorigin
    x-frame-options: sameorigin
    < referrer-policy: no-referrer
    referrer-policy: no-referrer
    < x-robots-tag: none
    x-robots-tag: none
    < x-download-options: noopen
    x-download-options: noopen
    < x-permitted-cross-domain-policies: none
    x-permitted-cross-domain-policies: none
    < x-content-type-options: nosniff
    x-content-type-options: nosniff
    < x-ua-compatible: IE=Edge
    x-ua-compatible: IE=Edge
    < x-xss-protection: 1; mode=block
    x-xss-protection: 1; mode=block
    
    < 
    * Connection #0 to host frank-mankel.de left intact
    

    But in the end everything was fine and you get TLSv1.3, the way it should be.
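The diagnosis in the post rests on one trick: pinning both the minimum (`--tlsv1.3`) and maximum (`--tls-max 1.3`) version so curl offers exactly one TLS version, which makes the server's `protocol version` alert unambiguous. The script below is an added example, not the author's code, that turns this into a repeatable check: it classifies curl's verbose output (the alert from the first transcript versus the `SSL connection using TLSv1.3` line from the second) and probes a host for TLSv1.2 and TLSv1.3 in turn. The function names are my own, and the classifier only recognises the strings shown in the post's output.

```shell
#!/bin/sh
# Added example (not from the original post): probe which TLS versions a host
# negotiates and classify curl's verbose output the way the post reads it.
# Function names (classify_tls_probe, probe_tls_version) are assumptions of
# this example, not names from the post or from curl.

# Classify the stderr of `curl -v`:
#   rejected  - the server answered the ClientHello with a protocol_version
#               alert (the "tlsv1 alert protocol version" line in the post),
#               i.e. it does not offer the version curl insisted on
#   tls1.3 / tls1.2 - the handshake completed at that version
#   unknown   - anything else (DNS failure, connection refused, cert error, ...)
classify_tls_probe() {
  case "$1" in
    *"tlsv1 alert protocol version"*) echo "rejected" ;;
    *"SSL connection using TLSv1.3"*) echo "tls1.3" ;;
    *"SSL connection using TLSv1.2"*) echo "tls1.2" ;;
    *) echo "unknown" ;;
  esac
}

# Probe a live host for exactly one TLS version. Pinning both --tlsv1.X
# (minimum) and --tls-max 1.X (maximum) forces curl to offer only that
# version, so the outcome is either a handshake at that version or a failure.
# $1 = hostname, $2 = minor version (2 or 3)
probe_tls_version() {
  host="$1"
  minor="$2"
  # curl exits non-zero on a failed handshake; the verbose log goes to stderr,
  # so capture stderr and let the classifier decide what happened
  out=$(curl -sS -I -o /dev/null -v --tlsv1."$minor" --tls-max 1."$minor" \
        "https://$host" 2>&1) || true
  classify_tls_probe "$out"
}

# Usage: sh tls-probe.sh example.org   -> prints one line per TLS version
if [ -n "${1:-}" ]; then
  for minor in 2 3; do
    printf 'TLSv1.%s: %s\n' "$minor" "$(probe_tls_version "$1" "$minor")"
  done
fi
```

Running it against the name both before and after a proxy change shows in one line whether a `rejected` result is a real TLSv1.3 gap on the server or just some other failure that happens to return curl exit code 35; the post's first transcript would classify as `rejected`, the second as `tls1.3`.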
