NGINX caching proxy fails with SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

Problem description

NGINX acting as a caching proxy encounters problems when fetching content from CloudFront server over HTTPS:

This is an extract from the NGINX error log:

2014/08/14 16:08:26 [error] 27534#0: *11560993 SSL_do_handshake() failed (SSL: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure) while SSL handshaking to upstream, client: 82.33.49.135, server: localhost, request: "GET /static/images/media-logos/best.png HTTP/1.1", upstream: "https://x.x.x.x:443/static/images/media-logos/best.png",

I tried different proxy settings like proxy_ssl_protocols and proxy_ssl_ciphers, but no combination worked.

Any ideas?

Recommended answer

I had exactly the same problem and spent a couple of hours... I guess you are using an older version of nginx (lower than 1.7)? In nginx 1.7 you can use this directive:

proxy_ssl_server_name on;

This will force nginx to use SNI. Also, you should set the SSL protocols:

proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

For earlier versions you may be able to use this patch (but I can't verify that that is working):

http://trac.nginx.org/nginx/ticket/229

2019 Update: You should avoid TLSv1 and TLSv1.1 and disable them if possible. I'll leave them in the answer as they are still valid for SNI.
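
The directives from the answer placed in a complete caching-proxy location, as an added example that is not part of the original question or answer. It goes slightly beyond the answer by also enabling upstream certificate verification; the upstream hostname, cache zone name and file paths are placeholders or assumptions.

```nginx
# Added example. example.cloudfront.net, static_cache and all paths below are
# placeholders/assumptions, not values from the original post.
http {
    proxy_cache_path /var/cache/nginx/static levels=1:2
                     keys_zone=static_cache:10m max_size=1g inactive=60m;

    server {
        listen 80;
        server_name localhost;

        location /static/ {
            # Placeholder upstream: a CDN endpoint that selects its
            # certificate and backend from the SNI name in the ClientHello.
            proxy_pass https://example.cloudfront.net;

            # Off by default, so nginx sends no SNI to the upstream and a
            # name-based endpoint can answer with a handshake failure alert.
            # Requires nginx 1.7.0 or later.
            proxy_ssl_server_name on;

            # Name sent as SNI and checked against the upstream certificate.
            # Defaults to the host part of proxy_pass; set it explicitly when
            # proxy_pass points at an upstream {} group or an IP address.
            proxy_ssl_name example.cloudfront.net;

            # Following the 2019 update: no TLSv1 / TLSv1.1.
            # TLSv1.3 can be added on nginx 1.13.0+ built with OpenSSL 1.1.1.
            proxy_ssl_protocols TLSv1.2;

            # nginx does not verify the upstream certificate unless told to.
            proxy_ssl_verify on;
            proxy_ssl_verify_depth 2;   # allow for an intermediate CA
            # Assumed Debian/Ubuntu CA bundle location.
            proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

            # Keep the HTTP Host header consistent with the SNI name.
            proxy_set_header Host example.cloudfront.net;

            proxy_cache static_cache;
            proxy_cache_valid 200 60m;
        }
    }
}
```

After changing the configuration, `nginx -t` checks the syntax before a reload.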
