Today we installed an SSL certificate (from letsencrypt) on our server, which hosts a very busy website.
After a few hours, we noticed that some users were getting errors from nginx:
2018/03/28 13:04:48 [crit] 8997#8997: *604175694 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 2.178.99.86, server: 0.0.0.0:443
2018/03/28 13:06:03 [crit] 9937#9937: *604177779 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 5.73.106.149, server: 0.0.0.0:443
2018/03/28 13:06:46 [crit] 9949#9949: *604179134 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 192.15.212.150, server: 0.0.0.0:443
2018/03/28 13:10:33 [crit] 9942#9942: *604185439 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 5.234.36.205, server: 0.0.0.0:443
Judging by the IP addresses, these are users who are probably browsing on their mobile phones, but I have no idea which browsers they use. I switched nginx error logging to debug mode, and here are some parts of the output:
Server: nginx^M
Date: Wed, 28 Mar 2018 13:37:19 GMT^M
Content-Type: text/html; charset=UTF-8^M
Transfer-Encoding: chunked^M
Connection: keep-alive^M
Set-Cookie: PHPSESSID=r3mo9gh549obv41nkrf747l017; path=/^M
Expires: Thu, 19 Nov 1981 08:52:00 GMT^M
Cache-Control: no-store, no-cache, must-revalidate^M
Pragma: no-cache^M
Location: *******************************
X-Cache: MISS^M
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 write new buf t:1 f:0 00007F06A5884708, pos 00007F06A5884708, size: 601 file: 0, size: 0
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 http write filter: l:0 f:0 s:601
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 http script var: "0"
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 http file cache set header
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 http cacheable: 1
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 http upstream process upstream
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 pipe read upstream: 1
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 pipe preread: 23
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 readv: 1, last:261440
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 pipe recv chain: 0
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 pipe buf free s:0 t:1 f:0 00007F06A56D0B50, pos 00007F06A56D0DF9, size: 23 file: 0, size: 0
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 pipe length: -1
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 http fastcgi record byte: 01
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 http fastcgi record byte: 03
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 http fastcgi record byte: 00
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 http fastcgi record byte: 01
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 http fastcgi record byte: 00
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 http fastcgi record byte: 08
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 http fastcgi record byte: 00
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 http fastcgi record byte: 00
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 http fastcgi record length: 8
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 http fastcgi sent end request
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 pipe write chain
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 add cleanup: 00007F06A5884B20
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 hashed path: /var/lib/nginx/fastcgi/7/54/0423471547
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 temp fd:129
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 write: 129, 00007F06A56D0B50, 681, 0
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 pipe write downstream: 1
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 pipe write downstream done
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 event timer: 80, old: 1522244549474, new: 1522244549680
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 http file cache update
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 http file cache rename: "/var/lib/nginx/fastcgi/7/54/0423471547" to "/run/shm/nginx/f/d9/b295394f65a2a43ae0ec0adadd243d9f"
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 malloc: 00007F06A5677B30:64
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 malloc: 00007F06A588F5E0:681
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 http upstream exit: 0000000000000000
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 finalize http upstream request: 0
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 finalize http fastcgi request
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 free rr peer 1 0
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 close http upstream connection: 80
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 free: 00007F06A55C40A0, unused: 48
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 event timer del: 80: 1522244549474
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 reusable connection: 0
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 http upstream temp fd: 129
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 http output filter "/index.php?p=1187697"
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 http copy filter: "/index.php?p=1187697"
2018/03/28 18:07:19 [debug] 24364#24364: *604587625 SSL_do_handshake: 1
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 http postpone filter "/index.php?p=1187697" 00007FFD85DA3BF0
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 http chunk: 0
2018/03/28 18:07:19 [debug] 24364#24364: *604587625 SSL: TLSv1.1, cipher: "ECDHE-RSA-AES128-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1"
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 write old buf t:1 f:0 00007F06A5884708, pos 00007F06A5884708, size: 601 file: 0, size: 0
2018/03/28 18:07:19 [debug] 24364#24364: *604587625 reusable connection: 1
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 write new buf t:0 f:0 0000000000000000, pos 00007F06A3953C9B, size: 5 file: 0, size: 0
2018/03/28 18:07:19 [debug] 24364#24364: *604587625 http wait request handler
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 http write filter: l:1 f:0 s:606
2018/03/28 18:07:19 [debug] 24364#24364: *604587625 malloc: 00007F06A5668370:1024
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 http write filter limit 0
2018/03/28 18:07:19 [debug] 24364#24364: *604587625 SSL_read: -1
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 malloc: 00007F06A5722010:16384
2018/03/28 18:07:19 [debug] 24364#24364: *604587625 SSL_get_error: 2
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 SSL buf copy: 601
2018/03/28 18:07:19 [debug] 24364#24364: *604587625 free: 00007F06A5668370
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 SSL buf copy: 5
2018/03/28 18:07:19 [debug] 24364#24364: *604587624 SSL handshake handler: 0
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 SSL to write: 606
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 SSL_write: 606
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 http write filter 0000000000000000
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 http copy filter: 0 "/index.php?p=1187697"
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 http finalize request: 0, "/index.php?p=1187697" a:1, c:1
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 set http keepalive handler
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 http close request
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 http log handler
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 posix_memalign: 00007F06A56C79D0:4096 @16
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 run cleanup: 00007F06A5884B20
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 file cleanup: fd:129
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 run cleanup: 00007F06A579A998
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 run cleanup: 00007F06A579A098
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 close cached open file: *******************************
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 expire cached open file: *******************************
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 expire cached open file: *******************************
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 run cleanup: 00007F06A5799E90
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 close cached open file: *******************************
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 expire cached open file: *******************************
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 expire cached open file: *******************************
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 close cached open file: *******************************
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 free: 00007F06A56D0B50
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 free: 00007F06A5846DC0, unused: 1
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 free: 00007F06A57999C0, unused: 2
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 free: 00007F06A5883DB0, unused: 61
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 free: 00007F06A56C79D0, unused: 3689
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 free: 00007F06A571F240
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 hc free: 0000000000000000 0
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 hc busy: 0000000000000000 0
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 free: 00007F06A5722010
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 reusable connection: 1
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 event timer add: 36: 310000:1522244549680
2018/03/28 18:07:19 [debug] 24364#24364: *604587624 SSL_do_handshake: 1
2018/03/28 18:07:19 [debug] 24364#24364: *604587624 SSL: TLSv1.1, cipher: "ECDHE-RSA-AES128-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1"
2018/03/28 18:07:19 [debug] 24364#24364: *604587624 reusable connection: 1
2018/03/28 18:07:19 [debug] 24364#24364: *604587624 http wait request handler
2018/03/28 18:07:19 [debug] 24364#24364: *604587624 malloc: 00007F06A5668480:1024
2018/03/28 18:07:19 [debug] 24364#24364: *604587624 SSL_read: -1
2018/03/28 18:07:19 [debug] 24364#24364: *604587624 SSL_get_error: 2
2018/03/28 18:07:19 [debug] 24364#24364: *604587624 free: 00007F06A5668480
2018/03/28 18:07:19 [debug] 24360#24360: post event 00007F069F820070
2018/03/28 18:07:19 [debug] 24360#24360: delete posted event 00007F069F820070
2018/03/28 18:07:19 [debug] 24360#24360: accept on 0.0.0.0:443, ready: 1
2018/03/28 18:07:19 [debug] 24360#24360: posix_memalign: 00007F06A5621B50:512 @16
2018/03/28 18:07:19 [debug] 24360#24360: *604587635 accept: 5.213.82.78:10738 fd:53
2018/03/28 18:07:19 [debug] 24360#24360: *604587635 event timer add: 53: 10000:1522244249682
2018/03/28 18:07:19 [debug] 24360#24360: *604587635 reusable connection: 1
2018/03/28 18:07:19 [debug] 24360#24360: *604587635 epoll add event: fd:53 op:1 ev:80002001
2018/03/28 18:07:19 [debug] 24360#24360: accept() not ready (11: Resource temporarily unavailable)
2018/03/28 18:07:19 [debug] 24360#24360: *604587635 post event 00007F069F820A90
2018/03/28 18:07:19 [debug] 24360#24360: *604587635 delete posted event 00007F069F820A90
2018/03/28 18:07:19 [debug] 24360#24360: *604587635 http check ssl handshake
2018/03/28 18:07:19 [debug] 24360#24360: *604587635 http recv(): 1
2018/03/28 18:07:19 [debug] 24360#24360: *604587635 https ssl handshake: 0x16
2018/03/28 18:07:19 [debug] 24360#24360: *604587635 SSL_do_handshake: -1
2018/03/28 18:07:19 [debug] 24360#24360: *604587635 SSL_get_error: 1
2018/03/28 18:07:19 [crit] 24360#24360: *604587635 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 5.213.82.78, server: 0.0.0.0:443
2018/03/28 18:07:19 [debug] 24360#24360: *604587635 close http connection: 53
2018/03/28 18:07:19 [debug] 24360#24360: *604587635 event timer del: 53: 1522244249682
2018/03/28 18:07:19 [debug] 24360#24360: *604587635 reusable connection: 0
2018/03/28 18:07:19 [debug] 24360#24360: *604587635 free: 00007F06A5621B50, unused: 152
2018/03/28 18:07:19 [debug] 24364#24364: *604587627 SSL handshake handler: 0
2018/03/28 18:07:19 [debug] 24364#24364: *604587627 SSL_do_handshake: 1
2018/03/28 18:07:19 [debug] 24364#24364: *604587627 SSL: TLSv1.1, cipher: "ECDHE-RSA-AES128-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1"
2018/03/28 18:07:19 [debug] 24364#24364: *604587627 reusable connection: 1
2018/03/28 18:07:19 [debug] 24364#24364: *604587627 http wait request handler
2018/03/28 18:07:19 [debug] 24364#24364: *604587627 malloc: 00007F06A56A0050:1024
2018/03/28 18:07:19 [debug] 24364#24364: *604587627 SSL_read: -1
2018/03/28 18:07:19 [debug] 24364#24364: *604587627 SSL_get_error: 2
2018/03/28 18:07:19 [debug] 24364#24364: *604587627 free: 00007F06A56A0050
2018/03/28 18:07:19 [debug] 24364#24364: *604587626 SSL handshake handler: 0
2018/03/28 18:07:19 [debug] 24364#24364: *604587626 SSL_do_handshake: 1
2018/03/28 18:07:19 [debug] 24364#24364: *604587626 SSL: TLSv1.1, cipher: "ECDHE-RSA-AES128-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1"
2018/03/28 18:07:19 [debug] 24364#24364: *604587626 reusable connection: 1
2018/03/28 18:07:19 [debug] 24364#24364: *604587626 http wait request handler
2018/03/28 18:07:19 [debug] 24364#24364: *604587626 malloc: 00007F06A56A0130:1024
2018/03/28 18:07:19 [debug] 24364#24364: *604587626 SSL_read: -1
2018/03/28 18:07:19 [debug] 24364#24364: *604587626 SSL_get_error: 2
2018/03/28 18:07:19 [debug] 24364#24364: *604587626 free: 00007F06A56A0130
2018/03/28 18:07:19 [debug] 24364#24364: *604587623 http wait request handler
2018/03/28 18:07:19 [debug] 24364#24364: *604587626 malloc: 00007F06A56A0130:1024
2018/03/28 18:07:19 [debug] 24364#24364: *604587626 SSL_read: -1
2018/03/28 18:07:19 [debug] 24364#24364: *604587626 SSL_get_error: 2
2018/03/28 18:07:19 [debug] 24364#24364: *604587626 free: 00007F06A56A0130
2018/03/28 18:07:19 [debug] 24364#24364: *604587623 http wait request handler
2018/03/28 18:07:19 [debug] 24364#24364: *604587623 malloc: 00007F06A56A0130:1024
2018/03/28 18:07:19 [debug] 24364#24364: *604587623 SSL_read: 823
2018/03/28 18:07:19 [debug] 24364#24364: *604587623 SSL_read: -1
2018/03/28 18:07:19 [debug] 24364#24364: *604587623 SSL_get_error: 2
2018/03/28 18:07:19 [debug] 24364#24364: *604587623 reusable connection: 0
2018/03/28 18:07:19 [debug] 24364#24364: *604587623 posix_memalign: 00007F06A568CAC0:4096 @16
2018/03/28 18:07:19 [debug] 24364#24364: *604587623 http process request line
2018/03/28 18:07:19 [debug] 24364#24364: *604587623 http request line: "GET /?p=1246163 HTTP/1.1"
2018/03/28 18:07:19 [debug] 24364#24364: *604587623 http uri: "/"
2018/03/28 18:07:19 [debug] 24364#24364: *604587623 http args: "p=1246163"
2018/03/28 18:07:19 [debug] 24364#24364: *604587623 http exten: ""
2018/03/28 18:07:19 [debug] 24364#24364: *604587623 posix_memalign: 00007F06A5677680:4096 @16
2018/03/28 18:07:19 [debug] 24364#24364: *604587623 http process request header line
2018/03/28 18:07:19 [debug] 24364#24364: *604587623 http header: "Host: www.e-estekhdam.com"
2018/03/28 18:07:19 [debug] 24364#24364: *604587623 http header: "Connection: keep-alive"
2018/03/28 18:07:19 [debug] 24364#24364: *604587623 http header: "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
2018/03/28 18:07:19 [debug] 24364#24364: *604587623 http header: "User-Agent: Mozilla/5.0 (Linux; Android 4.2.2; C2305 Build/16.0.B.2.16) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.94 Mobile Safari/537.36"
2018/03/28 18:07:19 [debug] 24364#24364: *604587623 http header: "Accept-Encoding: gzip,deflate,sdch"
2018/03/28 18:07:19 [debug] 24364#24364: *604587623 http header: "Accept-Language: fa,en-US;q=0.8,en;q=0.6"
This is an old Android mobile browser, or a WebView on an old Android phone.
I want to be able to support this kind of browser, so I decided to add support for TLSv1, SSLv2 and SSLv3, and I added this to my nginx configuration file:
ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
However, based on the checks I ran, my server still does not support SSLv3 (and yes, I know about POODLE), and according to the nginx error log there are still many users getting a handshake error.
The question is: what should I do to support these kinds of browsers?
Looking at the number of connection attempts made on my site in a short period of time, these are clearly attempts to compromise the server's security. Don't downgrade your security settings to make it easy for these guys. This is 93 requests from the same IP address in 2 seconds.
2018/06/11 04:22:00 [crit] 972#972: *315608 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:00 [crit] 972#972: *315616 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:00 [crit] 972#972: *315643 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:00 [crit] 972#972: *315645 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:00 [crit] 972#972: *315650 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:00 [crit] 972#972: *315652 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:00 [crit] 972#972: *315663 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:00 [crit] 972#972: *315674 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:00 [crit] 972#972: *315675 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:00 [crit] 971#971: *315677 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:00 [crit] 972#972: *315680 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:00 [crit] 972#972: *315685 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:00 [crit] 972#972: *315691 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:00 [crit] 972#972: *315703 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:00 [crit] 972#972: *315712 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:00 [crit] 972#972: *315719 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:00 [crit] 972#972: *315720 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:00 [crit] 972#972: *315734 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:00 [crit] 972#972: *315737 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:00 [crit] 972#972: *315738 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:00 [crit] 972#972: *315766 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:00 [crit] 972#972: *315767 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:00 [crit] 972#972: *315770 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:00 [crit] 972#972: *315771 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:00 [crit] 972#972: *315776 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:00 [crit] 972#972: *315778 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:00 [crit] 972#972: *315782 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:00 [crit] 972#972: *315786 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:00 [crit] 972#972: *315787 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:00 [crit] 972#972: *315789 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:00 [crit] 972#972: *315790 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:00 [crit] 972#972: *315793 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:00 [crit] 972#972: *315797 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315803 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315807 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315809 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315813 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315818 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315823 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315829 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315831 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 971#971: *315835 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315837 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315839 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315840 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315841 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315843 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315844 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315845 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315846 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315847 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315848 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315849 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315850 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315853 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315856 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315858 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315859 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315860 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315861 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315863 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315862 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315864 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315866 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315867 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315868 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315870 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315871 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315872 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315873 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315874 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315875 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315876 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315877 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315878 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315879 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315880 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315881 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315882 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315883 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315887 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315888 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315889 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315890 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315893 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315896 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315897 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315898 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315899 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315900 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315902 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315903 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315904 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
I am fairly sure that routines:tls_process_client_hello:version too low indicates that the client is not able to use the ciphers configured on your system to connect. Also, if the browser does not trust the Let's Encrypt root CA, it will fail the connection.
I do not agree with degrading the security of your website just to let a few clients with very old hardware, which they should have upgraded long ago, connect. You are literally sacrificing security for only a handful of clients.
It is also not unlikely that these are not even real clients. They may be malicious "clients" trying to force a downgraded connection in order to start breaking your security and steal information, the private key, etc.
I fully support Andrew's statement: almost nobody supports SSLv2/3 or clients without SNI anymore. But if you want to, at the risk of exposing the data of all your other users, run the SSL test here https://www.ssllabs.com/ssltest/ and adjust your ciphers until they are compatible with all the browsers listed. Ignore Android 2.x and Java 1.6.x; you will never manage to lower your security that far without an endless supply of IPv4 addresses, and it is better to disable HTTPS altogether if you plan to do that, so that at least your users are not fooled into assuming the connection is secure.
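The answer above raises the question of whether the failing handshakes come from real users on old devices or from a single scanner, and the log excerpt at the top of this section (dozens of failures from one address in the same second) is exactly the pattern to look for. The following is an added example, not code from anyone in this thread: two POSIX shell functions that summarise "version too low" failures per client address and flag addresses that fail more than N times within one second. The sample log is constructed here in nginx's error-log format using documentation addresses (203.0.113.10, 198.51.100.7); the threshold and the log path are parameters you choose.

```shell
#!/bin/sh
# Added example (not from the original thread): summarise "version too low"
# handshake failures in an nginx error log per client IP, so that one noisy
# source hitting the server in bursts can be told apart from a broad
# population of real users on old devices.

# Constructed sample log in the same format as nginx's error log.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
2018/06/11 04:22:01 [crit] 972#972: *315863 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 203.0.113.10, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315864 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 203.0.113.10, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315865 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 203.0.113.10, server: 0.0.0.0:443
2018/06/11 04:22:02 [crit] 972#972: *315870 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 203.0.113.10, server: 0.0.0.0:443
2018/06/11 04:30:15 [crit] 972#972: *316001 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 198.51.100.7, server: 0.0.0.0:443
2018/06/11 04:31:00 [error] 972#972: *316002 open() "/var/www/html/favicon.ico" failed (2: No such file or directory), client: 198.51.100.7, server: example.org
EOF

# Print "count ip" for every client that produced "version too low"
# failures, most frequent first. Usage: version_too_low_by_client LOGFILE
version_too_low_by_client() {
    grep 'version too low' "$1" \
      | sed -n 's/.*client: \([^,]*\),.*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{print $1, $2}'
}

# Print clients with more than N failures inside any single second.
# Real browsers retry once or twice; dozens of failures in one second from
# one address is a scanner, not a user. Usage: burst_clients LOGFILE N
burst_clients() {
    grep 'version too low' "$1" \
      | sed -n 's/^\([^ ]* [^ ]*\) .*client: \([^,]*\),.*/\2 \1/p' \
      | sort | uniq -c \
      | awk -v n="$2" '$1 > n {print $2}' | sort -u
}

# Stand-alone run against the constructed sample:
version_too_low_by_client "$SAMPLE_LOG"
burst_clients "$SAMPLE_LOG" 2
```

Run against /var/log/nginx/error.log, the first function tells you how many distinct addresses are affected (a handful of scanners versus a long tail of real users), and the second gives you the list of burst sources that a firewall or fail2ban rule could rate-limit without touching your TLS settings.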
On Ubuntu 18.04 and nginx 1.14+ .... As stated above by @Daniel, "I fully support Andrew's statement" that "almost nobody supports SSLv2/3 or clients without SNI".
If there is a legacy system, that is a firewall problem, in my humble opinion.
What sent many of us around in a loop was legacy code we had created, such as include lines for an /etc/nginx/custom-name-here/ or /etc/nginx/conf.d/ folder, which we had added in /etc/nginx/nginx.conf and in sites-enabled/example-org. Subsequent upgrades then caused errors, as seen by nginx -t.
I am not sure I am articulating this well, but there was a time on 14.04 and 16.04 when we had to specify the ciphers manually. The defaults of newer NGINX versions then caused redundancy and therefore generated errors. The new nginx cipher settings on 18.04, including those for certbot/letsencrypt, are much more secure ... but they forced us to remove our custom certificate restrictions.
If this is still a problem, I recommend removing (google first!) Let's Encrypt and reinstalling certbot, https://certbot.eff.org/, and taking advantage of the /etc/nginx/snippets/ folder for the includes in your sites-available/sites-enabled folders.
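The redundancy this answer describes (hand-written TLS directives from an older release still included from conf.d/ or a custom folder, next to the newer defaults and the certbot snippet) is easy to audit before nginx -t reports it. The following is an added example, not the poster's configuration: a constructed nginx config tree in a temporary directory, mirroring the nginx.conf / conf.d / snippets / sites-enabled layout the answer names, and three shell functions that list every TLS directive with the file that sets it, report directives set in more than one file, and report files that still enable protocols older than TLS 1.2. The file names, directive values and the leftover legacy-ssl.conf are all constructed for the example.

```shell
#!/bin/sh
# Added example (not the original poster's config): audit an nginx config
# tree for TLS directives so that leftovers from older hand-written cipher
# settings are found before nginx -t complains about duplicates.

# Constructed config tree mirroring the layout discussed in the answer.
CONF_ROOT=$(mktemp -d)
mkdir -p "$CONF_ROOT/snippets" "$CONF_ROOT/sites-enabled" "$CONF_ROOT/conf.d"
cat > "$CONF_ROOT/nginx.conf" <<'EOF'
http {
    ssl_protocols TLSv1.2 TLSv1.3;
    include conf.d/*.conf;
    include sites-enabled/*;
}
EOF
cat > "$CONF_ROOT/conf.d/legacy-ssl.conf" <<'EOF'
# constructed leftover from an older, hand-written hardening
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
EOF
cat > "$CONF_ROOT/snippets/ssl-params.conf" <<'EOF'
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
EOF
cat > "$CONF_ROOT/sites-enabled/example-org" <<'EOF'
server {
    listen 443 ssl;
    server_name example.org;
    include snippets/ssl-params.conf;
}
EOF

# Print "directive file" for every TLS-related directive in the tree.
# Usage: tls_directives CONF_DIR
tls_directives() {
    grep -rEn '^[[:space:]]*(ssl_protocols|ssl_ciphers|ssl_prefer_server_ciphers)[[:space:]]' "$1" \
      | sed -E 's/^([^:]*):[0-9]+:[[:space:]]*([a-z_]+).*/\2 \1/' \
      | sort
}

# Directives that are set in more than one file: the redundancy the answer
# describes, and the source of "directive is duplicate" errors from nginx -t
# when both files end up included into the same context.
duplicate_tls_directives() {
    tls_directives "$1" | awk '{print $1}' | sort | uniq -d
}

# Files whose ssl_protocols line still enables SSLv2, SSLv3, TLSv1 or TLSv1.1.
files_allowing_old_tls() {
    grep -rlE '^[[:space:]]*ssl_protocols[^;]*(SSLv2|SSLv3|TLSv1(\.1)?)([[:space:]]|;)' "$1" | sort
}

# Stand-alone run against the constructed tree:
tls_directives "$CONF_ROOT"
echo "duplicated: $(duplicate_tls_directives "$CONF_ROOT" | tr '\n' ' ')"
echo "old TLS enabled in: $(files_allowing_old_tls "$CONF_ROOT" | tr '\n' ' ')"
```

Point the functions at /etc/nginx on a real host; a file listed by files_allowing_old_tls that is not the certbot snippet is the kind of leftover the answer suggests removing, and any directive reported by duplicate_tls_directives should be kept in exactly one place (the snippets/ folder, per the answer) before running nginx -t and reloading.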