Nginx does not send SERVER CERTIFICATE after SERVER HELLO Announcing the arrival of Valued Associate #679: Cesar Manara Planned maintenance scheduled April 17/18, 2019 at 00:00UTC (8:00pm US/Eastern) Come Celebrate our 10 Year Anniversary!tcpdump Server Hello Certificate FilterNginx doesn't send certificate chainHow to configure IIS 7.5 SSL TLS to work with iOS 9 ATSDrupal 7 login does not work on NGINX after enabling SSL with LetsencryptHow to build Apache httpd 2.4.20 on CentOS 7 with http2 support?What's different between 'Using-Default-VirtualHost' and 'Using-Correctly-Named-VirtualHost'?Check if Windows Server 2008R2 can use TLS 1.2Troubleshooting Cipher handshake issueNeed help to establish secure ftp connection from linux to z/OS FTPS serverlftp 4.8.4 refuses to talk TLS1.2 with z/OS ftps host
Disable hyphenation for an entire paragraph
Bonus calculation: Am I making a mountain out of a molehill?
What makes black pepper strong or mild?
Should I use Javascript Classes or Apex Classes in Lightning Web Components?
Can Pao de Queijo, and similar foods, be kosher for Passover?
List *all* the tuples!
Output the ŋarâþ crîþ alphabet song without using (m)any letters
Storing hydrofluoric acid before the invention of plastics
If 'B is more likely given A', then 'A is more likely given B'
How can I make names more distinctive without making them longer?
Doubts about chords
Is a manifold-with-boundary with given interior and non-empty boundary essentially unique?
What LEGO pieces have "real-world" functionality?
What does the "x" in "x86" represent?
How to bypass password on Windows XP account?
Do I really need recursive chmod to restrict access to a folder?
If Jon Snow became King of the Seven Kingdoms what would his regnal number be?
What happens to sewage if there is no river near by?
Why is high voltage dangerous?
How do I mention the quality of my school without bragging
What would be the ideal power source for a cybernetic eye?
Should I discuss the type of campaign with my players?
Did Kevin spill real chili?
What is a Meta algorithm?
Nginx does not send SERVER CERTIFICATE after SERVER HELLO
Announcing the arrival of Valued Associate #679: Cesar Manara
Planned maintenance scheduled April 17/18, 2019 at 00:00UTC (8:00pm US/Eastern)
Come Celebrate our 10 Year Anniversary!tcpdump Server Hello Certificate FilterNginx doesn't send certificate chainHow to configure IIS 7.5 SSL TLS to work with iOS 9 ATSDrupal 7 login does not work on NGINX after enabling SSL with LetsencryptHow to build Apache httpd 2.4.20 on CentOS 7 with http2 support?What's different between 'Using-Default-VirtualHost' and 'Using-Correctly-Named-VirtualHost'?Check if Windows Server 2008R2 can use TLS 1.2Troubleshooting Cipher handshake issueNeed help to establish secure ftp connection from linux to z/OS FTPS serverlftp 4.8.4 refuses to talk TLS1.2 with z/OS ftps host
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;
I have an NGINX site that randomly produces connection failures during the TLS handshake. I investigated the issue using curl --trace and found that every other request times out because the server does not continue with the server certificate after server hello of the SSL handshake protocol. Here's the curl trace log:
== Info: Trying 123.11.22.109...
== Info: TCP_NODELAY set
== Info: Connected to registry.my-server.com (123.11.22.109) port 443 (#0)
== Info: ALPN, offering h2
== Info: ALPN, offering http/1.1
== Info: successfully set certificate verify locations:
== Info: CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
=> Send SSL data, 5 bytes (0x5)
0000: 16 03 01 00 de .....
== Info: TLSv1.2 (OUT), TLS handshake, Client hello (1):
=> Send SSL data, 222 bytes (0xde)
0000: 01 00 00 da 03 03 fa b3 b2 20 05 26 50 37 c2 4c ......... .&P7.L
0010: 7f e7 8d 3e 87 25 95 43 7f c2 bd 73 b2 1a ea c3 ..>.%.C..s....
(rest omitted...)
<= Recv SSL data, 5 bytes (0x5)
0000: 16 03 03 00 6c ....l
== Info: TLSv1.2 (IN), TLS handshake, Server hello (2):
<= Recv SSL data, 108 bytes (0x6c)
0000: 02 00 00 68 03 03 ab 7f 0e 88 9a b0 00 22 87 a4 ...h........"..
0010: cb f5 c7 64 46 62 e2 6e bc a7 52 2a 4b 26 a2 0f ...dFb.n..R*K&..
0020: d3 f9 e3 7e c5 c0 20 49 e9 89 dd 4b 73 92 21 28 ...~.. I...Ks.!(
0030: 82 24 df e8 dc ac 20 98 fe d0 36 6d 9f 49 7f 36 .$.... ...6m.I6
0040: 8a 8b 2b 54 f8 63 4c c0 30 00 00 20 00 00 00 00 ..+T.cL.0.. ....
0050: ff 01 00 01 00 00 0b 00 04 03 00 01 02 00 10 00 ................
0060: 0b 00 09 08 68 74 74 70 2f 31 2e 31 ....http/1.1
<= Recv SSL data, 5 bytes (0x5)
0000: 16 03 03 15 30 ....0
== Info: Operation timed out after 300869 milliseconds with 0 out of 0 bytes received
This does not occur with every connection, only maybe every 8th connection. I couldn't make out a pattern yet. The issue started occurring suddenly, the configuration ran without any problems for months before.
Any clues?
nginx ssl https
asked Apr 10 at 14:18
EfrainEfrain
1061
New contributor
Efrain is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
I have an NGINX site that randomly produces connection failures during the TLS handshake. I investigated the issue using curl --trace and found that every other request times out because the server does not continue with the server certificate after server hello of the SSL handshake protocol. Here's the curl trace log:
== Info: Trying 123.11.22.109...
== Info: TCP_NODELAY set
== Info: Connected to registry.my-server.com (123.11.22.109) port 443 (#0)
== Info: ALPN, offering h2
== Info: ALPN, offering http/1.1
== Info: successfully set certificate verify locations:
== Info: CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
=> Send SSL data, 5 bytes (0x5)
0000: 16 03 01 00 de .....
== Info: TLSv1.2 (OUT), TLS handshake, Client hello (1):
=> Send SSL data, 222 bytes (0xde)
0000: 01 00 00 da 03 03 fa b3 b2 20 05 26 50 37 c2 4c ......... .&P7.L
0010: 7f e7 8d 3e 87 25 95 43 7f c2 bd 73 b2 1a ea c3 ..>.%.C..s....
(rest omitted...)
<= Recv SSL data, 5 bytes (0x5)
0000: 16 03 03 00 6c ....l
== Info: TLSv1.2 (IN), TLS handshake, Server hello (2):
<= Recv SSL data, 108 bytes (0x6c)
0000: 02 00 00 68 03 03 ab 7f 0e 88 9a b0 00 22 87 a4 ...h........"..
0010: cb f5 c7 64 46 62 e2 6e bc a7 52 2a 4b 26 a2 0f ...dFb.n..R*K&..
0020: d3 f9 e3 7e c5 c0 20 49 e9 89 dd 4b 73 92 21 28 ...~.. I...Ks.!(
0030: 82 24 df e8 dc ac 20 98 fe d0 36 6d 9f 49 7f 36 .$.... ...6m.I6
0040: 8a 8b 2b 54 f8 63 4c c0 30 00 00 20 00 00 00 00 ..+T.cL.0.. ....
0050: ff 01 00 01 00 00 0b 00 04 03 00 01 02 00 10 00 ................
0060: 0b 00 09 08 68 74 74 70 2f 31 2e 31 ....http/1.1
<= Recv SSL data, 5 bytes (0x5)
0000: 16 03 03 15 30 ....0
== Info: Operation timed out after 300869 milliseconds with 0 out of 0 bytes received
This does not occur with every connection, only maybe every 8th connection. I couldn't make out a pattern yet. The issue started occurring suddenly, the configuration ran without any problems for months before.
Any clues?
nginx ssl https
asked Apr 10 at 14:18
EfrainEfrain
1061
New contributor
Efrain is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
I cannot reproduce the issue anymore, it went over night.
– Efrain
Apr 11 at 11:55
Even in that case you can post your own answer and accept it.
– Lex Li
Apr 11 at 16:03
add a comment |
I have an NGINX site that randomly produces connection failures during the TLS handshake. I investigated the issue using curl --trace and found that every other request times out because the server does not continue with the server certificate after server hello of the SSL handshake protocol. Here's the curl trace log:
== Info: Trying 123.11.22.109...
== Info: TCP_NODELAY set
== Info: Connected to registry.my-server.com (123.11.22.109) port 443 (#0)
== Info: ALPN, offering h2
== Info: ALPN, offering http/1.1
== Info: successfully set certificate verify locations:
== Info: CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
=> Send SSL data, 5 bytes (0x5)
0000: 16 03 01 00 de .....
== Info: TLSv1.2 (OUT), TLS handshake, Client hello (1):
=> Send SSL data, 222 bytes (0xde)
0000: 01 00 00 da 03 03 fa b3 b2 20 05 26 50 37 c2 4c ......... .&P7.L
0010: 7f e7 8d 3e 87 25 95 43 7f c2 bd 73 b2 1a ea c3 ..>.%.C..s....
(rest omitted...)
<= Recv SSL data, 5 bytes (0x5)
0000: 16 03 03 00 6c ....l
== Info: TLSv1.2 (IN), TLS handshake, Server hello (2):
<= Recv SSL data, 108 bytes (0x6c)
0000: 02 00 00 68 03 03 ab 7f 0e 88 9a b0 00 22 87 a4 ...h........"..
0010: cb f5 c7 64 46 62 e2 6e bc a7 52 2a 4b 26 a2 0f ...dFb.n..R*K&..
0020: d3 f9 e3 7e c5 c0 20 49 e9 89 dd 4b 73 92 21 28 ...~.. I...Ks.!(
0030: 82 24 df e8 dc ac 20 98 fe d0 36 6d 9f 49 7f 36 .$.... ...6m.I6
0040: 8a 8b 2b 54 f8 63 4c c0 30 00 00 20 00 00 00 00 ..+T.cL.0.. ....
0050: ff 01 00 01 00 00 0b 00 04 03 00 01 02 00 10 00 ................
0060: 0b 00 09 08 68 74 74 70 2f 31 2e 31 ....http/1.1
<= Recv SSL data, 5 bytes (0x5)
0000: 16 03 03 15 30 ....0
== Info: Operation timed out after 300869 milliseconds with 0 out of 0 bytes received
This does not occur with every connection, only maybe every 8th connection. I couldn't make out a pattern yet. The issue started occurring suddenly, the configuration ran without any problems for months before.
Any clues?
nginx ssl https
asked Apr 10 at 14:18
EfrainEfrain
1061
New contributor
Efrain is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
I have an NGINX site that randomly produces connection failures during the TLS handshake. I investigated the issue using curl --trace and found that every other request times out because the server does not continue with the server certificate after server hello of the SSL handshake protocol. Here's the curl trace log:
== Info: Trying 123.11.22.109...
== Info: TCP_NODELAY set
== Info: Connected to registry.my-server.com (123.11.22.109) port 443 (#0)
== Info: ALPN, offering h2
== Info: ALPN, offering http/1.1
== Info: successfully set certificate verify locations:
== Info: CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
=> Send SSL data, 5 bytes (0x5)
0000: 16 03 01 00 de .....
== Info: TLSv1.2 (OUT), TLS handshake, Client hello (1):
=> Send SSL data, 222 bytes (0xde)
0000: 01 00 00 da 03 03 fa b3 b2 20 05 26 50 37 c2 4c ......... .&P7.L
0010: 7f e7 8d 3e 87 25 95 43 7f c2 bd 73 b2 1a ea c3 ..>.%.C..s....
(rest omitted...)
<= Recv SSL data, 5 bytes (0x5)
0000: 16 03 03 00 6c ....l
== Info: TLSv1.2 (IN), TLS handshake, Server hello (2):
<= Recv SSL data, 108 bytes (0x6c)
0000: 02 00 00 68 03 03 ab 7f 0e 88 9a b0 00 22 87 a4 ...h........"..
0010: cb f5 c7 64 46 62 e2 6e bc a7 52 2a 4b 26 a2 0f ...dFb.n..R*K&..
0020: d3 f9 e3 7e c5 c0 20 49 e9 89 dd 4b 73 92 21 28 ...~.. I...Ks.!(
0030: 82 24 df e8 dc ac 20 98 fe d0 36 6d 9f 49 7f 36 .$.... ...6m.I6
0040: 8a 8b 2b 54 f8 63 4c c0 30 00 00 20 00 00 00 00 ..+T.cL.0.. ....
0050: ff 01 00 01 00 00 0b 00 04 03 00 01 02 00 10 00 ................
0060: 0b 00 09 08 68 74 74 70 2f 31 2e 31 ....http/1.1
<= Recv SSL data, 5 bytes (0x5)
0000: 16 03 03 15 30 ....0
== Info: Operation timed out after 300869 milliseconds with 0 out of 0 bytes received
This does not occur with every connection, only maybe every 8th connection. I couldn't make out a pattern yet. The issue started occurring suddenly, the configuration ran without any problems for months before.
Any clues?
nginx ssl https
nginx ssl https
asked Apr 10 at 14:18
EfrainEfrain
1061
New contributor
Efrain is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked Apr 10 at 14:18
EfrainEfrain
1061
New contributor
Efrain is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked Apr 10 at 14:18
EfrainEfrain
1061
New contributor
Efrain is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked Apr 10 at 14:18
EfrainEfrain
1061
asked Apr 10 at 14:18
EfrainEfrain
1061
1061
New contributor
Efrain is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
Efrain is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
Efrain is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
I cannot reproduce the issue anymore, it went over night.
– Efrain
Apr 11 at 11:55
Even in that case you can post your own answer and accept it.
– Lex Li
Apr 11 at 16:03
add a comment |
I cannot reproduce the issue anymore, it went over night.
– Efrain
Apr 11 at 11:55
Even in that case you can post your own answer and accept it.
– Lex Li
Apr 11 at 16:03
I cannot reproduce the issue anymore, it went over night.
– Efrain
Apr 11 at 11:55
I cannot reproduce the issue anymore, it went over night.
– Efrain
Apr 11 at 11:55
Even in that case you can post your own answer and accept it.
– Lex Li
Apr 11 at 16:03
Even in that case you can post your own answer and accept it.
– Lex Li
Apr 11 at 16:03
add a comment |
0
active
oldest
votes
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Efrain is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f962439%2fnginx-does-not-send-server-certificate-after-server-hello%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
0
active
oldest
votes
0
active
oldest
votes
active
oldest
votes
active
oldest
votes
Efrain is a new contributor. Be nice, and check out our Code of Conduct.
Efrain is a new contributor. Be nice, and check out our Code of Conduct.
Efrain is a new contributor. Be nice, and check out our Code of Conduct.
Efrain is a new contributor. Be nice, and check out our Code of Conduct.
Thanks for contributing an answer to Server Fault!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f962439%2fnginx-does-not-send-server-certificate-after-server-hello%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
I cannot reproduce the issue anymore, it went over night.
– Efrain
Apr 11 at 11:55
Even in that case you can post your own answer and accept it.
– Lex Li
Apr 11 at 16:03