Hello!
On Thu, Jun 25, 2015 at 06:16:42PM +0900, Edho Arief wrote:
> I noticed that trac.nginx.org has https/SNI configured for the host
> but no actual ssl configuration (how do you even do that):
The trac.nginx.org domain isn't available via https.
The IP address trac.nginx.org maps to does have other sites
answering on https/SNI though, and to avoid sending invalid
certificate the "ssl_ciphers aNULL;" is used in the default server
configuration. This is what causes the message you see.
> $ openssl s_client -connect trac.nginx.org:443 -servername trac.nginx.org
> CONNECTED(00000003)
> 140010415498912:error:14077410:SSL
> routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake
> failure:s23_clnt.c:770:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 318 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> ---
JFYI:
You can use something like
$ openssl s_client -connect trac.nginx.org:443 -servername trac.nginx.org -cipher aNULL
to establish a connection. (Requests won't work though, as the
same server also have "return 444;" in the configuration.)
> Relevant (which is how I noticed it in the first place):
>
> https://github.com/EFForg/https-everywhere/pull/1993
When people try to use something they weren't asked to, it
strikes back.
--
Maxim Dounin
http://nginx.org/
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
On Thu, Jun 25, 2015 at 06:16:42PM +0900, Edho Arief wrote:
> I noticed that trac.nginx.org has https/SNI configured for the host
> but no actual ssl configuration (how do you even do that):
The trac.nginx.org domain isn't available via https.
The IP address trac.nginx.org maps to does have other sites
answering on https/SNI though, and to avoid sending invalid
certificate the "ssl_ciphers aNULL;" is used in the default server
configuration. This is what causes the message you see.
> $ openssl s_client -connect trac.nginx.org:443 -servername trac.nginx.org
> CONNECTED(00000003)
> 140010415498912:error:14077410:SSL
> routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake
> failure:s23_clnt.c:770:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 318 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> ---
JFYI:
You can use something like
$ openssl s_client -connect trac.nginx.org:443 -servername trac.nginx.org -cipher aNULL
to establish a connection. (Requests won't work though, as the
same server also have "return 444;" in the configuration.)
> Relevant (which is how I noticed it in the first place):
>
> https://github.com/EFForg/https-everywhere/pull/1993
When people try to use something they weren't asked to, it
strikes back.
--
Maxim Dounin
http://nginx.org/
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx