web-dev-qa-db-ja.com

Nginx SSL_do_handshake() failed with SSL: error:1417D18C:SSL

Today I installed an SSL certificate (from Let's Encrypt) on a server that hosts a very busy website.

A few hours later, I noticed that some users were getting errors from nginx.

2018/03/28 13:04:48 [crit] 8997#8997: *604175694 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 2.178.99.86, server: 0.0.0.0:443
2018/03/28 13:06:03 [crit] 9937#9937: *604177779 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 5.73.106.149, server: 0.0.0.0:443
2018/03/28 13:06:46 [crit] 9949#9949: *604179134 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 192.15.212.150, server: 0.0.0.0:443
2018/03/28 13:10:33 [crit] 9942#9942: *604185439 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 5.234.36.205, server: 0.0.0.0:443

Judging by the IP addresses, these are probably users browsing on mobile phones, but I don't know which browsers they use. I switched the nginx error log to debug mode; here is part of the output:

Server: nginx^M
Date: Wed, 28 Mar 2018 13:37:19 GMT^M
Content-Type: text/html; charset=UTF-8^M
Transfer-Encoding: chunked^M
Connection: keep-alive^M
Set-Cookie: PHPSESSID=r3mo9gh549obv41nkrf747l017; path=/^M
Expires: Thu, 19 Nov 1981 08:52:00 GMT^M
Cache-Control: no-store, no-cache, must-revalidate^M
Pragma: no-cache^M
Location: *******************************
X-Cache: MISS^M

2018/03/28 18:07:19 [debug] 24356#24356: *604585753 write new buf t:1 f:0 00007F06A5884708, pos 00007F06A5884708, size: 601 file: 0, size: 0
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 http write filter: l:0 f:0 s:601
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 http script var: "0"
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 http file cache set header
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 http cacheable: 1
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 http upstream process upstream
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 pipe read upstream: 1
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 pipe preread: 23
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 readv: 1, last:261440
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 pipe recv chain: 0
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 pipe buf free s:0 t:1 f:0 00007F06A56D0B50, pos 00007F06A56D0DF9, size: 23 file: 0, size: 0
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 pipe length: -1
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 http fastcgi record byte: 01
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 http fastcgi record byte: 03
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 http fastcgi record byte: 00
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 http fastcgi record byte: 01
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 http fastcgi record byte: 00
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 http fastcgi record byte: 08
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 http fastcgi record byte: 00
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 http fastcgi record byte: 00
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 http fastcgi record length: 8
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 http fastcgi sent end request
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 pipe write chain
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 add cleanup: 00007F06A5884B20
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 hashed path: /var/lib/nginx/fastcgi/7/54/0423471547
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 temp fd:129
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 write: 129, 00007F06A56D0B50, 681, 0
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 pipe write downstream: 1
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 pipe write downstream done
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 event timer: 80, old: 1522244549474, new: 1522244549680
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 http file cache update
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 http file cache rename: "/var/lib/nginx/fastcgi/7/54/0423471547" to "/run/shm/nginx/f/d9/b295394f65a2a43ae0ec0adadd243d9f"
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 malloc: 00007F06A5677B30:64
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 malloc: 00007F06A588F5E0:681
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 http upstream exit: 0000000000000000
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 finalize http upstream request: 0
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 finalize http fastcgi request
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 free rr peer 1 0
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 close http upstream connection: 80
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 free: 00007F06A55C40A0, unused: 48
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 event timer del: 80: 1522244549474
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 reusable connection: 0
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 http upstream temp fd: 129
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 http output filter "/index.php?p=1187697"
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 http copy filter: "/index.php?p=1187697"
2018/03/28 18:07:19 [debug] 24364#24364: *604587625 SSL_do_handshake: 1
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 http postpone filter "/index.php?p=1187697" 00007FFD85DA3BF0
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 http chunk: 0
2018/03/28 18:07:19 [debug] 24364#24364: *604587625 SSL: TLSv1.1, cipher: "ECDHE-RSA-AES128-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1"
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 write old buf t:1 f:0 00007F06A5884708, pos 00007F06A5884708, size: 601 file: 0, size: 0
2018/03/28 18:07:19 [debug] 24364#24364: *604587625 reusable connection: 1
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 write new buf t:0 f:0 0000000000000000, pos 00007F06A3953C9B, size: 5 file: 0, size: 0
2018/03/28 18:07:19 [debug] 24364#24364: *604587625 http wait request handler
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 http write filter: l:1 f:0 s:606
2018/03/28 18:07:19 [debug] 24364#24364: *604587625 malloc: 00007F06A5668370:1024
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 http write filter limit 0
2018/03/28 18:07:19 [debug] 24364#24364: *604587625 SSL_read: -1
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 malloc: 00007F06A5722010:16384
2018/03/28 18:07:19 [debug] 24364#24364: *604587625 SSL_get_error: 2
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 SSL buf copy: 601
2018/03/28 18:07:19 [debug] 24364#24364: *604587625 free: 00007F06A5668370
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 SSL buf copy: 5
2018/03/28 18:07:19 [debug] 24364#24364: *604587624 SSL handshake handler: 0
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 SSL to write: 606
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 SSL_write: 606
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 http write filter 0000000000000000
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 http copy filter: 0 "/index.php?p=1187697"
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 http finalize request: 0, "/index.php?p=1187697" a:1, c:1
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 set http keepalive handler
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 http close request
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 http log handler
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 posix_memalign: 00007F06A56C79D0:4096 @16
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 run cleanup: 00007F06A5884B20
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 file cleanup: fd:129
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 run cleanup: 00007F06A579A998
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 run cleanup: 00007F06A579A098
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 close cached open file: *******************************
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 expire cached open file: *******************************
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 expire cached open file: *******************************
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 run cleanup: 00007F06A5799E90
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 close cached open file: *******************************
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 expire cached open file: *******************************
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 expire cached open file: *******************************
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 close cached open file: *******************************
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 free: 00007F06A56D0B50
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 free: 00007F06A5846DC0, unused: 1
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 free: 00007F06A57999C0, unused: 2
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 free: 00007F06A5883DB0, unused: 61
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 free: 00007F06A56C79D0, unused: 3689
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 free: 00007F06A571F240
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 hc free: 0000000000000000 0
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 hc busy: 0000000000000000 0
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 free: 00007F06A5722010
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 reusable connection: 1
2018/03/28 18:07:19 [debug] 24356#24356: *604585753 event timer add: 36: 310000:1522244549680
2018/03/28 18:07:19 [debug] 24364#24364: *604587624 SSL_do_handshake: 1
2018/03/28 18:07:19 [debug] 24364#24364: *604587624 SSL: TLSv1.1, cipher: "ECDHE-RSA-AES128-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1"
2018/03/28 18:07:19 [debug] 24364#24364: *604587624 reusable connection: 1
2018/03/28 18:07:19 [debug] 24364#24364: *604587624 http wait request handler
2018/03/28 18:07:19 [debug] 24364#24364: *604587624 malloc: 00007F06A5668480:1024
2018/03/28 18:07:19 [debug] 24364#24364: *604587624 SSL_read: -1
2018/03/28 18:07:19 [debug] 24364#24364: *604587624 SSL_get_error: 2
2018/03/28 18:07:19 [debug] 24364#24364: *604587624 free: 00007F06A5668480
2018/03/28 18:07:19 [debug] 24360#24360: post event 00007F069F820070
2018/03/28 18:07:19 [debug] 24360#24360: delete posted event 00007F069F820070
2018/03/28 18:07:19 [debug] 24360#24360: accept on 0.0.0.0:443, ready: 1
2018/03/28 18:07:19 [debug] 24360#24360: posix_memalign: 00007F06A5621B50:512 @16
2018/03/28 18:07:19 [debug] 24360#24360: *604587635 accept: 5.213.82.78:10738 fd:53
2018/03/28 18:07:19 [debug] 24360#24360: *604587635 event timer add: 53: 10000:1522244249682
2018/03/28 18:07:19 [debug] 24360#24360: *604587635 reusable connection: 1
2018/03/28 18:07:19 [debug] 24360#24360: *604587635 epoll add event: fd:53 op:1 ev:80002001
2018/03/28 18:07:19 [debug] 24360#24360: accept() not ready (11: Resource temporarily unavailable)
2018/03/28 18:07:19 [debug] 24360#24360: *604587635 post event 00007F069F820A90
2018/03/28 18:07:19 [debug] 24360#24360: *604587635 delete posted event 00007F069F820A90
2018/03/28 18:07:19 [debug] 24360#24360: *604587635 http check ssl handshake
2018/03/28 18:07:19 [debug] 24360#24360: *604587635 http recv(): 1
2018/03/28 18:07:19 [debug] 24360#24360: *604587635 https ssl handshake: 0x16
2018/03/28 18:07:19 [debug] 24360#24360: *604587635 SSL_do_handshake: -1
2018/03/28 18:07:19 [debug] 24360#24360: *604587635 SSL_get_error: 1
2018/03/28 18:07:19 [crit] 24360#24360: *604587635 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 5.213.82.78, server: 0.0.0.0:443
2018/03/28 18:07:19 [debug] 24360#24360: *604587635 close http connection: 53
2018/03/28 18:07:19 [debug] 24360#24360: *604587635 event timer del: 53: 1522244249682
2018/03/28 18:07:19 [debug] 24360#24360: *604587635 reusable connection: 0
2018/03/28 18:07:19 [debug] 24360#24360: *604587635 free: 00007F06A5621B50, unused: 152
2018/03/28 18:07:19 [debug] 24364#24364: *604587627 SSL handshake handler: 0
2018/03/28 18:07:19 [debug] 24364#24364: *604587627 SSL_do_handshake: 1
2018/03/28 18:07:19 [debug] 24364#24364: *604587627 SSL: TLSv1.1, cipher: "ECDHE-RSA-AES128-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1"
2018/03/28 18:07:19 [debug] 24364#24364: *604587627 reusable connection: 1
2018/03/28 18:07:19 [debug] 24364#24364: *604587627 http wait request handler
2018/03/28 18:07:19 [debug] 24364#24364: *604587627 malloc: 00007F06A56A0050:1024
2018/03/28 18:07:19 [debug] 24364#24364: *604587627 SSL_read: -1
2018/03/28 18:07:19 [debug] 24364#24364: *604587627 SSL_get_error: 2
2018/03/28 18:07:19 [debug] 24364#24364: *604587627 free: 00007F06A56A0050
2018/03/28 18:07:19 [debug] 24364#24364: *604587626 SSL handshake handler: 0
2018/03/28 18:07:19 [debug] 24364#24364: *604587626 SSL_do_handshake: 1
2018/03/28 18:07:19 [debug] 24364#24364: *604587626 SSL: TLSv1.1, cipher: "ECDHE-RSA-AES128-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1"
2018/03/28 18:07:19 [debug] 24364#24364: *604587626 reusable connection: 1
2018/03/28 18:07:19 [debug] 24364#24364: *604587626 http wait request handler
2018/03/28 18:07:19 [debug] 24364#24364: *604587626 malloc: 00007F06A56A0130:1024
2018/03/28 18:07:19 [debug] 24364#24364: *604587626 SSL_read: -1
2018/03/28 18:07:19 [debug] 24364#24364: *604587626 SSL_get_error: 2
2018/03/28 18:07:19 [debug] 24364#24364: *604587626 free: 00007F06A56A0130
2018/03/28 18:07:19 [debug] 24364#24364: *604587623 http wait request handler
2018/03/28 18:07:19 [debug] 24364#24364: *604587626 malloc: 00007F06A56A0130:1024
2018/03/28 18:07:19 [debug] 24364#24364: *604587626 SSL_read: -1
2018/03/28 18:07:19 [debug] 24364#24364: *604587626 SSL_get_error: 2
2018/03/28 18:07:19 [debug] 24364#24364: *604587626 free: 00007F06A56A0130
2018/03/28 18:07:19 [debug] 24364#24364: *604587623 http wait request handler
2018/03/28 18:07:19 [debug] 24364#24364: *604587623 malloc: 00007F06A56A0130:1024
2018/03/28 18:07:19 [debug] 24364#24364: *604587623 SSL_read: 823
2018/03/28 18:07:19 [debug] 24364#24364: *604587623 SSL_read: -1
2018/03/28 18:07:19 [debug] 24364#24364: *604587623 SSL_get_error: 2
2018/03/28 18:07:19 [debug] 24364#24364: *604587623 reusable connection: 0
2018/03/28 18:07:19 [debug] 24364#24364: *604587623 posix_memalign: 00007F06A568CAC0:4096 @16
2018/03/28 18:07:19 [debug] 24364#24364: *604587623 http process request line
2018/03/28 18:07:19 [debug] 24364#24364: *604587623 http request line: "GET /?p=1246163 HTTP/1.1"
2018/03/28 18:07:19 [debug] 24364#24364: *604587623 http uri: "/"
2018/03/28 18:07:19 [debug] 24364#24364: *604587623 http args: "p=1246163"
2018/03/28 18:07:19 [debug] 24364#24364: *604587623 http exten: ""
2018/03/28 18:07:19 [debug] 24364#24364: *604587623 posix_memalign: 00007F06A5677680:4096 @16
2018/03/28 18:07:19 [debug] 24364#24364: *604587623 http process request header line
2018/03/28 18:07:19 [debug] 24364#24364: *604587623 http header: "Host: www.e-estekhdam.com"
2018/03/28 18:07:19 [debug] 24364#24364: *604587623 http header: "Connection: keep-alive"
2018/03/28 18:07:19 [debug] 24364#24364: *604587623 http header: "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
2018/03/28 18:07:19 [debug] 24364#24364: *604587623 http header: "User-Agent: Mozilla/5.0 (Linux; Android 4.2.2; C2305 Build/16.0.B.2.16) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.94 Mobile Safari/537.36"
2018/03/28 18:07:19 [debug] 24364#24364: *604587623 http header: "Accept-Encoding: gzip,deflate,sdch"
2018/03/28 18:07:19 [debug] 24364#24364: *604587623 http header: "Accept-Language: fa,en-US;q=0.8,en;q=0.6"

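This is an old Android mobile browser, or a WebView on an old Android phone.

I want to be able to support these kinds of browsers, so I decided to add support for TLSv1, SSLv2 and SSLv3, and added this to the nginx configuration file: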

ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;

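However, based on the check I ran, the server still does not support SSLv3 (and I know about POODLE), so according to the nginx error log there are still many users getting handshake errors.

The question is: what should I do to support these kinds of browsers?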

7
user1518820

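Ignore them

Looking at the number of connection attempts made against my site in a short period, these are clearly attempts to compromise the server's security. Do not downgrade your security settings. This is 93 requests within 2 seconds from the same IP address: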

2018/06/11 04:22:00 [crit] 972#972: *315608 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:00 [crit] 972#972: *315616 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:00 [crit] 972#972: *315643 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:00 [crit] 972#972: *315645 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:00 [crit] 972#972: *315650 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:00 [crit] 972#972: *315652 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:00 [crit] 972#972: *315663 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:00 [crit] 972#972: *315674 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:00 [crit] 972#972: *315675 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:00 [crit] 971#971: *315677 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:00 [crit] 972#972: *315680 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:00 [crit] 972#972: *315685 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:00 [crit] 972#972: *315691 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:00 [crit] 972#972: *315703 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:00 [crit] 972#972: *315712 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:00 [crit] 972#972: *315719 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:00 [crit] 972#972: *315720 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:00 [crit] 972#972: *315734 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:00 [crit] 972#972: *315737 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:00 [crit] 972#972: *315738 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:00 [crit] 972#972: *315766 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:00 [crit] 972#972: *315767 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:00 [crit] 972#972: *315770 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:00 [crit] 972#972: *315771 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:00 [crit] 972#972: *315776 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:00 [crit] 972#972: *315778 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:00 [crit] 972#972: *315782 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:00 [crit] 972#972: *315786 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:00 [crit] 972#972: *315787 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:00 [crit] 972#972: *315789 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:00 [crit] 972#972: *315790 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:00 [crit] 972#972: *315793 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:00 [crit] 972#972: *315797 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315803 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315807 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315809 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315813 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315818 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315823 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315829 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315831 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 971#971: *315835 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315837 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315839 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315840 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315841 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315843 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315844 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315845 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315846 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315847 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315848 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315849 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315850 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315853 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315856 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315858 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315859 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315860 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315861 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315863 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315862 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315864 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315866 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315867 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315868 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315870 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315871 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315872 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315873 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315874 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315875 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315876 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315877 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315878 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315879 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315880 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315881 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315882 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315883 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315887 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315888 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315889 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315890 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315893 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315896 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315897 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315898 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315899 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315900 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315902 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315903 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
2018/06/11 04:22:01 [crit] 972#972: *315904 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 172.104.154.126, server: 0.0.0.0:443
9
Mark Tomlin

I'm pretty sure routines:tls_process_client_hello:version too low indicates that the client cannot connect using the ciphers set on the system. Moreover, if the browser does not trust the Let's Encrypt Root CA, the connection will fail.

I don't agree with downgrading your website's security in order to allow connections from some clients on old hardware that should have been upgraded a long time ago. You are literally sacrificing security for a handful of clients.

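It is also conceivable that these are not even real clients. They could be malicious "clients" trying to force a downgraded connection in order to break the security and steal information, private keys, and so on.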

1
Andrew
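Added example (not part of any answer on this page): one way to check, from the error log itself, whether the "version too low" failures look like many separate old devices or like one address retrying in bursts, as in the log excerpts on this page. The function name, the threshold and window values, and the sample lines are assumptions made for this illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the nginx error-log line quoted on this page.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[crit\] .*"
    r"SSL_do_handshake\(\) failed \(SSL: error:1417D18C:[^)]*version too low\)"
    r".*client: (?P<client>[0-9a-fA-F.:]+), server:"
)

def triage(lines, burst_threshold=5, window=timedelta(seconds=10)):
    """Group 'version too low' failures by client address and label each one.
    burst_threshold and window are assumed tuning values, not nginx settings."""
    seen = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
            seen[m["client"]].append(ts)
    report = {}
    for client, stamps in seen.items():
        stamps.sort()
        # Sliding window: largest number of failures inside any `window`.
        peak, start = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        label = "burst" if peak >= burst_threshold else "sporadic"
        report[client] = {"count": len(stamps), "peak": peak, "label": label}
    return report

# Constructed sample in the log format shown on this page (documentation IPs).
MSG = ("SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:"
       "tls_process_client_hello:version too low) while SSL handshaking, "
       "client: {ip}, server: 0.0.0.0:443")
SAMPLE = [f"2018/06/11 04:22:01 [crit] 972#972: *{n} " + MSG.format(ip="203.0.113.7")
          for n in range(100, 108)]
SAMPLE += [
    "2018/03/28 13:04:48 [crit] 8997#8997: *1 " + MSG.format(ip="198.51.100.20"),
    "2018/03/28 13:06:03 [crit] 9937#9937: *2 " + MSG.format(ip="198.51.100.21"),
    "2018/03/28 18:07:19 [debug] 24356#24356: *3 http cacheable: 1",
]

if __name__ == "__main__":
    for client, info in sorted(triage(SAMPLE).items()):
        print(client, info)
```

A "burst" label means many failed handshakes from one address within seconds, which fits automated probing better than a person's browser; "sporadic" failures spread over many addresses fit outdated client devices.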

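I fully support Andrew's statement. Hardly anyone provides support for SSLv2/3 or for clients without SNI. However, if you are willing to take the risk of exposing all other users' data, run the SSL test here https://www.ssllabs.com/ssltest/ and adjust your ciphers until you are compatible with all the browsers listed. Ignore Android 2.x and Java 1.6.x; you cannot downgrade your security that far without providing IPv4 addresses endlessly. If you disable HTTPS, disable it completely. That way, at least your users are not misled by the assumption that their connection is secure.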

1
Daniel

For Ubuntu 18.04 and nginx 1.14+ .... As @Daniel said, "I fully support the statement from Andrew" and "hardly anyone provides support for SSLv2/3 or clients without SNI".

If you have a legacy system, that is a firewall issue.

What threw me for a loop was that legacy code, such as includes of /etc/nginx/custom-name-here/ or the /etc/nginx/conf.d/ folder, had been created and added to /etc/nginx/nginx.conf and sites-enabled/example-org. Later upgrades then caused errors that could be seen with nginx -t.

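I'm not sure I'm explaining this clearly, but there was a time with 14.04 and 16.04 when you had to specify ciphers manually. With the defaults in the latest versions of NGINX this created a redundancy, which caused an error. The new nginx cipher defaults, including certbot/letsencrypt on 18.04, are far more secure, but I had to remove the custom cert restrictions.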

If this is still a problem, I recommend reinstalling with Let's Encrypt's certbot (google it first!): https://certbot.eff.org/ Then take advantage of the /etc/nginx/snippets/ folder and include it in your sites-available/sites-enabled folders.

1
eschipul