NGINX IPv4 SSL23_GET_SERVER_HELLO:알 수 없음

tag-icon tag-icon linux nginx ssl openssl ubuntu-18.04
NGINX IPv4 SSL23_GET_SERVER_HELLO:알 수 없음

ipv4 및 ipv6을 사용하여 Ubuntu 18.04 서버를 실행하고 있습니다. 시스템은 ipv4 및 ipv6을 통해 연결(ssh)할 수 있습니다. 유효한 유료 인증서로 NGINX가 실행되고 있습니다.

ipv6을 사용하는 클라이언트는 설정을 사용하는 데 전혀 문제가 없습니다. 반면에 ipv4를 사용하는 클라이언트에는 SSL 문제가 있어 연결을 설정할 수 없습니다.

일하고 있는

curl -ipv6 --verbose --trace-time -I https://clients.fanciety.com

01:18:14.653230 * Rebuilt URL to: https://clients.fanciety.com/
01:18:14.684108 *   Trying 2a01:4f8:231:d4b::2...
01:18:14.684156 * TCP_NODELAY set
01:18:14.702125 * Connected to clients.fanciety.com (2a01:4f8:231:d4b::2) port 443 (#0)
01:18:14.702296 * ALPN, offering h2
01:18:14.702333 * ALPN, offering http/1.1
01:18:14.702415 * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
01:18:14.708653 * successfully set certificate verify locations:
01:18:14.708698 *   CAfile: /etc/ssl/cert.pem
  CApath: none
01:18:14.708792 * TLSv1.2 (OUT), TLS handshake, Client hello (1):
01:18:14.728231 * TLSv1.2 (IN), TLS handshake, Server hello (2):
01:18:14.728529 * TLSv1.2 (IN), TLS handshake, Certificate (11):
01:18:14.754838 * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
01:18:14.755787 * TLSv1.2 (IN), TLS handshake, Server finished (14):
01:18:14.759776 * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
01:18:14.759809 * TLSv1.2 (OUT), TLS change cipher, Client hello (1):
01:18:14.759898 * TLSv1.2 (OUT), TLS handshake, Finished (20):
01:18:14.776641 * TLSv1.2 (IN), TLS change cipher, Client hello (1):
01:18:14.776778 * TLSv1.2 (IN), TLS handshake, Finished (20):
01:18:14.776813 * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
01:18:14.776850 * ALPN, server accepted to use http/1.1
01:18:14.776881 * Server certificate:
01:18:14.776917 *  subject: CN=clients.fanciety.com
01:18:14.776950 *  start date: Aug 24 00:00:00 2018 GMT
01:18:14.776976 *  expire date: Aug 23 12:00:00 2020 GMT
01:18:14.777025 *  subjectAltName: host "clients.fanciety.com" matched cert's "clients.fanciety.com"
01:18:14.777059 *  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=Thawte TLS RSA CA G1
01:18:14.777084 *  SSL certificate verify ok.
01:18:14.777146 > HEAD / HTTP/1.1
01:18:14.777146 > Host: clients.fanciety.com
01:18:14.777146 > User-Agent: curl/7.54.0
01:18:14.777146 > Accept: */*
01:18:14.777146 > 
01:18:14.798724 < HTTP/1.1 200 OK
HTTP/1.1 200 OK
01:18:14.798820 < Server: nginx/1.14.0 (Ubuntu)
Server: nginx/1.14.0 (Ubuntu)
01:18:14.798852 < Date: Fri, 31 Aug 2018 23:18:14 GMT
Date: Fri, 31 Aug 2018 23:18:14 GMT
01:18:14.798883 < Content-Type: text/html; charset=UTF-8
Content-Type: text/html; charset=UTF-8
01:18:14.798914 < Content-Length: 7
Content-Length: 7
01:18:14.798945 < Connection: keep-alive
Connection: keep-alive
01:18:14.798976 < X-Powered-By: Express
X-Powered-By: Express
01:18:14.799010 < Accept-Ranges: bytes
Accept-Ranges: bytes
01:18:14.799042 < Cache-Control: public, max-age=0
Cache-Control: public, max-age=0
01:18:14.799087 < Last-Modified: Fri, 31 Aug 2018 19:55:04 GMT
Last-Modified: Fri, 31 Aug 2018 19:55:04 GMT
01:18:14.799123 < ETag: W/"7-165918da924"
ETag: W/"7-165918da924"
01:18:14.799164 < Vary: Accept-Encoding
Vary: Accept-Encoding

01:18:14.799205 < 
01:18:14.799266 * Connection #0 to host clients.fanciety.com left intact

작동 안함

curl -ipv4 --verbose --trace-time -I https://clients.fanciety.com

01:33:21.196560 * Rebuilt URL to: https://clients.fanciety.com/
01:33:21.202064 *   Trying 159.69.61.244...
01:33:21.202128 * TCP_NODELAY set
01:33:21.239275 * Connected to clients.fanciety.com (159.69.61.244) port 443 (#0)
01:33:21.239447 * ALPN, offering h2
01:33:21.239481 * ALPN, offering http/1.1
01:33:21.239561 * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
01:33:21.243809 * successfully set certificate verify locations:
01:33:21.243842 *   CAfile: /etc/ssl/cert.pem
  CApath: none
01:33:21.243919 * TLSv1.2 (OUT), TLS handshake, Client hello (1):
01:33:21.275023 * error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
01:33:21.275129 * stopped the pause stream!
01:33:21.275224 * Closing connection 0
curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

작동 안함

curl -ipv4 -3 --verbose --trace-time -I https://clients.fanciety.com

01:31:38.919241 * Rebuilt URL to: https://clients.fanciety.com/
01:31:38.924589 *   Trying 159.69.61.244...
01:31:38.924632 * TCP_NODELAY set
01:31:38.961890 * Connected to clients.fanciety.com (159.69.61.244) port 443 (#0)
01:31:38.962064 * ALPN, offering h2
01:31:38.962102 * ALPN, offering http/1.1
01:31:38.962183 * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
01:31:38.966495 * successfully set certificate verify locations:
01:31:38.966530 *   CAfile: /etc/ssl/cert.pem
  CApath: none
01:31:38.966638 * SSLv3 (OUT), TLS handshake, Client hello (1):
01:31:38.997553 * SSLv3 (OUT), TLS alert, Server hello (2):
01:31:38.997718 * error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
01:31:38.997801 * stopped the pause stream!
01:31:38.997879 * Closing connection 0
curl: (35) error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

ipv4 또는 ipv6을 통해 openssl을 사용할 때 프로토콜 차이가 있습니까?

openssl s_client -connect clients.fanciety.com:443 -state -debug


...
SSL_connect:SSLv2/v3 write client hello A
read from 0x11942e0 [0x11998c0] (7 bytes => 7 (0x7))
0000 - 48 54 54 50 2f 31 2e                              HTTP/1.
SSL_connect:error in SSLv2/v3 read server hello A
140130130867864:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:794:
...

NGINX SSL 구성

listen [::]:443 ssl;
listen 443 ssl;
ssl on;
ssl_certificate /etc/nginx/ssl/cert.pem;
ssl_certificate_key /etc/nginx/ssl/key.pem;
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DHE+AES128:!ADH:!AECDH:!MD5;
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 120m;
ssl_prefer_server_ciphers on;

NGINX 로그

2018/09/01 00:45:06 [error] 1381#1381: *35 connect() failed (111: Connection refused) while connecting to upstream, client: 2003:e1:9717:1500:5858:af84:640e:bf02, server: clients.fanciety.com, request: "GET / HTTP/1.1", upstream: "http://127.0.0.1:9999/", host: "clients.fanciety.com:443"
2018/09/01 01:35:30 [crit] 3794#3794: *26 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 2600:c02:1020:4202::ac10:8269, server: [::]:443

wget은 SSL 없이 포트 443으로 ipv4를 사용하여 콘텐츠를 수신하는 것 같습니다. 서버는 SSL 없이 http를 전혀 제공하지 않습니다.

답변1

나는 이것이 당신이 보여주는 완전한 구성이 아니라고 확신합니다. 또는 그 사이에 일부 잘못 구성된 미들박스(예: 로드 밸런서)가 있습니다. 서버는 IPv4 포트 443의 HTTPS를 이해하지 못하지만 실제로는 일반적인 HTTPS 포트 443에서 IPv4의 HTTP에 응답합니다. 그리고 IPv4의 포트 80(기본 일반 HTTP)에 대한 액세스를 거부하지만 실제로는 포트에 응답합니다. IPv6에서는 80입니다.

즉, 구성에 문제가 있지만 표시되는 부분에는 없습니다.

# HTTP (port 80) on IPv6 works, redirects to HTTPS (port 443)
$ curl -ipv6 -v http://clients.fanciety.com/
...
HTTP/1.1 301 Moved Permanently


# HTTPS (port 443) on IPv6 works
$ curl -ipv6 -v https://clients.fanciety.com/
...
HTTP/1.1 200 OK


# HTTP (port 80) on IPv4 results in connection refused
$ curl -ipv4 -v http://clients.fanciety.com/
...
curl: (7) Failed to connect to clients.fanciety.com port 80: Connection refused


# HTTPS (port 443) on IPv4 results in TLS error
$ curl -ipv4 -v https://clients.fanciety.com/
...
curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol


# but HTTP on to the default HTTPS port (443) works
$ curl -ipv4 -v http://clients.fanciety.com:443/
...
HTTP/1.1 200 OK

관련 정보