间歇ssl_error_no_cypher_overlap
在过去的一周里,客户在使用火狐时随机地得到了间歇性的ssl_error_no_cypher_overlap错误。Safari和Chrome中也出现了连接问题。我找不到在这个问题开始时发生的任何包或代码更新。
我们在三个服务器之间负载平衡,这三个服务器都有相同版本的nignx (1.6.2-1.el5.ngx)和openssl (0.9.8e-32.el5_11),以及指定支持哪些协议和密码的相同配置(按照Mozilla推荐的nginx配置)。
我不知道我在这里错过了什么。
在所有服务器上共享nginx配置:
ssl on;
ssl_certificate /etc/nginx/ssl/wildcard.pem;
ssl_certificate_key /etc/nginx/ssl/wildcard.key;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_protocols TLSv1;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;在我们的日志中:
2015/01/21 11:16:05 [crit] 3428#0: *150887640 SSL_do_handshake() failed (SSL: error:1408A0D7:SSL routines:SSL3_GET_CLIENT_HELLO:required cipher missing) while SSL handshaking, client: *.*.*.*, server: 0.0.0.0:443
2015/01/21 11:17:34 [crit] 3429#0: *150929634 SSL_do_handshake() failed (SSL: error:1408A0D7:SSL routines:SSL3_GET_CLIENT_HELLO:required cipher missing) while SSL handshaking, client: *.*.*.*, server: 0.0.0.0:443
2015/01/21 11:18:23 [crit] 3434#0: *150952369 SSL_do_handshake() failed (SSL: error:1408A0D7:SSL routines:SSL3_GET_CLIENT_HELLO:required cipher missing) while SSL handshaking, client: *.*.*.*, server: 0.0.0.0:443
2015/01/21 11:18:23 [crit] 3434#0: *150952368 SSL_do_handshake() failed (SSL: error:1408A0D7:SSL routines:SSL3_GET_CLIENT_HELLO:required cipher missing) while SSL handshaking, client: *.*.*.*, server: 0.0.0.0:443
2015/01/21 11:18:30 [crit] 3428#0: *150955385 SSL_do_handshake() failed (SSL: error:1408A0D7:SSL routines:SSL3_GET_CLIENT_HELLO:required cipher missing) while SSL handshaking, client: *.*.*.*, server: 0.0.0.0:443
2015/01/21 11:18:43 [crit] 3433#0: *150961363 SSL_do_handshake() failed (SSL: error:1408A0D7:SSL routines:SSL3_GET_CLIENT_HELLO:required cipher missing) while SSL handshaking, client: *.*.*.*, server: 0.0.0.0:443
2015/01/21 11:18:53 [crit] 3428#0: *150965840 SSL_do_handshake() failed (SSL: error:1408A0D7:SSL routines:SSL3_GET_CLIENT_HELLO:required cipher missing) while SSL handshaking, client: *.*.*.*, server: 0.0.0.0:443从快速扫描来看:
Supported Server Cipher(s):
Accepted TLSv1 256 bits DHE-RSA-AES256-SHA
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 128 bits DHE-RSA-AES128-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
Prefered Server Cipher(s):
TLSv1 128 bits DHE-RSA-AES128-SHA回答 2
Server Fault用户
发布于 2015-01-21 17:54:32
您在密码字符串中提供的许多密码器(如GCM、SHA384和EC)在您使用的旧OpenSSL版本中都不可用。这只剩下几个密码。公司的客户通常支持一些(可能是透明的)代理进行SSL拦截(即中间人攻击),以分析加密内容中的恶意软件。在这种情况下,可用的密码不是由浏览器决定的,而是由截取代理来决定的。可能您提供的几个密码是不够的,因为它们不受拦截设备的支持,从而导致了required cipher missing。
Server Fault用户
发布于 2015-01-21 17:32:41
日志显示,客户端正试图通过SSLv3进行连接,但由于服务器不支持SSLv3,因此无法连接。这可能是因为他们正在尝试TLSv1.2,然后是TLSv1.1,然后跳到SSLv3,因为您不支持TLSv1.1或1.2。
将您的ssl_protocols行切换到TLSv1 TLSv1.1 TLSv1.2。
https://serverfault.com/questions/661312
复制相似问题
腾讯云开发者
Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有
深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 
粤公网安备44030502008569号
腾讯云计算(北京)有限责任公司 京ICP证150476号 | 京ICP备11018762号