Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2022/10/19 10:23:53 UTC
[GitHub] [apisix] wangfeng22 opened a new issue, #8126: help request: I got a lot of SSL_do_handshake() failed errors
wangfeng22 opened a new issue, #8126:
URL: https://github.com/apache/apisix/issues/8126
### Description
I had a https://{domain} upstream, and many errors happened.
```
60380#60380: *3539468988 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream
```
Some people say that it may be related to this parameter `proxy_ssl_session_reuse`, but I don't know why. How can I close this option?
### Environment
- APISIX version (run `apisix version`): 2.13.2
- Operating system (run `uname -a`):
- OpenResty / Nginx version (run `openresty -V` or `nginx -V`):
- etcd version, if relevant (run `curl http://127.0.0.1:9090/v1/server_info`):
- APISIX Dashboard version, if relevant:
- Plugin runner version, for issues related to plugin runners:
- LuaRocks version, for installation issues (run `luarocks --version`):
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
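A triage sketch for the error line reported above, added here as an example and not part of the original thread or of APISIX: it groups `SSL_do_handshake() failed` entries by side (client listener or upstream) and by OpenSSL reason, which shows whether the failures fall under `ssl_protocols` or under the upstream-side `proxy_ssl_protocols`. The sample log lines, addresses and function names are constructed, and the code layout assumes OpenSSL 1.x packed error codes.

```python
import re
from collections import Counter

# Matches the nginx/OpenResty error-log form quoted in the issue. An optional
# trailing ":SSL alert number N" field is tolerated after the reason text.
HANDSHAKE_RE = re.compile(
    r"SSL_do_handshake\(\) failed \(SSL: error:(?P<code>[0-9A-Fa-f]{8}):"
    r"(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>[^:)]*)(?::[^)]*)?\)"
    r" while SSL handshaking(?P<upstream> to upstream)?"
)

def unpack_openssl_1x(code_hex):
    """Split an OpenSSL 1.x packed error code into (lib, func, reason)."""
    e = int(code_hex, 16)
    return (e >> 24) & 0xFF, (e >> 12) & 0xFFF, e & 0xFFF

def triage(lines):
    """Count handshake failures keyed by (side, reason text, reason number)."""
    counts = Counter()
    for line in lines:
        m = HANDSHAKE_RE.search(line)
        if m is None:
            continue  # not a handshake failure, e.g. a connect timeout
        side = "upstream" if m.group("upstream") else "client"
        reason_num = unpack_openssl_1x(m.group("code"))[2]
        counts[(side, m.group("reason"), reason_num)] += 1
    return counts

# Constructed sample lines using documentation addresses.
SAMPLE_LOG = [
    '2022/10/19 10:00:01 [error] 60380#60380: *1 SSL_do_handshake() failed '
    '(SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) '
    'while SSL handshaking to upstream, client: 192.0.2.10',
    '2022/10/19 10:00:02 [error] 60380#60380: *2 SSL_do_handshake() failed '
    '(SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) '
    'while SSL handshaking to upstream, client: 192.0.2.10',
    '2022/10/19 10:00:03 [crit] 60380#60380: *3 SSL_do_handshake() failed '
    '(SSL: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake '
    'failure:SSL alert number 40) while SSL handshaking, client: 192.0.2.11',
    '2022/10/19 10:00:04 [error] 60380#60380: *4 upstream timed out '
    '(110: Connection timed out) while connecting to upstream',
]

if __name__ == "__main__":
    for (side, reason, num), n in triage(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {side:8s}  reason={num}  {reason}")
```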
[GitHub] [apisix] tokers commented on issue #8126: help request: I got a lot of SSL_do_handshake() failed errors
Posted by GitBox <gi...@apache.org>.
tokers commented on issue #8126:
URL: https://github.com/apache/apisix/issues/8126#issuecomment-1283798200
Which TLS version are you trying to use? Also, please check apisix config.yaml to know the supported TLS versions.
[GitHub] [apisix] wangfeng22 commented on issue #8126: help request: I got a lot of SSL_do_handshake() failed errors
Posted by GitBox <gi...@apache.org>.
wangfeng22 commented on issue #8126:
URL: https://github.com/apache/apisix/issues/8126#issuecomment-1285558496
> Which TLS version are you trying to use? Also, please check apisix config.yaml to know the supported TLS versions.
I use the config-default.yaml configuration.
```
ssl_protocols: TLSv1.2 TLSv1.3
ssl_ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl_session_tickets: false # disable ssl_session_tickets by default for 'ssl_session_tickets' would make Perfect Forward Secrecy useless.
```
[GitHub] [apisix] tzssangglass commented on issue #8126: help request: I got a lot of SSL_do_handshake() failed errors
Posted by GitBox <gi...@apache.org>.
tzssangglass commented on issue #8126:
URL: https://github.com/apache/apisix/issues/8126#issuecomment-1286418483
> Some of `TLSv1 TLSv1.1 TLSv1.2` have security vulnerabilities, so my upstream cancels some of them.
Try to add
```yaml
nginx_config:
  http_server_location_configuration_snippet: |
    proxy_ssl_protocols TLSv1.2 TLSv1.3;
```
to `config.yaml`. `proxy_ssl_protocols` is used to specify the protocols for the handshake with the upstream; ref: http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_ssl_protocols
[GitHub] [apisix] wangfeng22 commented on issue #8126: help request: I got a lot of SSL_do_handshake() failed errors
Posted by GitBox <gi...@apache.org>.
wangfeng22 commented on issue #8126:
URL: https://github.com/apache/apisix/issues/8126#issuecomment-1286433003
Ok, I get it. I will close this issue. Thank you very much. @tzssangglass @tokers
[GitHub] [apisix] wangfeng22 closed issue #8126: help request: I got a lot of SSL_do_handshake() failed errors
Posted by GitBox <gi...@apache.org>.
wangfeng22 closed issue #8126: help request: I got a lot of SSL_do_handshake() failed errors
URL: https://github.com/apache/apisix/issues/8126
[GitHub] [apisix] mscb402 commented on issue #8126: help request: I got a lot of SSL_do_handshake() failed errors
Posted by GitBox <gi...@apache.org>.
mscb402 commented on issue #8126:
URL: https://github.com/apache/apisix/issues/8126#issuecomment-1284806278
Does your upstream server support HTTPS access? Did you write the wrong upstream server port during the configuration?
Please share more detail.
[GitHub] [apisix] monkeyDluffy6017 commented on issue #8126: help request: I got a lot of SSL_do_handshake() failed errors
Posted by GitBox <gi...@apache.org>.
monkeyDluffy6017 commented on issue #8126:
URL: https://github.com/apache/apisix/issues/8126#issuecomment-1284833707
Could you provide a minimum case so that we can reproduce your problem?
[GitHub] [apisix] wangfeng22 commented on issue #8126: help request: I got a lot of SSL_do_handshake() failed errors
Posted by GitBox <gi...@apache.org>.
wangfeng22 commented on issue #8126:
URL: https://github.com/apache/apisix/issues/8126#issuecomment-1286366593
> > > Which TLS version are you trying to use? Also, please check apisix config.yaml to know the supported TLS versions.
> >
> > This is my openssl version.
> > ```
> > openssl version
> > OpenSSL 1.0.2k-fips 26 Jan 2017
> > ```
> >
> > I use the config-default.yaml configuration.
> > ```
> > ssl_protocols: TLSv1.2 TLSv1.3
> > ssl_ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
> > ssl_session_tickets: false # disable ssl_session_tickets by default for 'ssl_session_tickets' would make Perfect Forward Secrecy useless.
> > ```
>
> Oops. I didn't notice it's a TLS handshaking error with upstream. The default SSL protocol APISIX uses to communicate with upstream is `TLSv1 TLSv1.1 TLSv1.2`. Please make sure if your upstream service doesn't support some of them.
So should I change `ssl_protocols: TLSv1.2 TLSv1.3` to `ssl_protocols: TLSv1 TLSv1.1 TLSv1.2`?
[GitHub] [apisix] tokers commented on issue #8126: help request: I got a lot of SSL_do_handshake() failed errors
Posted by GitBox <gi...@apache.org>.
tokers commented on issue #8126:
URL: https://github.com/apache/apisix/issues/8126#issuecomment-1286340294
> > Which TLS version are you trying to use? Also, please check apisix config.yaml to know the supported TLS versions.
>
> This is my openssl version.
>
> ```
> openssl version
> OpenSSL 1.0.2k-fips 26 Jan 2017
> ```
>
> I use the config-default.yaml configuration.
>
> ```
> ssl_protocols: TLSv1.2 TLSv1.3
> ssl_ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
> ssl_session_tickets: false # disable ssl_session_tickets by default for 'ssl_session_tickets' would make Perfect Forward Secrecy useless.
> ```
Oops. I didn't notice it's a TLS handshaking error with upstream. The default SSL protocol APISIX uses to communicate with upstream is `TLSv1 TLSv1.1 TLSv1.2`. Please make sure if your upstream service doesn't support some of them.