You are viewing a plain text version of this content. The canonical link for it is here.

Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2022/04/13 06:07:30 UTC

[GitHub] [apisix] lianglinhuan opened a new issue, #6836: bug: [error] 67991#67991: 379048 [lua] init.lua:157: http_ssl_phase(): failed to fetch ssl config: failed to find SNI: please check if the client requests via IP or uses an outdated protocol. If you need to report an issue, provide a packet capture file of the TLS handshake., context: ssl_certificate_by_lua, client: 172.31.30.49, server: 0.0.0.0:9443

lianglinhuan opened a new issue, #6836:
URL: https://github.com/apache/apisix/issues/6836

   ### Current Behavior
   
   On the 2.11 version of apisix, I self-signed an https certificate through the domain name, the domain name format is 10.91.137.133, I put the generated certificate and private key in the certificate column on the apisix client, and the result is still reported ERR_SSL_PROTOCOL_ERROR error when accessing. If I generate a certificate with the domain name format not in the ip address format, and then put the certificate on apisix, the access can be successful by using the changed domain name to access.Using version 1.5, it is possible to self-sign the certificate in the ip address format and realize the path access of the https protocol. Does the new version do not support domain names in the ip address format?
   
   ### Expected Behavior
   
   I expect that generating a certificate with a domain name in the format of an ip address can also achieve access to the https protocol path
   
   ### Error Logs
   
   [error] 67991#67991: *379048 [lua] init.lua:157: http_ssl_phase(): failed to fetch ssl config: failed to find SNI: please check if the clienrequests via IP or uses an outdated protocol. If you need to report an issue, provide a packet capture file of the TLS handshake., context: ssl_certificate_by_l*, client: 172.31.30.49, server: 0.0.0.0:9443
   
   
   ### Steps to Reproduce
   
   1. On the 2.11 version of apisix, I self-signed an https certificate through the domain name, and the domain name format is 10.91.137.133.
   2. I put the generated certificate and private key in the certificate column of the apisix client, but the result is still an ERR_SSL_PROTOCOL_ERROR error when accessing.
   3. If I generate a certificate whose domain name format is not ip address format, and then put the certificate on apisix, the access with the changed domain name can be successful.
   4. Using version 1.5, it is possible to self-sign the certificate in the ip address format and realize the path access of the https protocol. Does the new version do not support domain names in the ip address format?
   
   ### Environment
   
   - APISIX version (run `apisix version`):2.11.0
   - Operating system (run `uname -a`):Red Hat Enterprise Linux Server release 7.4 (Maipo)
   - OpenResty / Nginx version (run `openresty -V` or `nginx -V`):
   - etcd version, if relevant (run `curl http://127.0.0.1:9090/v1/server_info`):
   - APISIX Dashboard version, if relevant:
   - Plugin runner version, for issues related to plugin runners:
   - LuaRocks version, for installation issues (run `luarocks --version`):
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [apisix] lianglinhuan commented on issue #6836: error：failed to find SNI: please check if the clienrequests via IP or uses an outdated protocol.

Posted by GitBox <gi...@apache.org>.

lianglinhuan commented on issue #6836:
URL: https://github.com/apache/apisix/issues/6836#issuecomment-1098847195

   @tokers 
   [file.md](https://github.com/apache/apisix/files/8487593/file.md)
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [apisix] tokers commented on issue #6836: error：failed to find SNI: please check if the clienrequests via IP or uses an outdated protocol.

Posted by "tokers (via GitHub)" <gi...@apache.org>.

tokers commented on issue #6836:
URL: https://github.com/apache/apisix/issues/6836#issuecomment-1413012450

   > why this not use the host header? curl -H 'Host:api-service.test.com' https://10.21.10.70 this is not work, curl --resolve 'api-service.test.com:443:10.21.10.70' https://api-service.test.com:443/ this is work. for tcpdump we find the work have the server_name,but the -H dont have it.
   
   HTTP Host is not identical with TLS SNI.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [apisix] tokers commented on issue #6836: error：failed to find SNI: please check if the clienrequests via IP or uses an outdated protocol.

Posted by GitBox <gi...@apache.org>.

tokers commented on issue #6836:
URL: https://github.com/apache/apisix/issues/6836#issuecomment-1099766249

   > @tzssangglass Yes, thank you very much, now I have some questions why? I can't use the domain name in ip format on version 2.11, but if you use the self-signed certificate of the domain name in non-ip format, Client Hello will bring the SIN and complete the normal handshake. Moreover, the 1.5 version of the self-signed certificate used before is a domain name in ip format or other domain names that support HTTPS access. Now I want to ask whether it is because the 2.11 version of apisix does not support self-signed certificates in ip format domain name?
   
   There is nothing related to APISIX, if the client doesn't take the SNI, APISIX won't know which certificate should be returned.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [apisix] lianglinhuan commented on issue #6836: error：failed to find SNI: please check if the clienrequests via IP or uses an outdated protocol.

Posted by GitBox <gi...@apache.org>.

lianglinhuan commented on issue #6836:
URL: https://github.com/apache/apisix/issues/6836#issuecomment-1107676148

   @ly-hash At present, we have decided to follow the official use steps to realize the STL handshake communication of HTTPS by customizing a domain name in non IP format, without modifying the relevant configuration.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [apisix] tzssangglass commented on issue #6836: error：failed to find SNI: please check if the clienrequests via IP or uses an outdated protocol.

Posted by GitBox <gi...@apache.org>.

tzssangglass commented on issue #6836:
URL: https://github.com/apache/apisix/issues/6836#issuecomment-1098194968

   Can you capture network package? about the requests sent during the SSL handshake.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

Re: [I] error：failed to find SNI: please check if the clienrequests via IP or uses an outdated protocol. [apisix]

Posted by "kayx23 (via GitHub)" <gi...@apache.org>.

kayx23 closed issue #6836: error：failed to find SNI: please check if the clienrequests via IP or uses an outdated protocol.
URL: https://github.com/apache/apisix/issues/6836


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [apisix] lianglinhuan commented on issue #6836: error：failed to find SNI: please check if the clienrequests via IP or uses an outdated protocol.

Posted by GitBox <gi...@apache.org>.

lianglinhuan commented on issue #6836:
URL: https://github.com/apache/apisix/issues/6836#issuecomment-1098846530

   [file.md](https://github.com/apache/apisix/files/8487583/file.md)
   @tokers 


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [apisix] ly-hash commented on issue #6836: error：failed to find SNI: please check if the clienrequests via IP or uses an outdated protocol.

Posted by GitBox <gi...@apache.org>.

ly-hash commented on issue #6836:
URL: https://github.com/apache/apisix/issues/6836#issuecomment-1107459999

   > @acx-1 OK, I see, thank you very much for clarifying the confusion, thank you very much.
   
   Hello, I also encountered this problem. Have you solved the problem that IP cannot authenticate HTTPS through the above method?


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [apisix] lianglinhuan commented on issue #6836: error：failed to find SNI: please check if the clienrequests via IP or uses an outdated protocol.

Posted by GitBox <gi...@apache.org>.

lianglinhuan commented on issue #6836:
URL: https://github.com/apache/apisix/issues/6836#issuecomment-1098823045

   @tokers @tzssangglass When using the self-signed certificate in the ip domain name format, during the TLS handshake, when the client sends a request for the first handshake Client Holle, the server reports an internal error.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [apisix] lianglinhuan commented on issue #6836: error：failed to find SNI: please check if the clienrequests via IP or uses an outdated protocol.

Posted by GitBox <gi...@apache.org>.

lianglinhuan commented on issue #6836:
URL: https://github.com/apache/apisix/issues/6836#issuecomment-1099768743

   @tokers But on version 1.5, the domain name in ip format can be used for self-signed HTTPS certificate, why is this?


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [apisix] Inasayang commented on issue #6836: error：failed to find SNI: please check if the clienrequests via IP or uses an outdated protocol.

Posted by "Inasayang (via GitHub)" <gi...@apache.org>.

Inasayang commented on issue #6836:
URL: https://github.com/apache/apisix/issues/6836#issuecomment-1437908676

   After setting `fallback_sni`(https://github.com/apache/apisix/blob/master/conf/config-default.yaml#L120), and adding `ssl` through SSL API(https://apisix.apache.org/docs/apisix/admin-api/#ssl). 
   
   Works fine now.
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [apisix] lianglinhuan commented on issue #6836: error：failed to find SNI: please check if the clienrequests via IP or uses an outdated protocol.

Posted by GitBox <gi...@apache.org>.

lianglinhuan commented on issue #6836:
URL: https://github.com/apache/apisix/issues/6836#issuecomment-1099959649

   @acx-1 Hello, thank you for clarifying my doubts, I would like to ask what the expression config.yaml-apisix-ssl-fallback_sni means, is it modified in the config.yaml file? If it is modified in the config.yaml file, can you tell me what the complete format of the modification is?


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [apisix] lianglinhuan commented on issue #6836: error：failed to find SNI: please check if the clienrequests via IP or uses an outdated protocol.

Posted by GitBox <gi...@apache.org>.

lianglinhuan commented on issue #6836:
URL: https://github.com/apache/apisix/issues/6836#issuecomment-1099804148

   @tzssangglass Thanks a lot, I'll look into it.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [apisix] kellyseeme commented on issue #6836: error：failed to find SNI: please check if the clienrequests via IP or uses an outdated protocol.

Posted by "kellyseeme (via GitHub)" <gi...@apache.org>.

kellyseeme commented on issue #6836:
URL: https://github.com/apache/apisix/issues/6836#issuecomment-1411867593

   why this not use the host header? 
   curl -H 'Host:api-service.test.com' https://10.21.10.70 this is not work,
   curl --resolve 'api-service.test.com:443:10.21.10.70' https://api-service.test.com:443/ this is work.
   for tcpdump we find the work have the server_name,but the -H dont have it.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [apisix] lianglinhuan commented on issue #6836: error：failed to find SNI: please check if the clienrequests via IP or uses an outdated protocol.

Posted by GitBox <gi...@apache.org>.

lianglinhuan commented on issue #6836:
URL: https://github.com/apache/apisix/issues/6836#issuecomment-1097874063

   @tokers 我是在放入证书与私钥之后在浏览器上进行https://10.91.137.133:9443,结果返回ERR_SSL_PROTOCOL_ERROR
   [client.pem.md](https://github.com/apache/apisix/files/8480515/client.pem.md)
   [client_private.key.md](https://github.com/apache/apisix/files/8480567/client_private.key.md)
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [apisix] lianglinhuan commented on issue #6836: error：failed to find SNI: please check if the clienrequests via IP or uses an outdated protocol.

Posted by GitBox <gi...@apache.org>.

lianglinhuan commented on issue #6836:
URL: https://github.com/apache/apisix/issues/6836#issuecomment-1099774404

   @tokers Ok, thank you very much, then I would like to ask, if the previous version 1.5 is compatible with the self-signed domain name using the ip format, why does the new version discard this function? In daily use, many companies should have a large demand for the use of IP domain names in daily project development. Otherwise, every server in the project will be assigned a domain name for it, isn't it beautiful?


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [apisix] acx-1 commented on issue #6836: error：failed to find SNI: please check if the clienrequests via IP or uses an outdated protocol.

Posted by GitBox <gi...@apache.org>.

acx-1 commented on issue #6836:
URL: https://github.com/apache/apisix/issues/6836#issuecomment-1099925929

   Hello,I found a solution in here https://github.com/apache/apisix/issues/6479 . I try it and it works.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [apisix] kellyseeme commented on issue #6836: error：failed to find SNI: please check if the clienrequests via IP or uses an outdated protocol.

Posted by "kellyseeme (via GitHub)" <gi...@apache.org>.

kellyseeme commented on issue #6836:
URL: https://github.com/apache/apisix/issues/6836#issuecomment-1411888913

   > @lianglinhuan you can check line 149 on [config.yaml](https://github.com/apache/apisix/blob/master/conf/config-default.yaml) .and i also add the ssl on dashboard.
   
   if have more certificate ,this method is useless.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [apisix] tokers commented on issue #6836: error：failed to find SNI: please check if the clienrequests via IP or uses an outdated protocol.

Posted by GitBox <gi...@apache.org>.

tokers commented on issue #6836:
URL: https://github.com/apache/apisix/issues/6836#issuecomment-1099770754

   > 
   
   1.5 is too old, I don't know if in 1.5 we have some special logic to get the default logic.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [apisix] tokers commented on issue #6836: error：failed to find SNI: please check if the clienrequests via IP or uses an outdated protocol.

Posted by GitBox <gi...@apache.org>.

tokers commented on issue #6836:
URL: https://github.com/apache/apisix/issues/6836#issuecomment-1098827700

   > @tokers @tzssangglass When using the self-signed certificate in the ip domain name format, during the TLS handshake, when the client sends a request for the first handshake Client Holle, the server reports an internal error.
   
   Thanks, but this is not enough, network packets will be desired with the Client Hello details.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [apisix] tokers commented on issue #6836: error：failed to find SNI: please check if the clienrequests via IP or uses an outdated protocol.

Posted by GitBox <gi...@apache.org>.

tokers commented on issue #6836:
URL: https://github.com/apache/apisix/issues/6836#issuecomment-1097739558

   @lianglinhuan How do you access APISIX? The match relies on the SNI and SAN in certificates, so you should provide the reproduce details for the troubleshooting.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [apisix] lianglinhuan commented on issue #6836: error：failed to find SNI: please check if the clienrequests via IP or uses an outdated protocol.

Posted by GitBox <gi...@apache.org>.

lianglinhuan commented on issue #6836:
URL: https://github.com/apache/apisix/issues/6836#issuecomment-1097859946

   > 
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [apisix] lianglinhuan commented on issue #6836: error：failed to find SNI: please check if the clienrequests via IP or uses an outdated protocol.

Posted by GitBox <gi...@apache.org>.

lianglinhuan commented on issue #6836:
URL: https://github.com/apache/apisix/issues/6836#issuecomment-1099752653

   @tzssangglass Yes, thank you very much, now I have some questions why? I can't use the domain name in ip format on version 2.11, but if you use the self-signed certificate of the domain name in non-ip format, Client Hello will bring the SIN and complete the normal handshake. Moreover, the 1.5 version of the self-signed certificate used before is a domain name in ip format or other domain names that support HTTPS access. Now I want to ask whether it is because the 2.11 version of apisix does not support self-signed certificates in ip format domain name?


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [apisix] Inasayang commented on issue #6836: error：failed to find SNI: please check if the clienrequests via IP or uses an outdated protocol.

Posted by "Inasayang (via GitHub)" <gi...@apache.org>.

Inasayang commented on issue #6836:
URL: https://github.com/apache/apisix/issues/6836#issuecomment-1437882903

   If ServerName is an IP address, ClientHello will not contain server_name.  https://github.com/golang/go/blob/master/src/crypto/tls/common.go#L635
   ![image](https://user-images.githubusercontent.com/30060632/220255537-c8c31970-aa2c-4d2c-915d-d8bec0f5b0af.png)
   ![image](https://user-images.githubusercontent.com/30060632/220255689-36f582cb-0d1e-4a9e-bceb-50203b003a31.png)
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [apisix] tzssangglass commented on issue #6836: error：failed to find SNI: please check if the clienrequests via IP or uses an outdated protocol.

Posted by GitBox <gi...@apache.org>.

tzssangglass commented on issue #6836:
URL: https://github.com/apache/apisix/issues/6836#issuecomment-1099053136

   From your network packet file, I noticed that Client Hello does not send SNI.
   
   A Client Hello with SNI looks like this:
   ```
   Handshake Protocol: Client Hello
       Handshake Type: Client Hello (1)
       Length: 415
       Version: TLS 1.2 (0x0303)
       Random: 31959c15cb141a3b6493f35ec3fe97b26c7824aa9f2703aada7712d20229b5a2
       Session ID Length: 32
       Session ID: 30d9629faee10e4e4dc7b6feccaac46e64e7a9fccf1de32e8fd4d3dd1c09f804
       Cipher Suites Length: 150
       Cipher Suites (75 suites)
       Compression Methods Length: 1
       Compression Methods (1 method)
       Extensions Length: 192
       Extension: server_name (len=14)
           Type: server_name (0)
           Length: 14
           Server Name Indication extension
               Server Name list length: 12
               Server Name Type: host_name (0)
               Server Name length: 9
               Server Name: 127.0.0.1
       Extension: ec_point_formats (len=4)
       Extension: supported_groups (len=4)
       Extension: session_ticket (len=0)
       Extension: encrypt_then_mac (len=0)
       Extension: extended_master_secret (len=0)
       Extension: signature_algorithms (len=48)
       Extension: supported_versions (len=9)
       Extension: psk_key_exchange_modes (len=2)
       Extension: key_share (len=71)
   ****
   ```
   
   ref: https://github.com/apache/apisix/issues/5103


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [apisix] tokers commented on issue #6836: error：failed to find SNI: please check if the clienrequests via IP or uses an outdated protocol.

Posted by GitBox <gi...@apache.org>.

tokers commented on issue #6836:
URL: https://github.com/apache/apisix/issues/6836#issuecomment-1097971725

   Not sure if the browser will carry the SNI in a TLS handshake, if you just use the IP address.
   
   Could you capture the TLS handshake packets?


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [apisix] acx-1 commented on issue #6836: error：failed to find SNI: please check if the clienrequests via IP or uses an outdated protocol.

Posted by GitBox <gi...@apache.org>.

acx-1 commented on issue #6836:
URL: https://github.com/apache/apisix/issues/6836#issuecomment-1100122189

   @lianglinhuan 
   you can check line 149 on  [config.yaml](https://github.com/apache/apisix/blob/master/conf/config-default.yaml) .and i also add the ssl on dashboard.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [apisix] tzssangglass commented on issue #6836: error：failed to find SNI: please check if the clienrequests via IP or uses an outdated protocol.

Posted by GitBox <gi...@apache.org>.

tzssangglass commented on issue #6836:
URL: https://github.com/apache/apisix/issues/6836#issuecomment-1099784218

   > if the previous version 1.5 is compatible with the self-signed domain name using the ip format
   
   I'm not sure that's right, in a straightforward way, I think it's wrong. I did a quick review of the code and I don't see any indication that earlier versions support the kind of case you're talking about.
   
   You should look back at the comments above, the SNI is not sent in Client Hello and you should be concerned about this.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [apisix] lianglinhuan commented on issue #6836: error：failed to find SNI: please check if the clienrequests via IP or uses an outdated protocol.

Posted by GitBox <gi...@apache.org>.

lianglinhuan commented on issue #6836:
URL: https://github.com/apache/apisix/issues/6836#issuecomment-1100986569

   @acx-1 OK, I see, thank you very much for clarifying the confusion, thank you very much.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [apisix] happyoka commented on issue #6836: error：failed to find SNI: please check if the clienrequests via IP or uses an outdated protocol.

Posted by GitBox <gi...@apache.org>.

happyoka commented on issue #6836:
URL: https://github.com/apache/apisix/issues/6836#issuecomment-1377312829

   @lianglinhuan what is the official use steps?


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org