Hello!

On Thu, Jun 25, 2015 at 06:16:42PM +0900, Edho Arief wrote:

> I noticed that trac.nginx.org has https/SNI configured for the host
> but no actual ssl configuration (how do you even do that):

The trac.nginx.org domain isn't available via https. The IP address
trac.nginx.org maps to does have other sites answering on https/SNI
though, and to avoid sending an invalid certificate the
"ssl_ciphers aNULL;" is used in the default server configuration.
This is what causes the message you see.

> $ openssl s_client -connect trac.nginx.org:443 -servername trac.nginx.org
> CONNECTED(00000003)
> 140010415498912:error:14077410:SSL
> routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake
> failure:s23_clnt.c:770:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 318 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> ---

JFYI: You can use something like

$ openssl s_client -connect trac.nginx.org:443 -servername trac.nginx.org -cipher aNULL

to establish a connection. (Requests won't work though, as the
same server also has "return 444;" in the configuration.)

> Relevant (which is how I noticed it in the first place):
>
> https://github.com/EFForg/https-everywhere/pull/1993

When people try to use something they weren't asked to, it
strikes back.

-- 
Maxim Dounin
http://nginx.org/
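An added example, not part of the original message and not nginx project code: a small classifier for `openssl s_client` transcripts that separates the three outcomes discussed above (handshake refused, anonymous-cipher handshake with no certificate, certificate presented), as a pre-check before a host is listed as HTTPS-capable. The function name, verdict labels and the two samples marked as constructed are assumptions made for illustration.

```python
import re

# Transcript quoted in the message above, abridged (name with no HTTPS virtual host).
REFUSED = """CONNECTED(00000003)
140010415498912:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:770:
---
no peer certificate available
---
SSL handshake has read 7 bytes and written 318 bytes
---
New, (NONE), Cipher is (NONE)
"""

# Constructed samples (not captured output): an anonymous-cipher handshake as
# with "-cipher aNULL", and a handshake where a certificate was presented.
ANONYMOUS = """CONNECTED(00000003)
---
no peer certificate available
---
New, TLSv1/SSLv3, Cipher is AECDH-AES256-SHA
"""
WITH_CERT = """CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=www.example.org
   i:/CN=Example Test CA
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
"""

def classify(transcript):
    """Return (verdict, alert) for one `openssl s_client` transcript."""
    alert = re.search(r"alert ([a-z ]+):", transcript)
    alert = alert.group(1) if alert else None
    cipher = re.search(r"Cipher is (\S+)", transcript)
    negotiated = bool(cipher) and cipher.group(1) != "(NONE)"
    has_cert = ("Certificate chain" in transcript
                and "no peer certificate available" not in transcript)
    if "CONNECTED(" not in transcript:
        return "unreachable", alert
    if not negotiated:
        return "tls-refused", alert      # port open, no TLS service for this name
    if not has_cert:
        return "anonymous", alert        # handshake done, but nobody authenticated
    return "certificate", alert          # only this case merits chain/name checks

if __name__ == "__main__":
    for name, t in [("refused", REFUSED), ("anonymous", ANONYMOUS), ("cert", WITH_CERT)]:
        print(name, classify(t))
```

Only the "certificate" verdict says a certificate was sent at all; whether it chains to a trusted CA and matches the requested name still has to be verified separately.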
