anna-is-cute
commented
6 years ago I can confirm this issue.
Seen in nginx logs:
2018/05/14 16:04:33 [crit] 1927#1927: *2661 SSL_do_handshake() failed (SSL: error:1422A0EA:SSL routines:custom_ext_add:callback failed) while SSL handshaking, client: 196.52.17.200, server: 0.0.0.0:443http {
include mime.types;
default_type application/octet-stream;
server_tokens off;
sendfile on;
keepalive_timeout 65;
gzip on;
brotli on;
brotli_comp_level 4;
brotli_types text/plain text/css application/javascript application/json image/svg+xml application/xml+rss;
ssl_dhparam /etc/ssl/dhparam.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA';
ssl_prefer_server_ciphers on;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_ecdh_curve X25519:secp384r1;
ssl_stapling on;
ssl_stapling_verify on;
resolver 1.1.1.1;
include ../sites/*;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name domain.tld;
ssl_certificate path/to/fullchain.pem;
ssl_certificate_key path/to/privkey.pem;
ssl_ct on;
ssl_ct_static_scts path/to/scts;
...
}
I using last nginx-ct with nginx 1.13.9 and openssl 1.1.1(alpha2) when using ct we have a bug in chrome 64.0.3282.186 when you open site the all is good, but don’t close the tab and wait 5-10min and than refresh site with f5 and you will get ssl error(ERR_SSL_VERSION_INTERFERENCE on windows) and can’t open site while not close browser or restart nginx. Also ct works with that openssl only if you write ct vars in block with default_server.