mozilla / ssl-config-generator

Mozilla SSL Configuration Generator
https://ssl-config.mozilla.org/
Mozilla Public License 2.0

ERR_SSL_PROTOCOL_ERROR #140

Closed lifeofguenter closed 3 years ago

lifeofguenter commented 3 years ago

With the following generated config: https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1d&guideline=5.6

I am getting on client side:

Windows 10 + Edge latest

net::ERR_SSL_PROTOCOL_ERROR

Windows 10 + Firefox latest

SSL_ERROR_ILLEGAL_PARAMETER_ALERT

Server side I see:

2021/04/18 12:37:21 [crit] 28131#28131: *15 SSL_do_handshake() failed (SSL: error:142090BA:SSL routines:tls_early_post_process_client_hello:bad cipher) while SSL handshaking, client: 192.168.42.1, server: 0.0.0.0:443

Access via curl works, but many other clients fail.

Setting ssl_prefer_server_ciphers to on solves the issue though.

lifeofguenter commented 3 years ago

Aha, the issue was other interfering vhosts: https://github.com/mozilla/ssl-config-generator/issues/76#issuecomment-579265280

After removing curve config option everywhere it worked :)

gene1wood commented 3 years ago

@lifeofguenter Is there an improvement that could be made to the config that the tool offers to prevent others from having the same issue where there was interference from another vhost?

lifeofguenter commented 3 years ago

@gene1wood in my case I completely forgot about other vhost configs and assumed I only had one on that server, so even if there was a warning, it was only me double-checking where I realized the issue.

I did put 1+1 together quite quickly, because I saw the GitHub issue earlier. So maybe explicitly setting:

# Be aware of nginx <> openssl bugs with different config values in other server blocks.
# See: https://github.com/mozilla/ssl-config-generator/issues/76#issuecomment-579265280
ssl_ecdh_curve auto;

might help (but not sure).
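The root cause identified above (another server block on the same nginx instance carrying a different `ssl_ecdh_curve` setting) is easy to miss because a vhost that never sets the directive silently runs with nginx's default of `auto`. The checker below is an added example, written for this thread and not code from ssl-config-generator or nginx. It parses an nginx config, resolves the effective `ssl_ecdh_curve` of every `server` block (explicit value, else the `http`-level value, else the default `auto`) and reports when they disagree. The sample configs are constructed; the curve list `X25519:prime256v1:secp384r1` is assumed to be the generator's output for the version in the first comment and is not taken from the page.

```python
"""Hypothetical checker (added example, not part of ssl-config-generator):
report nginx server blocks whose effective ssl_ecdh_curve values differ,
the vhost mismatch this issue traced the handshake failures to."""
import re

DEFAULT_CURVE = "auto"  # nginx's documented default for ssl_ecdh_curve


def _strip_comments(text):
    """Drop '#' comments so commented-out directives are not counted."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def _block_spans(text):
    """Return (body_start, body_end) for every `server { ... }` block,
    found by counting braces; `server_name` and upstream `server x;` lines
    do not match because they are not followed by '{'."""
    spans = []
    for m in re.finditer(r"\bserver\s*\{", text):
        depth, j = 1, m.end()
        while j < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[j], 0)
            j += 1
        spans.append((m.end(), j - 1))  # body excludes the closing brace
    return spans


def _directive(body, name):
    """Value of a simple `name value;` directive inside one block, or None."""
    m = re.search(r"(?:^|[\s;{}])" + name + r"\s+([^;]+);", body)
    return m.group(1).strip() if m else None


def effective_curves(config_text):
    """List of (server_name, effective ssl_ecdh_curve) per server block,
    honouring inheritance from the http context and nginx's default."""
    text = _strip_comments(config_text)
    spans = _block_spans(text)
    # Everything outside server blocks is the enclosing (http) context.
    outside, pos = [], 0
    for start, end in spans:
        outside.append(text[pos:start])
        pos = end
    outside.append(text[pos:])
    inherited = _directive("".join(outside), "ssl_ecdh_curve") or DEFAULT_CURVE

    rows = []
    for start, end in spans:
        body = text[start:end]
        name = _directive(body, "server_name") or "<no server_name>"
        rows.append((name, _directive(body, "ssl_ecdh_curve") or inherited))
    return rows


def curve_conflicts(config_text):
    """Distinct effective curve settings; more than one means vhosts disagree."""
    return {curve for _, curve in effective_curves(config_text)}


def is_consistent(config_text):
    return len(curve_conflicts(config_text)) <= 1


# Constructed sample: vhost A carries an explicit curve list (value assumed),
# vhost B was set up earlier and never set the directive, so it runs with `auto`.
BROKEN_CONFIG = """
http {
    server {
        listen 443 ssl;
        server_name example.test;
        ssl_ecdh_curve X25519:prime256v1:secp384r1;
    }
    server {
        listen 443 ssl;
        server_name legacy.test;
        # ssl_ecdh_curve not set -> inherits 'auto'
    }
}
"""

# Constructed sample of the fix suggested above: set the directive once at
# http level so every vhost inherits the same value.
FIXED_CONFIG = """
http {
    ssl_ecdh_curve auto;   # one value for all server blocks
    server { listen 443 ssl; server_name example.test; }
    server { listen 443 ssl; server_name legacy.test; }
}
"""

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        verdict = "consistent" if is_consistent(cfg) else "CONFLICT"
        print(label, verdict, effective_curves(cfg))
```

Run it against the output of `nginx -T` (which dumps the fully merged configuration, includes resolved) rather than a single file, so server blocks from forgotten `sites-enabled` entries are part of the comparison.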