
ERR_SSL_PROTOCOL_ERROR only for some users (nodejs, express)

Only some (not all) users are receiving ERR_SSL_PROTOCOL_ERROR in Chrome when attempting to visit my express site. I am not receiving this error, so it is proving a pain to debug.

I am creating a https server using a PFX file I downloaded from my provider (1&1):

var fs = require('fs');
var https = require('https');
var express = require('express');
var app = express();

var options = {
  pfx: fs.readFileSync('./mysite_private_key.pfx'), // PFX bundle downloaded from the provider
  passphrase: 'MYPASSPHRASE',
};
https.createServer(options, app).listen(443);

https://whatsmychaincert.com tells me that the chain is correct but complains about the handshake:

[mysite] has the correct chain.

[mysite]: TLS handshake error: error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error SSL Labs might be able to tell you what went wrong

I've googled this with no success, does anyone know what the problem could be? Ty.

In the end I ditched 1&1 and used GoDaddy's CA service and the problem went away.

A possible source of a failed handshake could be the lack of an intermediate certificate (the ca option of tls.createSecureContext). It should be public on your provider's website.

Hope this helps.

Nowadays, when our server (e.g. 1&1) is securely configured, only TLS v1.2 and TLS v1.3 are supported.

So, how to debug this:

  • scan your site with the SSL Labs Test to see which ciphers are supported, or alternatively see in your nginx/apache config

  • tail -f the server logs, especially the catchall/other_vhosts log files, since SSL protocol errors might be in the site logs and in the generic catchall log when the server cannot decide on the name

  • try to update the users' Chrome to support at least TLS 1.2

    Chrome has some command line switches to change its cipher behaviour:

    • --ssl-version-max Specifies the maximum SSL/TLS version ("tls1.2" or "tls1.3").
    • --ssl-version-min Specifies the minimum SSL/TLS version ("tls1", "tls1.1", "tls1.2", or "tls1.3").

DANGER ZONE:

  • as a last resort you could try to accept legacy ciphers in your nginx config (ssl_ciphers directive) like socat OR (very last resort) socat23 to check which version your clients support,

remember to disable everything below TLS v1.2 in production environments
