
ERR_SSL_PROTOCOL_ERROR only for some users (nodejs, express)

Only some (not all) users are receiving ERR_SSL_PROTOCOL_ERROR in Chrome when attempting to visit my express site. I am not receiving this error, so it is proving a pain to debug.

I am creating an https server using a PFX file I downloaded from my provider (1&1):

var fs = require('fs');
var https = require('https');
var express = require('express');
var app = express();

var options = {
  pfx: fs.readFileSync('./mysite_private_key.pfx'),   // PKCS#12 bundle from the CA
  passphrase: 'MYPASSPHRASE',
};
https.createServer(options, app).listen(443);

https://whatsmychaincert.com tells me that the chain is correct but complains about the handshake:

[mysite] has the correct chain.

[mysite]: TLS handshake error: error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error SSL Labs might be able to tell you what went wrong

I've googled this with no success, does anyone know what the problem could be? Ty.

In the end I ditched 1&1 and used GoDaddy's CA service and the problem went away.

A possible source of a failed handshake could be the lack of an intermediate certificate (the ca option of tls.createSecureContext). It should be public on your provider's website.

Hope this helps.

Nowadays, when your server (e.g. 1&1) is securely configured, only TLS v1.2 and TLS v1.3 are supported.

So here is how you debug this:

  • scan your site with the SSL Labs test to see which ciphers are supported, or alternatively check your nginx/apache config

  • tail -f the server logs, especially the catch-all/other_vhosts log files, since SSL protocol errors might be in the site logs or in the generic catch-all log when the server cannot decide on the name

  • try to update the users' Chrome to support at least TLS 1.2

    Chrome has some command line switches to change its cipher behaviour:

    • --ssl-version-max Specifies the maximum SSL/TLS version ("tls1.2" or "tls1.3").
    • --ssl-version-min Specifies the minimum SSL/TLS version ("tls1", "tls1.1", "tls1.2", or "tls1.3").

DANGER ZONE:

  • as a last resort you could try to accept legacy ciphers in your nginx config (ssl_ciphers directive), like socat OR (very last resort) socat23, to check which version your clients support

Remember to disable everything below TLS v1.2 in production environments.
