Handshake fail on nginx 1.11.13 with OpenSSL_1_1_0-pre6-2220-gb3c42fc25 #20
Comments
FYI I'm seeing this too with nginx 1.13.0 and openssl HEAD from today.
I've been seeing this issue for a while, at least 2-3 weeks; at first I thought it was related to this (1). In fact it might still be.
It's a bug in OpenSSL, I've submitted a PR: openssl/openssl#3310
Great @grahamedgecombe Thank you for the quick response :)
Fix has been merged into OpenSSL's master branch, closing
Great work, thank you. I've tested and it works.
Hey,
Little bug report, that took some time to trace down to ct.
I'm running a test server with TLSv1.3, and with the latest few post draft 19 of TLSv1.3 implementation of TLSv1.3 I get server handshake fail in all browsers tested.
However, after I comment out ssl_ct in config, site works again.
nginx build options
nginx version: nginx/1.11.13
built by gcc 6.3.0 20170406 (Ubuntu 6.3.0-12ubuntu2)
built with OpenSSL 1.1.1-dev xx XXX xxxx
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --pid-path=/usr/local/nginx/nginx.pid --with-pcre=../pcre-8.40 --with-zlib=../zlib-1.2.11 --with-http_ssl_module --with-openssl=../openssl --with-openssl-opt=enable-tls1_3 --with-http_gzip_static_module --with-http_addition_module --with-http_geoip_module --with-http_dav_module --with-http_stub_status_module --with-http_sub_module --with-http_ssl_module --with-stream --with-stream_ssl_module --with-mail=dynamic --with-http_v2_module --add-dynamic-module=/opt/nginx-ct --with-mail=dynamic
Is there a way to get this working again with newest git of OpenSSL? Or should one wait until TLSv1.3 is final? (looks like draft 20 is coming out very soon)