Join Log in
Score:0
avatar Server

Unable to connect to a site over HTTPS (SSL_ERROR_SYSCALL)

cn flag
x-yuri

I've got a server running Debian 8. Yes, a pretty old one. But there's something really strange about it. I can't connect to it over HTTPS:

$ curl -sSLv https://example.com
*   Trying xx.yyy.xx.yyy:443...
* Connected to example.com (xx.yyy.xx.yyy) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to example.com:443 
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to example.com:443 

$ sslscan example.com
Version: 2.0.11
OpenSSL 1.1.1m  14 Dec 2021

Connected to xx.yyy.xx.yyy

Testing SSL server example.com on port 443 using SNI name example.com

  SSL/TLS Protocols:
SSLv2     disabled
SSLv3     disabled
TLSv1.0   disabled
TLSv1.1   disabled
TLSv1.2   disabled
TLSv1.3   disabled

  TLS Fallback SCSV:
Connection failed - unable to determine TLS Fallback SCSV support

  TLS renegotiation:
Session renegotiation not supported

  TLS Compression:
OpenSSL version does not support compression
Rebuild with zlib1g-dev package for zlib support

  Heartbleed:

  Supported Server Cipher(s):
Certificate information cannot be retrieved.

$ dpkg -l | grep openssl
ii  openssl                             1.0.1t-1+deb8u12             amd64        Secure Sockets Layer toolkit - cryptographic utility

$ cat /etc/nginx/nginx.conf | grep ssl
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;

$ dpkg -l | grep nginx
ii  nginx                               1.6.2-5                      all          small, powerful, scalable web/proxy server
ii  nginx-common                        1.6.2-5                      all          small, powerful, scalable web/proxy server - common files
ii  nginx-full                          1.6.2-5                      amd64        nginx web/proxy server (standard version)

To compare it to another Debian 8 server:

$ sslscan example2.com
Version: 2.0.11
OpenSSL 1.1.1m  14 Dec 2021

Connected to xx.xxx.xx.xxx

Testing SSL server example2.com on port 443 using SNI name example2.com

  SSL/TLS Protocols:
SSLv2     disabled
SSLv3     disabled
TLSv1.0   enabled
TLSv1.1   enabled
TLSv1.2   enabled
TLSv1.3   disabled

  TLS Fallback SCSV:
Server supports TLS Fallback SCSV

  TLS renegotiation:
Secure session renegotiation supported

  TLS Compression:
OpenSSL version does not support compression
Rebuild with zlib1g-dev package for zlib support

  Heartbleed:
TLSv1.2 not vulnerable to heartbleed
TLSv1.1 not vulnerable to heartbleed
TLSv1.0 not vulnerable to heartbleed

  Supported Server Cipher(s):
Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA384       Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-GCM-SHA384     DHE 1024 bits
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-SHA256         DHE 1024 bits
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-SHA            DHE 1024 bits
Accepted  TLSv1.2  256 bits  DHE-RSA-CAMELLIA256-SHA       DHE 1024 bits
Accepted  TLSv1.2  256 bits  AES256-GCM-SHA384            
Accepted  TLSv1.2  256 bits  AES256-SHA256                
Accepted  TLSv1.2  256 bits  AES256-SHA                   
Accepted  TLSv1.2  256 bits  CAMELLIA256-SHA              
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA256       Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA          Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-GCM-SHA256     DHE 1024 bits
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-SHA256         DHE 1024 bits
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-SHA            DHE 1024 bits
Accepted  TLSv1.2  128 bits  DHE-RSA-CAMELLIA128-SHA       DHE 1024 bits
Accepted  TLSv1.2  128 bits  AES128-GCM-SHA256            
Accepted  TLSv1.2  128 bits  AES128-SHA256                
Accepted  TLSv1.2  128 bits  AES128-SHA                   
Accepted  TLSv1.2  128 bits  CAMELLIA128-SHA              
Preferred TLSv1.1  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
Accepted  TLSv1.1  256 bits  DHE-RSA-AES256-SHA            DHE 1024 bits
Accepted  TLSv1.1  256 bits  DHE-RSA-CAMELLIA256-SHA       DHE 1024 bits
Accepted  TLSv1.1  256 bits  AES256-SHA                   
Accepted  TLSv1.1  256 bits  CAMELLIA256-SHA              
Accepted  TLSv1.1  128 bits  ECDHE-RSA-AES128-SHA          Curve P-256 DHE 256
Accepted  TLSv1.1  128 bits  DHE-RSA-AES128-SHA            DHE 1024 bits
Accepted  TLSv1.1  128 bits  DHE-RSA-CAMELLIA128-SHA       DHE 1024 bits
Accepted  TLSv1.1  128 bits  AES128-SHA                   
Accepted  TLSv1.1  128 bits  CAMELLIA128-SHA              
Preferred TLSv1.0  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
Accepted  TLSv1.0  256 bits  DHE-RSA-AES256-SHA            DHE 1024 bits
Accepted  TLSv1.0  256 bits  DHE-RSA-CAMELLIA256-SHA       DHE 1024 bits
Accepted  TLSv1.0  256 bits  AES256-SHA                   
Accepted  TLSv1.0  256 bits  CAMELLIA256-SHA              
Accepted  TLSv1.0  128 bits  ECDHE-RSA-AES128-SHA          Curve P-256 DHE 256
Accepted  TLSv1.0  128 bits  DHE-RSA-AES128-SHA            DHE 1024 bits
Accepted  TLSv1.0  128 bits  DHE-RSA-CAMELLIA128-SHA       DHE 1024 bits
Accepted  TLSv1.0  128 bits  AES128-SHA                   
Accepted  TLSv1.0  128 bits  CAMELLIA128-SHA              

  Server Key Exchange Group(s):
TLSv1.2  128 bits  secp256r1 (NIST P-256)

  SSL Certificate:
Signature Algorithm: sha256WithRSAEncryption
RSA Key Strength:    4096

Subject:  example2.com
Altnames: DNS:example2.com
Issuer:   R3

Not valid before: Dec 17 21:00:13 2021 GMT
Not valid after:  Mar 17 21:00:12 2022 GMT

$ dpkg -l | grep openssl
ii  openssl                          1.0.1k-3+deb8u2                                amd64        Secure Sockets Layer toolkit - cryptographic utility

$ cat /etc/nginx/nginx.conf | grep ssl
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;

$ dpkg -l | grep nginx
ii  nginx                            1.6.2-5                                        all          small, powerful, scalable web/proxy server
ii  nginx-common                     1.6.2-5                                        all          small, powerful, scalable web/proxy server - common files
ii  nginx-full                       1.6.2-5                                        amd64        nginx web/proxy server (standard version)

What's wrong with the first server? How do I make https work?

2030
0 + 0
ssl
cn flag
Bob
At first glance you only show external observations but omit showing how the server is supposed to be configured.
2
Reply
Paul avatar
cn flag
Paul
Please post your full nginx configuration.
0
Reply
cn flag
x-yuri
@Paul https://gist.github.com/x-yuri/3c3a58bdd6d52b6816192eda6c6c9c91 Nothing unusual at first glance. And I'm not really sure the issue is with `nginx`.
0
Reply
cn flag
x-yuri
@Bob I'm not sure the issue is with `nginx`, but see the link above.
0
Reply
Score:2
avatar Server
cn flag
x-yuri

One of the servers (in terms of nginx) had listen 443 ssl, but no ssl_* directives. Under such circumstances you get the symptoms described in the question. That is, an issue with one server (virtual host) was affecting the other (the rest).

In the error log of the faulty server you'll see:

2022/01/12 02:44:46 [error] 445#0: *23 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: xx.xxx.xx.xxx, server: 0.0.0.0:443

0 + 0
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.