{
  "id": "nginx/ssl-handshake-failed-client-hello",
  "signature": "SSL_do_handshake() failed (SSL: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure) while SSL handshaking to upstream",
  "signature_zh": "SSL握手失败",
  "regex": "SSL_do_handshake\\(\\) failed \\(SSL: error:14094410",
  "domain": "nginx",
  "category": "auth_error",
  "subcategory": null,
  "root_cause": "TLS handshake failure between nginx and upstream: the upstream answered nginx's handshake with a handshake_failure alert, often due to cipher mismatch, protocol version incompatibility, or certificate validation errors.",
  "root_cause_type": "generic",
  "root_cause_zh": "nginx与上游之间的TLS握手失败：上游以 handshake_failure 警报回应了nginx的握手，通常由密码套件不匹配、协议版本不兼容或证书验证错误引起。",
  "versions": [
    {
      "version": "nginx 1.20.0",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "nginx 1.22.1",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "nginx 1.25.0",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    }
  ],
  "os_specific": {},
  "dead_ends": [
    {
      "action": "",
      "why_fails": "Setting 'proxy_ssl_verify off;' only stops nginx from verifying the upstream certificate, so the upstream is no longer authenticated; it does not fix the underlying TLS incompatibility, and the handshake may still fail.",
      "fail_rate": 0.55,
      "condition": "",
      "sources": []
    },
    {
      "action": "",
      "why_fails": "The issue is usually on the upstream server side; upgrading nginx alone does not fix upstream TLS configuration.",
      "fail_rate": 0.7,
      "condition": "",
      "sources": []
    },
    {
      "action": "",
      "why_fails": "Restarting does not change TLS settings; if the handshake fails due to cipher mismatch, restarting is ineffective.",
      "fail_rate": 0.85,
      "condition": "",
      "sources": []
    }
  ],
  "workarounds": [
    {
      "action": "Ensure upstream server supports TLS 1.2 or higher. In nginx, set:\nproxy_ssl_protocols TLSv1.2 TLSv1.3;\nproxy_ssl_ciphers HIGH:!aNULL:!MD5;\nThis restricts protocols and ciphers to modern versions.",
      "success_rate": 0.8,
      "how": "Ensure upstream server supports TLS 1.2 or higher. In nginx, set:\nproxy_ssl_protocols TLSv1.2 TLSv1.3;\nproxy_ssl_ciphers HIGH:!aNULL:!MD5;\nThis restricts protocols and ciphers to modern versions.",
      "condition": "",
      "sources": []
    },
    {
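      "action": "Check upstream certificate chain: run 'openssl s_client -connect upstream_host:443 -showcerts' to verify certificate validity and intermediate CA completeness. Recent OpenSSL versions send SNI from s_client by default, whereas nginx sends SNI to the upstream only with 'proxy_ssl_server_name on;', so this test can succeed while nginx still fails.",
      "success_rate": 0.85,
      "how": "Check upstream certificate chain: run 'openssl s_client -connect upstream_host:443 -showcerts' to verify certificate validity and intermediate CA completeness. Recent OpenSSL versions send SNI from s_client by default, whereas nginx sends SNI to the upstream only with 'proxy_ssl_server_name on;', so this test can succeed while nginx still fails.",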
      "condition": "",
      "sources": []
    },
    {
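      "action": "If upstream uses a self-signed certificate, add that certificate (or, for a privately issued one, its CA certificate) to a PEM file nginx trusts and set:\nproxy_ssl_verify on;\nproxy_ssl_trusted_certificate /path/to/ca.crt;\nWith verification on, nginx checks the certificate against the host in proxy_pass unless proxy_ssl_name overrides it.",
      "success_rate": 0.75,
      "how": "If upstream uses a self-signed certificate, add that certificate (or, for a privately issued one, its CA certificate) to a PEM file nginx trusts and set:\nproxy_ssl_verify on;\nproxy_ssl_trusted_certificate /path/to/ca.crt;\nWith verification on, nginx checks the certificate against the host in proxy_pass unless proxy_ssl_name overrides it.",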
      "condition": "",
      "sources": []
    }
  ],
  "workarounds_zh": [
    "Ensure upstream server supports TLS 1.2 or higher. In nginx, set:\nproxy_ssl_protocols TLSv1.2 TLSv1.3;\nproxy_ssl_ciphers HIGH:!aNULL:!MD5;\nThis restricts protocols and ciphers to modern versions.",
    "Check upstream certificate chain: run 'openssl s_client -connect upstream_host:443 -showcerts' to verify certificate validity and intermediate CA completeness.",
    "If upstream uses a self-signed certificate, add its CA to nginx's trust store and set:\nproxy_ssl_verify on;\nproxy_ssl_trusted_certificate /path/to/ca.crt;"
  ],
  "transition_graph": {
    "leads_to": [],
    "preceded_by": [],
    "frequently_confused_with": []
  },
  "official_doc_url": "https://nginx.org/en/docs/http/ngx_http_upstream_module.html#proxy_ssl",
  "official_doc_section": null,
  "error_code": null,
  "verification_tier": "ai_generated",
  "confidence": 0.88,
  "fix_success_rate": 0.82,
  "resolvable": "true",
  "first_seen": "2024-01-10",
  "last_confirmed": "2024-06-01",
  "last_updated": "2024-06-01",
  "evidence_count": 1,
  "tags": [],
  "locale": "en",
  "aliases": []
}