
SSL handshake failure

SSL_do_handshake() failed (SSL: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure) while SSL handshaking to upstream

ID: nginx/ssl-handshake-failed-client-hello

82% fix rate
88% confidence
1 evidence item
First seen 2024-01-10

Version compatibility

Version       Status  Introduced  Deprecated  Notes
nginx 1.20.0  active
nginx 1.22.1  active
nginx 1.25.0  active

Root cause analysis

TLS handshake failure between nginx and the upstream, usually caused by a cipher suite mismatch, protocol version incompatibility, or certificate validation errors.

Official documentation

https://nginx.org/en/docs/http/ngx_http_upstream_module.html#proxy_ssl

Solution

  1. Ensure the upstream server supports TLS 1.2 or higher. In nginx, set:
     proxy_ssl_protocols TLSv1.2 TLSv1.3;
     proxy_ssl_ciphers HIGH:!aNULL:!MD5;
     This restricts the protocols and ciphers offered to the upstream to modern ones.
  2. Check the upstream certificate chain: run 'openssl s_client -connect upstream_host:443 -showcerts' to verify certificate validity and that the intermediate CAs are complete.
  3. If the upstream uses a self-signed certificate, add its CA to nginx's trust store and set:
     proxy_ssl_verify on;
     proxy_ssl_trusted_certificate /path/to/ca.crt;
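The three steps above combined into one proxied-TLS server block, as an added example that is not part of the original page. It also enables SNI toward the upstream (proxy_ssl_server_name / proxy_ssl_name), which matters because the default proxy_ssl_name for an upstream group is the group name, and an upstream that selects its certificate by SNI will otherwise reject the handshake; the hostnames and certificate paths are assumptions.

```nginx
# Added example, not the page's own configuration.
# Assumed names: backend.internal.example (upstream), /etc/nginx/certs/* (cert paths).
upstream backend_tls {
    server backend.internal.example:443;
}

server {
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate     /etc/nginx/certs/frontend.crt;
    ssl_certificate_key /etc/nginx/certs/frontend.key;

    location / {
        proxy_pass https://backend_tls;

        # Step 1: offer only modern protocol versions and ciphers to the upstream
        proxy_ssl_protocols TLSv1.2 TLSv1.3;
        proxy_ssl_ciphers   HIGH:!aNULL:!MD5;

        # Send the real hostname as SNI; with an upstream group, proxy_ssl_name
        # would otherwise default to "backend_tls"
        proxy_ssl_server_name on;
        proxy_ssl_name backend.internal.example;

        # Step 3: verify the upstream chain against a pinned CA instead of
        # turning verification off; depth 2 allows one intermediate CA
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/nginx/certs/upstream-ca.crt;

        # Step 2 is a diagnostic, not config: confirm the chain first with
        #   openssl s_client -connect backend.internal.example:443 -showcerts
    }
}
```

Run nginx -t after editing; a missing or unreadable CA file fails validation at load time rather than at the first proxied request.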

Ineffective attempts

Common but ineffective approaches:

  1. 55% failure rate

    Setting 'proxy_ssl_verify off;' bypasses verification but does not fix the underlying TLS incompatibility; handshake may still fail.

  2. 70% failure rate

    The issue is usually on the upstream server side; upgrading nginx alone does not fix upstream TLS configuration.

  3. 85% failure rate

    Restarting does not change TLS settings; if the handshake fails due to cipher mismatch, restarting is ineffective.