# SSL handshake failed

- **ID:** `nginx/ssl-handshake-failed-client-hello`
- **Domain:** nginx
- **Category:** auth_error
- **Verification level:** ai_generated
- **Fix rate:** 82%

## Root cause

The TLS handshake between nginx (acting as the TLS client for a `proxy_pass https://...` upstream) and the upstream server fails. Typical causes are a cipher suite mismatch, a protocol version the two sides do not share (for example an upstream that only offers TLS 1.0/1.1 while nginx is restricted to TLS 1.2+), or a certificate verification error (incomplete chain, self-signed or untrusted issuer, name mismatch when verification is enabled).

## Version compatibility

| Version | Status | Introduced | Deprecated |
|------|------|------|------|
| nginx 1.20.0 | active | — | — |
| nginx 1.22.1 | active | — | — |
| nginx 1.25.0 | active | — | — |

## Solutions

1. Ensure the upstream server supports TLS 1.2 or higher, then restrict nginx to modern protocols and ciphers so the two sides negotiate a shared, non-anonymous suite:

   ```
   proxy_ssl_protocols TLSv1.2 TLSv1.3;
   proxy_ssl_ciphers HIGH:!aNULL:!MD5;
   ```

   If the upstream serves several host names, also enable SNI with `proxy_ssl_server_name` (off by default); many upstreams reject a ClientHello without it.
2. Check the upstream certificate chain from the nginx host to confirm certificate validity and that every intermediate CA is sent:

   ```
   openssl s_client -connect upstream_host:443 -showcerts
   ```

   A `Verify return code: 21 (unable to verify the first certificate)` usually means the upstream is serving its leaf certificate without the intermediate.
3. If the upstream uses a self-signed certificate, put that certificate (or the CA that issued it) in a file nginx can read and turn verification on. `proxy_ssl_verify` is off by default, so this step makes nginx stricter, not more lenient; nginx then also checks the certificate name against `proxy_ssl_name`, which defaults to the host in `proxy_pass`.

   ```
   proxy_ssl_verify on;
   proxy_ssl_trusted_certificate /path/to/ca.crt;
   ```
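The three steps above, worked through as one script. This is an added example for this page, not tooling from nginx or OpenSSL: it classifies an `openssl s_client` transcript into the failure classes the steps address (no shared protocol/cipher, missing intermediate, self-signed upstream) and emits the matching `proxy_ssl_*` directives. Both transcripts, the host name `upstream.example.internal` and the path `/etc/nginx/upstream-ca.crt` are constructed for the example; the verify codes 18 to 21 are OpenSSL's X509 verification error numbers. The live `probe_upstream` function needs network access and is not part of the offline demo.

```shell
#!/bin/sh
# Added example (not nginx's or OpenSSL's own code): classify an
# `openssl s_client` transcript, then print the proxy_ssl_* directives.
# Host names, paths and both transcripts are constructed for the example.

# Constructed transcript: upstream negotiated TLS 1.2 but sent only its leaf
# certificate, so the intermediate CA is missing (step 2's case).
SAMPLE_MISSING_INTERMEDIATE='CONNECTED(00000003)
depth=0 CN = upstream.example.internal
verify error:num=20:unable to get local issuer certificate
verify return:1
---
Certificate chain
 0 s:CN = upstream.example.internal
   i:CN = Example Intermediate CA
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 21 (unable to verify the first certificate)
---'

# Constructed transcript: no protocol/cipher shared with the upstream, so the
# handshake aborts before any certificate arrives (step 1's case). Note that
# s_client still prints "Verify return code: 0 (ok)" in this situation.
SAMPLE_NO_SHARED_PROTOCOL='CONNECTED(00000003)
SSL routines:ssl_choose_client_version:unsupported protocol
---
no peer certificate available
---
No client certificate CA names sent
---
New, (NONE), Cipher is (NONE)
    Protocol  : TLSv1.2
    Cipher    : 0000
    Verify return code: 0 (ok)
---'

# $1: transcript text. Prints one verdict:
#   handshake_failed | chain_incomplete | self_signed | verify_error | ok
tls_probe_verdict() {
    # Check for a missing peer certificate first: the "0 (ok)" verify code is
    # only meaningful once a certificate was actually received.
    if printf '%s\n' "$1" | grep -q 'no peer certificate available'; then
        echo handshake_failed
        return 0
    fi
    code=$(printf '%s\n' "$1" | sed -n 's/.*Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1)
    case "$code" in
        0)     echo ok ;;
        20|21) echo chain_incomplete ;;  # issuer not found locally / cannot verify leaf
        18|19) echo self_signed ;;       # self-signed leaf / self-signed cert in chain
        '')    echo handshake_failed ;;  # no verify line at all: connection dropped early
        *)     echo verify_error ;;      # expired, name mismatch, etc.: read the line
    esac
}

# $1: transcript text. Prints the negotiated protocol, or nothing if the
# handshake never completed (the Protocol line is then not meaningful).
negotiated_protocol() {
    if printf '%s\n' "$1" | grep -q 'Cipher is (NONE)'; then
        return 0
    fi
    printf '%s\n' "$1" | sed -n 's/^ *Protocol *: *\(.*\)$/\1/p' | head -n 1
}

# $1: verdict, $2: upstream host name (SNI + name check), $3: CA bundle path.
# Prints the proxy_ssl_* directives for a location that proxies to https://.
nginx_proxy_ssl_directives() {
    verdict=$1; name=$2; ca=$3
    echo "proxy_ssl_protocols TLSv1.2 TLSv1.3;"
    echo "proxy_ssl_ciphers HIGH:!aNULL:!MD5;"
    echo "proxy_ssl_server_name on;"     # send SNI; off by default in nginx
    echo "proxy_ssl_name $name;"         # name checked against the certificate
    case "$verdict" in
        ok|self_signed)
            # Self-signed upstream: the bundle holds its certificate (or its CA).
            echo "proxy_ssl_verify on;"
            echo "proxy_ssl_trusted_certificate $ca;" ;;
        chain_incomplete)
            # The real fix is on the upstream (install the intermediate); until
            # then the bundle must carry the intermediate as well as the root.
            echo "proxy_ssl_verify on;"
            echo "proxy_ssl_trusted_certificate $ca;" ;;
        *)
            echo "# no nginx-side fix: the upstream must offer a shared TLS 1.2+ protocol/cipher" ;;
    esac
}

# Live probe (needs network; not exercised by the offline demo below).
probe_upstream() {
    host=$1; port=${2:-443}; ca=$3
    set -- -connect "$host:$port" -servername "$host" -showcerts
    [ -n "$ca" ] && set -- "$@" -CAfile "$ca"
    tls_probe_verdict "$(openssl s_client "$@" </dev/null 2>&1)"
}

# Offline demo on the constructed transcripts.
for sample in "$SAMPLE_MISSING_INTERMEDIATE" "$SAMPLE_NO_SHARED_PROTOCOL"; do
    echo "verdict=$(tls_probe_verdict "$sample") protocol=$(negotiated_protocol "$sample")"
done
nginx_proxy_ssl_directives self_signed upstream.example.internal /etc/nginx/upstream-ca.crt
```

Run `probe_upstream upstream_host 443 /path/to/ca.crt` from the nginx host itself so that the probe sees the same network path, SNI and trust bundle nginx will use; a verdict of `handshake_failed` means the problem lies in step 1 and no `proxy_ssl_verify` setting will change it.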

## Ineffective attempts

- **Disabling certificate verification** — `proxy_ssl_verify off;` is already nginx's default; it skips chain checking but does not change protocol or cipher negotiation, so a handshake that fails there still fails. (55% failure rate)
- **Upgrading nginx** — The issue is usually on the upstream server side; upgrading nginx alone does not change the upstream's TLS configuration. (70% failure rate)
- **Restarting nginx** — A restart does not change TLS settings; if the handshake fails because of a cipher mismatch, restarting is ineffective. (85% failure rate)
