Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
799 views
in Technique[技术] by (71.8m points)

https - how to config Nginx ssl_ciphers to resolve handshake_failure error

jdk7 and okhttp3.12.12 call https api, one host (a.com) is ok,

*** ClientHello, TLSv1.2
    RandomCookie:  GMT: 1592631181 bytes = { ... }
    Session ID:  {}
    Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA]
    Compression Methods:  { 0 }
    Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
    Extension ec_point_formats, formats: [uncompressed]
    Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
    Extension server_name, server_name: [host_name: a.com]
    Extension renegotiation_info, renegotiated_connection: <empty>
    ***
    *** ServerHello, TLSv1.2
    RandomCookie:  GMT: 367988487 bytes = { ... }
    Session ID:  {...}
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    Compression Method: 0
    Extension renegotiation_info, renegotiated_connection: <empty>
    Extension ec_point_formats, formats: [uncompressed, ansiX962_compressed_prime, ansiX962_compressed_char2]
    ***

but another host (b.com) is failed,

main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

from ssllabs I know a.com supported cipher suites

enter image description here

and b.com supported cipher suites enter image description here

Want to know how to config b.com Nginx ssl_ciphers let the same client could also call b.com successfully? Does just append Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA] in ssl_ciphers work?


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)
等待大神答复

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...