<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /></head><body style='font-size: 10pt; font-family: Arial,Helvetica,sans-serif'>
<p> </p>
<div>Dear maintainers,</div>
<div> </div>
<div>I came across a problem where SSLv3 simply does not work with the current stable libssl1.0.0 (1.0.1k-3+deb8u1) in Debian Jessie (amd64).</div>
<div> </div>
<div>Please find the logs below; let me know if you need more details. I think they should be pretty self-explanatory.</div>
<div> </div>
<div><span style="font-family: courier new,courier,monospace; font-size: 8pt;">root@debian:~/nginx-debug# nginx -p ~/nginx-debug -c nginx.conf</span><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt;">2015/07/06 03:28:39 [debug] 22474#0: epoll add event: fd:6 op:1 ev:00002001</span></div>
<div> </div>
<div> </div>
<div><span style="font-family: courier new,courier,monospace; font-size: 8pt;">root@debian:~/nginx-debug# openssl s_client -connect localhost:4443 -ssl3</span><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt;">...</span><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt;">SSL-Session:</span><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt; color: #ff0000;">    Protocol  : SSLv3</span><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt; color: #ff0000;">    Cipher    : 0000</span><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt;">...</span></div>
<div> </div>
<div><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt;">2015/07/06 03:28:41 [debug] 22474#0: accept on 0.0.0.0:4443, ready: 0</span><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt;">2015/07/06 03:28:41 [debug] 22474#0: posix_memalign: 0000000001D45A10:256 @16</span><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt;">2015/07/06 03:28:41 [debug] 22474#0: *1 accept: 127.0.0.1 fd:3</span><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt;">2015/07/06 03:28:41 [debug] 22474#0: posix_memalign: 0000000001D210B0:256 @16</span><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt;">2015/07/06 03:28:41 [debug] 22474#0: *1 event timer add: 3: 60000:1436167781415</span><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt;">2015/07/06 03:28:41 [debug] 22474#0: *1 reusable connection: 1</span><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt;">2015/07/06 03:28:41 [debug] 22474#0: *1 epoll add event: fd:3 op:1 ev:80002001</span><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt;">2015/07/06 03:28:41 [debug] 22474#0: *1 http check ssl handshake</span><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt;">2015/07/06 03:28:41 [debug] 22474#0: *1 http recv(): 1</span><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt;">2015/07/06 03:28:41 [debug] 22474#0: *1 https ssl handshake: 0x16</span><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt;">2015/07/06 03:28:41 [debug] 22474#0: *1 SSL_do_handshake: -1</span><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt; color: #ff0000;">2015/07/06 03:28:41 [debug] 22474#0: *1 <strong>SSL_get_error: 1</strong></span><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt; color: #ff0000;">2015/07/06 
03:28:41 [crit] 22474#0: *1 <strong>SSL_do_handshake() failed</strong> (SSL: error:14076102:SSL routines:SSL23_GET_CLIENT_HELLO:unsupported protocol) while SSL handshaking, client: 127.0.0.1, server: 0.0.0.0:4443</span><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt;">2015/07/06 03:28:41 [debug] 22474#0: *1 close http connection: 3</span><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt;">2015/07/06 03:28:41 [debug] 22474#0: *1 SSL_shutdown: 1</span><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt;">2015/07/06 03:28:41 [debug] 22474#0: *1 event timer del: 3: 1436167781415</span><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt;">2015/07/06 03:28:41 [debug] 22474#0: *1 reusable connection: 0</span><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt;">2015/07/06 03:28:41 [debug] 22474#0: *1 free: 0000000001D45A10, unused: 16</span><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt;">2015/07/06 03:28:41 [debug] 22474#0: *1 free: 0000000001D210B0, unused: 136</span><br /><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt;"></span><br /><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt;">root@debian:~/nginx-debug# dpkg -l libssl1.0.0</span><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt;">ii  libssl1.0.0:amd64                                     1.0.1k-3+deb8u1                 amd64                           Secure Sockets Layer toolkit - shared libraries</span><br /><br /></div>
<div> </div>
<div><span style="font-size: 12pt;"><strong>Downgrading to Wheezy stable libssl1.0.0</strong></span> <em><strong> (it also works when nginx is built from source with --with-openssl=../openssl-1.0.1k, for example; the whole line I was using: root@www:~/nginx-1.6.2# ./configure --without-http_rewrite_module --without-http_gzip_module --with-http_ssl_module --with-openssl=../openssl-1.0.1k --with-ipv6 --with-debug)</strong></em></div>
<div><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt;">root@debian:~/nginx-debug# dpkg -i downgrade/libssl1.0.0_1.0.1e-2+deb7u17_amd64.deb</span><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt;">root@debian:~/nginx-debug# dpkg -l libssl1.0.0</span><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt;">ii  <strong>libssl1.0.0</strong>:amd64                                     <strong>1.0.1e-2+deb7u17</strong>                amd64                           SSL shared libraries</span><br /><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt;">root@debian:~/nginx-debug# nginx -p ~/nginx-debug -c nginx.conf</span><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt;">2015/07/06 03:29:35 [debug] 22514#0: epoll add event: fd:6 op:1 ev:00002001</span><br /><br /><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt;">root@debian:~/nginx-debug# nginx -p ~/nginx-debug -c nginx.conf</span><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt;">2015/07/06 03:30:30 [debug] 22518#0: epoll add event: fd:6 op:1 ev:00002001</span></div>
<div> </div>
<div><span style="font-family: courier new,courier,monospace; font-size: 8pt;">root@debian:~/nginx-debug# openssl s_client -connect localhost:4443 -ssl3</span><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt;">...</span><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt;">SSL-Session:</span><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt;">    Protocol  : SSLv3</span><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt;">    Cipher    : ECDHE-RSA-AES256-SHA</span><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt;">...</span></div>
<div><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt;">2015/07/06 03:30:33 [debug] 22518#0: accept on 0.0.0.0:4443, ready: 0</span><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt;">2015/07/06 03:30:33 [debug] 22518#0: posix_memalign: 0000000002516A90:256 @16</span><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt;">2015/07/06 03:30:33 [debug] 22518#0: *1 accept: 127.0.0.1 fd:3</span><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt;">2015/07/06 03:30:33 [debug] 22518#0: posix_memalign: 00000000024F2130:256 @16</span><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt;">2015/07/06 03:30:33 [debug] 22518#0: *1 event timer add: 3: 60000:1436167893670</span><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt;">2015/07/06 03:30:33 [debug] 22518#0: *1 reusable connection: 1</span><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt;">2015/07/06 03:30:33 [debug] 22518#0: *1 epoll add event: fd:3 op:1 ev:80002001</span><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt;">2015/07/06 03:30:33 [debug] 22518#0: *1 http check ssl handshake</span><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt;">2015/07/06 03:30:33 [debug] 22518#0: *1 http recv(): 1</span><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt;">2015/07/06 03:30:33 [debug] 22518#0: *1 https ssl handshake: 0x16</span><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt;">2015/07/06 03:30:33 [debug] 22518#0: *1 SSL_do_handshake: -1</span><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt; color: #008000;">2015/07/06 03:30:33 [debug] 22518#0: *1 <strong>SSL_get_error: 2</strong></span><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt;">2015/07/06 03:30:33 [debug] 
22518#0: *1 reusable connection: 0</span><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt;">2015/07/06 03:30:33 [debug] 22518#0: *1 SSL handshake handler: 0</span><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt;">2015/07/06 03:30:33 [debug] 22518#0: *1 SSL_do_handshake: 1</span><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt; color: #008000;">2015/07/06 03:30:33 [debug] 22518#0: *1 <strong>SSL: SSLv3</strong>, cipher: "ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1"</span><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt;">2015/07/06 03:30:33 [debug] 22518#0: *1 reusable connection: 1</span><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt;">2015/07/06 03:30:33 [debug] 22518#0: *1 http wait request handler</span><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt;">2015/07/06 03:30:33 [debug] 22518#0: *1 malloc: 00000000024FA040:1024</span><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt;">2015/07/06 03:30:33 [debug] 22518#0: *1 SSL_read: -1</span><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt;">2015/07/06 03:30:33 [debug] 22518#0: *1 SSL_get_error: 2</span><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt;">2015/07/06 03:30:33 [debug] 22518#0: *1 free: 00000000024FA040</span><br /><br /></div>
<div> </div>
<div><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt;">root@debian:~/nginx-debug# cat nginx.conf</span><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt;">daemon off;</span><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt;">worker_processes  1;</span><br /><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt;">events {</span><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt;">    worker_connections  1024;</span><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt;">}</span><br /><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt;">http {</span><br /><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt;">ssl_protocols <strong>SSLv3</strong> TLSv1.2;</span><br /><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt;">ssl_certificate /root/nginx-debug/cert.pem;</span><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt;">ssl_certificate_key /root/nginx-debug/cert.key;</span><br /><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt;">server {</span><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt;">        listen 4443 ssl;</span><br /><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt;">        error_log stderr debug;</span><br /><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt;">                location / {</span><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt;">                    root   html;</span><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt;">                    index  index.html index.htm;</span><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt;">                }</span><br /><span style="font-family: 
courier new,courier,monospace; font-size: 8pt;">        }</span><br /><span style="font-family: courier new,courier,monospace; font-size: 8pt;">}</span></div>
<div> </div>
<div><span style="font-family: courier new,courier,monospace; font-size: 8pt;">root@debian:~/nginx-debug# ls -lad cert.* logs nginx.conf<br />-rw------- 1 root root 1704 Jul  6 02:43 cert.key<br />-rw-r--r-- 1 root root 1428 Jul  6 02:43 cert.pem<br />drwxr-xr-x 2 root root 4096 Jul  6 03:19 logs<br />-rw-r--r-- 1 root root  665 Jul  6 02:43 nginx.conf<br /></span></div>
<div> </div>
<div> </div>
<div>Please let me know if you are planning to fix this. There are particular outdated apps that are still using SSLv3, and it would be wonderful to have it for backwards compatibility. (Current stable Jessie's nginx by default does not use SSLv3.)</div>
<div> </div>
<div> </div>
<div>-- <br />
<p><span style="font-family: arial,helvetica,sans-serif; color: #808080;">kind regards</span><br /><strong><span style="font-family: arial,helvetica,sans-serif; color: #808080;">andrey arapov</span></strong></p>
</div>
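<div> </div>
<div>The two openssl s_client -ssl3 transcripts in the report also show how to audit a server from the other direction, i.e. to check whether it still accepts SSLv3, a protocol considered unsafe since POODLE (CVE-2014-3566). The POSIX shell script below is an added example, not code from the bug report, from Debian or from nginx: it classifies s_client output the same way the two SSL-Session blocks above can be read (a "Cipher : 0000" line after "SSL-Session:" means the server refused the handshake, as in the first transcript; a real cipher name means it was negotiated, as in the second) and then probes a host once per protocol flag. The function names, the output format and the two embedded sample transcripts are this example's own assumptions; the samples are constructed to mirror the report, and the host to scan is yours to supply.</div>

```shell
#!/bin/sh
# Added example (not from the bug report, Debian or nginx): classify the
# SSL-Session block that `openssl s_client` prints and use it to probe which
# protocol versions a server still accepts. Function names, output format and
# the sample transcripts below are this example's own assumptions.

# Read one s_client transcript on stdin and print a single line:
#   accepted <proto> <cipher>  handshake completed with that protocol and cipher
#   rejected <proto>           server refused; s_client then shows "Cipher : 0000"
#   untestable                 the local openssl does not know the -sslN/-tlsN flag
#                              (it was built without that protocol version)
classify_s_client() {
    awk '
        BEGIN             { proto = "?" }
        /unknown option/  { untestable = 1 }
        /^ *Protocol *:/  { proto = $3 }
        /^ *Cipher *:/    { cipher = $3 }
        END {
            if (untestable) { print "untestable"; exit }
            if (cipher == "" || cipher == "0000") { print "rejected " proto; exit }
            print "accepted " proto " " cipher
        }'
}

# Probe host:port once per protocol flag. stdin is /dev/null so s_client
# exits right after the handshake instead of waiting for request data.
probe_protocols() {
    host=$1
    port=${2:-443}
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2; do
        verdict=$(openssl s_client -connect "$host:$port" "$flag" </dev/null 2>&1 | classify_s_client)
        printf '%s %-8s %s\n' "$host:$port" "$flag" "$verdict"
    done
}

# Constructed transcripts mirroring the two SSL-Session blocks in the report:
# the first from the failing Jessie libssl, the second after the downgrade.
SAMPLE_REJECTED='SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000'
SAMPLE_ACCEPTED='SSL-Session:
    Protocol  : SSLv3
    Cipher    : ECDHE-RSA-AES256-SHA'

# With no arguments: offline demonstration on the constructed samples.
# With "--probe HOST [PORT]": scan a real endpoint (hostname is an assumption
# you supply; nothing is contacted by default).
case "${1:-}" in
    --probe) probe_protocols "$2" "$3" ;;
    *)
        printf 'sample 1: %s\n' "$(printf '%s\n' "$SAMPLE_REJECTED" | classify_s_client)"
        printf 'sample 2: %s\n' "$(printf '%s\n' "$SAMPLE_ACCEPTED" | classify_s_client)"
        ;;
esac
```

<div>Run it with no arguments for the offline demonstration, or with --probe HOST PORT against an endpoint you are allowed to test. An "untestable" verdict means the scanning machine's own openssl was built without that protocol, so a different client is needed before concluding anything about the server. If the goal is to stop accepting SSLv3 rather than to restore it, the ssl_protocols SSLv3 TLSv1.2; line in the report's nginx.conf becomes ssl_protocols TLSv1.2; and the -ssl3 probe should then report "rejected".</div>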
<p> </p>
</body></html>