这一块看起来像是 Nginx 1.13.6 本身的问题？粗看你的配置里没有用到 OpenResty（OR）特有的 SSL 特性。
2017-12-04 13:08 GMT+08:00 Sean Wang <qiq...@gmail.com>:
> 在 openresty 1.13.6.1 下配置了 https 后，安卓客户端请求 https 时有一定概率出现异常，现象为请求失败或一直重复请求。切换到 1.11.2.5 则正常。
>
> error.log中有以下log
> 2017/12/04 02:38:02 [crit] 5241#0: *20212 SSL_do_handshake() failed (SSL:
> error:14094085:SSL routines:ssl3_read_bytes:ccs received early) while SSL
> handshaking, client: 64.41.200.104, server: 0.0.0.0:443
> 2017/12/04 02:38:02 [crit] 5242#0: *20219 SSL_do_handshake() failed (SSL:
> error:14094085:SSL routines:ssl3_read_bytes:ccs received early) while SSL
> handshaking, client: 64.41.200.104, server: 0.0.0.0:443
> 2017/12/04 02:28:08 [crit] 4509#0: *8199 SSL_do_handshake() failed (SSL:
> error:14094085:SSL routines:ssl3_read_bytes:ccs received early) while SSL
> handshaking, client: 52.80.76.124, server: 0.0.0.0:443
> 2017/12/04 02:28:08 [crit] 4510#0: *8222 SSL_do_handshake() failed (SSL:
> error:14094085:SSL routines:ssl3_read_bytes:ccs received early) while SSL
> handshaking, client: 52.80.76.124, server: 0.0.0.0:443
> 2017/12/04 02:28:10 [crit] 4509#0: *8338 SSL_do_handshake() failed (SSL:
> error:14094085:SSL routines:ssl3_read_bytes:ccs received early) while SSL
> handshaking, client: 54.223.238.101, server: 0.0.0.0:443
> 2017/12/04 02:28:10 [crit] 4510#0: *8354 SSL_do_handshake() failed (SSL:
> error:14094085:SSL routines:ssl3_read_bytes:ccs received early) while SSL
> handshaking, client: 54.223.238.101, server: 0.0.0.0:443
> 2017/12/04 02:28:15 [crit] 4509#0: *8663 SSL_do_handshake() failed (SSL:
> error:14094085:SSL routines:ssl3_read_bytes:ccs received early) while SSL
> handshaking, client: 52.80.76.124, server: 0.0.0.0:443
> 2017/12/04 02:28:15 [crit] 4510#0: *8688 SSL_do_handshake() failed (SSL:
> error:14094085:SSL routines:ssl3_read_bytes:ccs received early) while SSL
> handshaking, client: 52.80.76.124, server: 0.0.0.0:443
> 2017/12/04 02:28:21 [crit] 4510#0: *9065 SSL_do_handshake() failed (SSL:
> error:14094085:SSL routines:ssl3_read_bytes:ccs received early) while SSL
> handshaking, client: 52.80.76.124, server: 0.0.0.0:443
> 2017/12/04 02:28:21 [crit] 4509#0: *9078 SSL_do_handshake() failed (SSL:
> error:14094085:SSL routines:ssl3_read_bytes:ccs received early) while SSL
> handshaking, client: 52.80.76.124, server: 0.0.0.0:443
> 而且问题是概率性出现的：有时候正常，有时候异常。
>
> ios下正常
> 编译参数与版本信息
> nginx version: openresty/1.13.6.1
> built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC)
> built with OpenSSL 1.0.2m 2 Nov 2017
> TLS SNI support enabled
> configure arguments: --prefix=/usr/local/openresty/nginx --with-cc-opt=-O2
> --add-module=../ngx_devel_kit-0.3.0 --add-module=../echo-nginx-module-0.61
> --add-module=../xss-nginx-module-0.05 --add-module=../ngx_coolkit-0.2rc3
> --add-module=../set-misc-nginx-module-0.31
> --add-module=../form-input-nginx-module-0.12
> --add-module=../encrypted-session-nginx-module-0.07
> --add-module=../srcache-nginx-module-0.31 --add-module=../ngx_lua-0.10.11
> --add-module=../ngx_lua_upstream-0.07
> --add-module=../headers-more-nginx-module-0.33
> --add-module=../array-var-nginx-module-0.05
> --add-module=../memc-nginx-module-0.18
> --add-module=../redis2-nginx-module-0.14
> --add-module=../redis-nginx-module-0.3.7
> --add-module=../rds-json-nginx-module-0.15
> --add-module=../rds-csv-nginx-module-0.08
> --add-module=../ngx_stream_lua-0.0.3
> --with-ld-opt='-Wl,-rpath,/usr/local/openresty/luajit/lib -ljemalloc'
> --user=www --group=www --with-http_stub_status_module --with-http_v2_module
> --with-http_ssl_module --with-http_gzip_static_module
> --with-http_realip_module --with-http_flv_module --with-http_mp4_module
> --with-openssl=/root/oneinstack/src/openresty-1.13.6.1/../openssl-1.0.2m
> --with-pcre=/root/oneinstack/src/openresty-1.13.6.1/../pcre-8.41
> --with-pcre-jit --with-stream --with-stream_ssl_module
>
> openssl 已经使用最新的 1.0.2m 了。
> 配置文件不做任何改动，重新编译 1.11.2.5 则恢复正常。
> 已经尝试去掉 http/2，也同样出现异常。
>
> nginx 相关配置文件
> server {
> listen 80;
> listen 443 ssl http2;
> ssl_certificate ~~;
> ssl_certificate_key ~~;
> ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
> ssl_ciphers
> 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS';
> ssl_prefer_server_ciphers on;
> ssl_session_timeout 5m;
> ssl_session_cache shared:SSL:50m;
> ssl_session_tickets off;
> server_name ~~~;
> # access_log off;
> access_log ~~~ vhost;
> index index.html index.htm index.php;
> root ~~~~;
> include /usr/local/openresty/nginx/conf/rewrite/thinkphp.conf;
> #error_page 404 /404.html;
> #error_page 502 /502.html;
> location ~ [^/]\.php(/|$) {
> fastcgi_pass unix:/dev/shm/php-cgi.sock;
> fastcgi_index index.php;
> include fastcgi_params;
> set $real_script_name $fastcgi_script_name;
> if ($fastcgi_script_name ~ "^(.+?\.php)(/.+)$") {
> set $real_script_name $1;
> #set $path_info $2;
> }
> fastcgi_param SCRIPT_FILENAME $document_root$real_script_name;
> fastcgi_param SCRIPT_NAME $real_script_name;
> }
> location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|mp4|ico)$ {
> expires 30d;
> access_log off;
> }
> location ~ .*\.(js|css)?$ {
> expires 7d;
> access_log off;
> }
> location ~ /\.ht {
> deny all;
> }
> }
>
> --
>