Nginx – In nginx error log: “SSL_BYTES_TO_CIPHER_LIST:inappropriate fallback”

nginxopensslssl

We recently changed our nginx config to support TLSv1.2 as well as a number of more secure ciphers. Since the change, our nginx error logs have been filled with the following errors:

2015/01/28 23:55:57 [crit] 16898#0: *18712916 SSL_do_handshake()
failed (SSL: error:140A1175:SSL
routines:SSL_BYTES_TO_CIPHER_LIST:inappropriate fallback) while SSL
handshaking, client: ..., server: 0.0.0.0:443

Our nginx config is as follows:

server {
  root   /var/www/fl/current/public;

  listen              443;
  ssl                 on;
  ssl_certificate     /etc/nginx/ssl/wildcard.pem;
  ssl_certificate_key /etc/nginx/ssl/wildcard.key;
  ssl_session_timeout 5m;
  ssl_session_cache shared:SSL:50m;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
  ssl_prefer_server_ciphers on;

We've gotten a few emails about users not being able to access the site. One user said this is the error they get in Firefox:

Secure Connection Failed

An error occurred during a connection to ******.com. The server
rejected the handshake because the client downgraded to a lower TLS
version than the server supports. (Error code:
ssl_error_inappropriate_fallback_alert)

The page you are trying to view cannot be shown because the
authenticity of the received data could not be verified.

If I understand correctly, then the fallback alert is a security precaution when the client is using a lower version of TLS than what it and the server support. This error seems to make a lot of sense given that we now support a higher protocol version. What I don't understand is why this change would cause issues for some users when connecting to our site. Is this a fault in our configuration or their browser?

We now score an 'A' on Qualys SSL Server Test, so I am hesitant to revert back to our old config.

Best Answer

Browsers usually do a SSLv23 handshake. With this handshake they announce the best protocol version they support (mostly TLS1.2 today) but don't restrict the server to this version. Thus a server, which has a properly implemented and configured TLS stack but only supports TLS1.0, will simply reply with TLS1.0 and the connection will succeed on the first try.

But, there are some bad TLS stacks or misconfigurations or some bad middleboxes (load balancer etc) on the servers side, which cause this SSLv23 handshake to fail. In this cases browsers downgrade the protocol used in the handshake, that is they try with an explicit TLS1.0 handshake followed by an explicit SSL3.0 handshake (some browsers have disabled SSL3.0 already and thus don't try this).

Newer browsers will use the TLS_FALLBACK_SCSV pseudo-cipher if they do such a downgraded connection. If the server capable of TLS_FALLBACK_SCSV detects a downgraded connection with a lower protocol version it supports (e.g. downgrade uses TLS1.0 but server supports TLS1.2) than it assumes that a POODLE-like attack happens and will close the connection.

But why might a client downgrade in the first place when contacting your server?

You might have a broken load balancer in front, which causes hickups with some requests.
Your server or some anti-DOS device in front might simply close connections on high load before the SSL handshake finished. In this case the browser will assume a protocol problem and retry with a downgraded version.
Any other kinds of problems like out of memory etc which can cause random close within the SSL handshake.

Related Solutions

Nginx/Apache: set HSTS only if X-Forwarded-Proto is https

You could have multiple server blocks. So just add new server block for domains that need HSTS.

server {
    listen xx.xx.xxx.xxx:443 ssl default_server;

    # all ssl stuff
    # and other directives
}

server {
    listen xx.xx.xxx.xxx:443 ssl;
    server_name example.com other.example.com;

    # all ssl stuff
    # and other directives with HSTS enabled
}

Here first block will handle all https connections except example.com and other.example.com.

And you don't need ssl on directive if you have ssl flag in listen.

EDIT

There is another solution with only one server block:

map $scheme:$host $hsts_header {
    default "";
    https:example.com "max-age=31536000";
    https:other.example.com "max-age=31536000";
}

server {
    server_tokens off;

    listen xx.xx.xxx.xxx:80;
    listen xx.xx.xxx.xxx:443 ssl;

    ssl_certificate /etc/ssl/foo.crt;
    ssl_certificate_key /etc/ssl/private/foo.key;

    ssl_session_timeout 10m;

    # ... other ssl stuff

    location / {
        proxy_pass http://127.0.0.1:81;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header Host $host;
        add_header X-XSS-Protection "1; mode=block";
        add_header Strict-Transport-Security $hsts_header;
    }
}

We use map to define HSTS header value and use the fact, than nginx will not add header with empty value.

Nginx – OCSP validation – unable to get local issuer certificate

Those two errors was unrelated although the error message was same.

[...]SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 [...] Start Time: 1411583991 Timeout : 300 (sec) Verify return code: 20 (unable to get local issuer certificate)

Above error was issued openssl_client command. As explained by Florian Heigl, you get this error because the openssl_client need the Globalsign Root cert in /etc/ssl/certs.

OCSP_basic_verify() failed (SSL: error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:Verify error:unable to get local issuer certificate) while requesting certificate status, responder: gv.symcd.com

For this error, it was issued by nginx ocsp routine, especially when you add ssl_stapling_verify on; line in nginx.conf.

Here some excerpt from the documentation of ssl_stapling_verify to explain why it throws the error

Syntax: ssl_stapling_verify on | off;

Enables or disables verification of OCSP responses by the server.

For verification to work, the certificate of the server certificate issuer, the root certificate, and all intermediate certificates should be configured as trusted using the ssl_trusted_certificate directive.

In other words, you need provide (2) Intermediate CA Bundle (RapidSSL SHA256 CA - G3) and (3) Intermediate CA Bundle (GeoTrust Global CA) to ssl_trusted_certificate directive.

cat GeoTrustGlobalCA.crt rapidsslG3.crt > ocsp-chain.crt

and add ocsp-chain.crt to ssl_trusted_certificate directive.

Best Answer

Related Solutions

Nginx/Apache: set HSTS only if X-Forwarded-Proto is https

Nginx – OCSP validation – unable to get local issuer certificate

Related Topic