
SSL Some errors

Discussion in 'Nginx, PHP-FPM & MariaDB MySQL' started by Sunka, Apr 4, 2017.

  1. Sunka

    Sunka Well-Known Member

    1,150
    325
    83
    Oct 31, 2015
    Pula, Croatia
    Ratings:
    +525
    Local Time:
    1:10 PM
    Nginx 1.17.9
    MariaDB 10.3.22
    Please fill in any relevant information that applies to you:
    • CentOS Version: CentOS 7 64bit
    • Centmin Mod Version Installed: 123.09beta01
    • Nginx Version Installed: 1.11.12
    • PHP Version Installed: 7.1.3
    • MariaDB MySQL Version Installed: 10.1.22
    • When was the last time the Centmin Mod code base was updated?: today, several times
    • Persistent Config:
      Code (Text):
      NGINX_LIBBROTLI=y # Brotli extension
      NGXDYNAMIC_BROTLI=y # Brotli dynamic module extension
      NGINX_PAGESPEED=n # nginx page speed
      NGXDYNAMIC_NGXPAGESPEED=n # nginx dynamic page speed
      PHP_MEMCACHE=n # memcache PHP extension
      PHP_MEMCACHED=n # memcached PHP extension
      PHP_PGO='y' # PGO Let It Go - Profile Guided Optimizations for PHP 7
      PHPPGO_INDEXPATH='/home/nginx/domains/pijanitvor.com/public/index.php' # path for PGO training
      AUDITD_ENABLE='y' # Auditd script
      RCLONE_ENABLE='y' # Rclone script
      NGINX_DEVTOOLSETGCC='y' # use gcc instead of clang to compile nginx
      DEVTOOLSETSIX='y' # use the gcc 6.x toolchain instead of the default 5.x
      CLANG='n' # required for gcc compilation of nginx
      CRYPTO_DEVTOOLSETGCC='y' # newer Intel GCC
      NGX_LDGOLD='y' # Nginx support for using ld.gold linker
      NGX_GSPLITDWARF='y' # Nginx support for using ld.gold linker
      PHP_GSPLITDWARF='y' # Nginx/php support for using ld.gold linker
      NGINX_ZLIBCUSTOM='y' # add custom zlib 1.2.11+ version support to Nginx compiles - https://goo.gl/1WNZcH

    I copied my post from RoldanLT's thread to have my own thread, because the errors are maybe not related.

    My forum went down for 1.5 hours last night.
    The only error I can see is:

    Code (Text):
    # tail -10 /usr/local/nginx/logs/error.log
    2017/04/04 04:55:38 [error] 1895#1895: ocsp.comodoca.com could not be resolved (110: Operation timed out) while requesting certificate status, responder: ocsp.comodoca.com, certificate: "/usr/local/nginx/conf/ssl/pijanitvor.com/ssl-unified.crt"
    


    After 1.5 hours everything was back to normal.
    nginx -t is OK.


    Code (Text):
    2017/04/04 04:12:07 [error] 1895#1895: *349821 access forbidden by rule, client: 31.217.50.89, server: pijanitvor.com, request: "GET /.well-known/dnt-policy.txt HTTP/2.0", host: "www.pijanitvor.com"
    2017/04/04 05:47:55 [error] 1894#1894: *351541 access forbidden by rule, client: 24.6.48.212, server: pijanitvor.com, request: "GET /.well-known/dnt-policy.txt HTTP/2.0", host: "www.pijanitvor.com"
    2017/04/04 06:01:59 [crit] 1895#1895: *351717 SSL_do_handshake() failed (SSL: error:060C1064:digital envelope routines:AEAD_CHACHA20_POLY1305_OPEN:bad decrypt error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking, client: 178.17.112.74, server: 0.0.0.0:443
    2017/04/04 06:08:02 [crit] 1895#1895: *351842 SSL_do_handshake() failed (SSL: error:060C1064:digital envelope routines:AEAD_CHACHA20_POLY1305_OPEN:bad decrypt error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking, client: 62.193.135.121, server: 0.0.0.0:443
    2017/04/04 06:12:52 [crit] 1895#1895: *352016 SSL_do_handshake() failed (SSL: error:060C1064:digital envelope routines:AEAD_CHACHA20_POLY1305_OPEN:bad decrypt error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking, client: 212.15.177.122, server: 0.0.0.0:443
    2017/04/04 06:19:50 [crit] 1894#1894: *352301 SSL_do_handshake() failed (SSL: error:060C1064:digital envelope routines:AEAD_CHACHA20_POLY1305_OPEN:bad decrypt error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking, client: 93.140.5.69, server: 0.0.0.0:443
    2017/04/04 06:22:24 [crit] 1895#1895: *352470 SSL_do_handshake() failed (SSL: error:060C1064:digital envelope routines:AEAD_CHACHA20_POLY1305_OPEN:bad decrypt error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking, client: 93.140.5.69, server: 0.0.0.0:443
    2017/04/04 06:25:52 [crit] 1894#1894: *352633 SSL_do_handshake() failed (SSL: error:060C1064:digital envelope routines:AEAD_CHACHA20_POLY1305_OPEN:bad decrypt error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking, client: 93.138.103.248, server: 0.0.0.0:443
    2017/04/04 06:27:06 [crit] 1894#1894: *352709 SSL_do_handshake() failed (SSL: error:060C1064:digital envelope routines:AEAD_CHACHA20_POLY1305_OPEN:bad decrypt error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking, client: 185.18.60.46, server: 0.0.0.0:443
    2017/04/04 06:32:15 [crit] 1895#1895: *352974 SSL_do_handshake() failed (SSL: error:060C1064:digital envelope routines:AEAD_CHACHA20_POLY1305_OPEN:bad decrypt error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking, client: 37.205.109.190, server: 0.0.0.0:443
    2017/04/04 06:34:22 [crit] 1894#1894: *353069 SSL_do_handshake() failed (SSL: error:060C1064:digital envelope routines:AEAD_CHACHA20_POLY1305_OPEN:bad decrypt error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking, client: 93.138.103.248, server: 0.0.0.0:443
    2017/04/04 06:35:05 [error] 1895#1895: *353101 open() "/home/nginx/domains/pijanitvor.com/public/images/smilies/aha.gif" failed (2: No such file or directory), client: 93.142.254.150, server: pijanitvor.com, request: "GET /images/smilies/aha.gif HTTP/1.1", host: "www.pijanitvor.com", referrer: "http://www.cvijet.info/forum/forum_posts.asp?TID=3388&PN=4"
    2017/04/04 06:35:23 [error] 1894#1894: *353108 open() "/home/nginx/domains/pijanitvor.com/public/images/smilies/aha.gif" failed (2: No such file or directory), client: 93.142.254.150, server: pijanitvor.com, request: "GET /images/smilies/aha.gif HTTP/1.1", host: "www.pijanitvor.com", referrer: "http://www.cvijet.info/forum/forum_posts.asp?TID=3388&PN=4"
    2017/04/04 06:37:16 [crit] 1895#1895: *353215 SSL_do_handshake() failed (SSL: error:060C1064:digital envelope routines:AEAD_CHACHA20_POLY1305_OPEN:bad decrypt error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking, client: 185.18.60.46, server: 0.0.0.0:443
    2017/04/04 06:38:32 [crit] 1894#1894: *353287 SSL_do_handshake() failed (SSL: error:060C1064:digital envelope routines:AEAD_CHACHA20_POLY1305_OPEN:bad decrypt error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking, client: 185.18.60.46, server: 0.0.0.0:443
    2017/04/04 06:39:01 [crit] 1894#1894: *353314 SSL_do_handshake() failed (SSL: error:060C1064:digital envelope routines:AEAD_CHACHA20_POLY1305_OPEN:bad decrypt error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking, client: 185.18.60.46, server: 0.0.0.0:443
    2017/04/04 06:50:46 [crit] 1894#1894: *354034 SSL_do_handshake() failed (SSL: error:060C1064:digital envelope routines:AEAD_CHACHA20_POLY1305_OPEN:bad decrypt error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking, client: 89.164.175.63, server: 0.0.0.0:443



    SSL Server Test: pijanitvor.com (Powered by Qualys SSL Labs)

    Here they are:

    Code (Text):
    [root@upcloud ~]# OPENSSLBIN=/opt/libressl/bin/openssl
    [root@upcloud ~]# DOMAIN=pijanitvor.com
    [root@upcloud ~]# echo "" | $OPENSSLBIN s_client -connect ${DOMAIN}:443 | sed '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/d' | sed '/Session-ID: /,/Verify return code/d'
    depth=0 C = US, ST = California, L = Los Angeles, O = upcloud.pijanitvor.com, OU = IT, CN = upcloud.pijanitvor.com
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 C = US, ST = California, L = Los Angeles, O = upcloud.pijanitvor.com, OU = IT, CN = upcloud.pijanitvor.com
    verify return:1
    DONE
    CONNECTED(00000003)
    ---
    Certificate chain
     0 s:/C=US/ST=California/L=Los Angeles/O=upcloud.pijanitvor.com/OU=IT/CN=upcloud.pijanitvor.com
       i:/C=US/ST=California/L=Los Angeles/O=upcloud.pijanitvor.com/OU=IT/CN=upcloud.pijanitvor.com
    ---
    Server certificate
    subject=/C=US/ST=California/L=Los Angeles/O=upcloud.pijanitvor.com/OU=IT/CN=upcloud.pijanitvor.com
    issuer=/C=US/ST=California/L=Los Angeles/O=upcloud.pijanitvor.com/OU=IT/CN=upcloud.pijanitvor.com
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 1584 bytes and written 452 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    ---
    

    Code (Text):
    [root@upcloud ~]# OPENSSLBIN=/opt/libressl/bin/openssl
    [root@upcloud ~]# DOMAIN=pijanitvor.com
    [root@upcloud ~]# echo "" | $OPENSSLBIN s_client -connect ${DOMAIN}:443 -ssl3 -cipher RC4-SHA | sed '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/d' | sed '/Session-ID: /,/Verify return code/d'
    unknown option -ssl3
    usage: s_client args
    
     -4            - Force IPv4
     -6            - Force IPv6
     -host host     - use -connect instead
     -port port     - use -connect instead
     -connect host:port - who to connect to (default is localhost:4433)
     -proxy host:port - connect to http proxy
     -verify arg   - turn on peer certificate verification
     -cert arg     - certificate file to use, PEM format assumed
     -certform arg - certificate format (PEM or DER) PEM default
     -key arg      - Private key file to use, in cert file if
                     not specified but cert file is.
     -keyform arg  - key format (PEM or DER) PEM default
     -pass arg     - private key file pass phrase source
     -CApath arg   - PEM format directory of CA's
     -CAfile arg   - PEM format file of CA's
     -reconnect    - Drop and re-make the connection with the same Session-ID
     -pause        - sleep(1) after each read(2) and write(2) system call
     -showcerts    - show all certificates in the chain
     -debug        - extra output
     -msg          - Show protocol messages
     -nbio_test    - more ssl protocol testing
     -state        - print the 'ssl' states
     -nbio         - Run with non-blocking IO
     -crlf         - convert LF from terminal into CRLF
     -quiet        - no s_client output
     -ign_eof      - ignore input eof (default when -quiet)
     -no_ign_eof   - don't ignore input eof
     -tls1_2       - just use TLSv1.2
     -tls1_1       - just use TLSv1.1
     -tls1         - just use TLSv1
     -dtls1        - just use DTLSv1
     -mtu          - set the link layer MTU
     -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol
     -bugs         - Switch on all SSL implementation bug workarounds
     -cipher       - preferred cipher to use, use the 'openssl ciphers'
                     command to see what is available
     -starttls prot - use the STARTTLS command before starting TLS
                     for those protocols that support it, where
                     'prot' defines which one to assume.  Currently,
                     only "smtp", "lmtp", "pop3", "imap", "ftp" and "xmpp"
                     are supported.
     -xmpphost host - connect to this virtual host on the xmpp server
     -sess_out arg - file to write SSL session to
     -sess_in arg  - file to read SSL session from
     -servername host  - Set TLS extension servername in ClientHello
     -tlsextdebug      - hex dump of all TLS extensions received
     -status           - request certificate status from server
     -no_ticket        - disable use of RFC4507bis session tickets
     -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)
     -alpn arg         - enable ALPN extension, considering named protocols supported (comma-separated list)
     -use_srtp profiles - Offer SRTP key management with a colon-separated profile list
     -keymatexport label   - Export keying material using label
     -keymatexportlen len  - Export len bytes of keying material (default 20)



    Code (Text):
    [root@upcloud ~]# OPENSSLBIN=/opt/libressl/bin/openssl
    [root@upcloud ~]# DOMAIN=pijanitvor.com
    [root@upcloud ~]# echo "" | $OPENSSLBIN s_client -connect ${DOMAIN}:443 -cipher ECDHE-RSA-AES256-SHA384 | sed '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/d' | sed '/Session-ID: /,/Verify return code/d'
    depth=0 C = US, ST = California, L = Los Angeles, O = upcloud.pijanitvor.com, OU = IT, CN = upcloud.pijanitvor.com
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 C = US, ST = California, L = Los Angeles, O = upcloud.pijanitvor.com, OU = IT, CN = upcloud.pijanitvor.com
    verify return:1
    DONE
    CONNECTED(00000003)
    ---
    Certificate chain
     0 s:/C=US/ST=California/L=Los Angeles/O=upcloud.pijanitvor.com/OU=IT/CN=upcloud.pijanitvor.com
       i:/C=US/ST=California/L=Los Angeles/O=upcloud.pijanitvor.com/OU=IT/CN=upcloud.pijanitvor.com
    ---
    Server certificate
    subject=/C=US/ST=California/L=Los Angeles/O=upcloud.pijanitvor.com/OU=IT/CN=upcloud.pijanitvor.com
    issuer=/C=US/ST=California/L=Los Angeles/O=upcloud.pijanitvor.com/OU=IT/CN=upcloud.pijanitvor.com
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 1640 bytes and written 352 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES256-SHA384
    ---
    


    Code (Text):
    [root@upcloud ~]# OPENSSLBIN=/opt/libressl/bin/openssl
    [root@upcloud ~]# DOMAIN=pijanitvor.com
    [root@upcloud ~]# echo "" | $OPENSSLBIN s_client -connect ${DOMAIN}:443 -cipher ECDHE-RSA-CHACHA20-POLY1305 | sed '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/d' | sed '/Session-ID: /,/Verify return code/d'
    140579481880256:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:441:
    CONNECTED(00000003)
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 7 bytes and written 170 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    ---
    


    Code (Text):
    [root@upcloud ~]# OPENSSLBIN=/opt/libressl/bin/openssl
    [root@upcloud ~]# DOMAIN=pijanitvor.com
    [root@upcloud ~]# echo "" | $OPENSSLBIN s_client -connect ${DOMAIN}:443 -cipher ECDHE-RSA-CHACHA20-POLY1305-OLD | sed '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/d' | sed '/Session-ID: /,/Verify return code/d'
    140258721363648:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:441:
    CONNECTED(00000003)
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 7 bytes and written 170 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    ---
    


    Not using Cloudflare.
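    Added example (not from this thread or from Centmin Mod): a small Python triage script for error-log lines of the shape quoted above. Two different problems are mixed in that excerpt. The "could not be resolved ... while requesting certificate status" line is nginx's ssl_stapling fetch failing to look up the OCSP responder (an outbound DNS problem), while the [crit] SSL_do_handshake() lines are client handshakes failing at the record layer. The script parses the nginx error-log prefix, classifies each line, pulls the OpenSSL error reasons out of handshake failures, and counts failures per client so a burst from one source stands out. SAMPLE_LOG is constructed from a subset of the lines quoted in this post.

```python
"""Triage nginx error-log lines for TLS problems (added example, not Centmin Mod code)."""
import re
from collections import Counter

# nginx error-log prefix: "YYYY/MM/DD HH:MM:SS [level] pid#tid: [*connid] message"
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) '
    r'\[(?P<level>\w+)\] (?P<pid>\d+)#\d+: (?:\*\d+ )?(?P<msg>.*)$'
)
CLIENT_RE = re.compile(r'client: (?P<ip>[0-9A-Fa-f.:]+)')
# OpenSSL error fragments look like error:<code>:<library>:<function>:<reason>
OSSL_ERR_RE = re.compile(r'error:([0-9A-Fa-f]+):([^:]+):([^:]+):(.+?)(?= error:|\)|$)')

# Constructed sample: a subset of the lines quoted in the post above.
SAMPLE_LOG = """\
2017/04/04 04:55:38 [error] 1895#1895: ocsp.comodoca.com could not be resolved (110: Operation timed out) while requesting certificate status, responder: ocsp.comodoca.com, certificate: "/usr/local/nginx/conf/ssl/pijanitvor.com/ssl-unified.crt"
2017/04/04 04:12:07 [error] 1895#1895: *349821 access forbidden by rule, client: 31.217.50.89, server: pijanitvor.com, request: "GET /.well-known/dnt-policy.txt HTTP/2.0", host: "www.pijanitvor.com"
2017/04/04 05:47:55 [error] 1894#1894: *351541 access forbidden by rule, client: 24.6.48.212, server: pijanitvor.com, request: "GET /.well-known/dnt-policy.txt HTTP/2.0", host: "www.pijanitvor.com"
2017/04/04 06:01:59 [crit] 1895#1895: *351717 SSL_do_handshake() failed (SSL: error:060C1064:digital envelope routines:AEAD_CHACHA20_POLY1305_OPEN:bad decrypt error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking, client: 178.17.112.74, server: 0.0.0.0:443
2017/04/04 06:35:05 [error] 1895#1895: *353101 open() "/home/nginx/domains/pijanitvor.com/public/images/smilies/aha.gif" failed (2: No such file or directory), client: 93.142.254.150, server: pijanitvor.com, request: "GET /images/smilies/aha.gif HTTP/1.1", host: "www.pijanitvor.com", referrer: "http://www.cvijet.info/forum/forum_posts.asp?TID=3388&PN=4"
2017/04/04 06:37:16 [crit] 1895#1895: *353215 SSL_do_handshake() failed (SSL: error:060C1064:digital envelope routines:AEAD_CHACHA20_POLY1305_OPEN:bad decrypt error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking, client: 185.18.60.46, server: 0.0.0.0:443
2017/04/04 06:38:32 [crit] 1894#1894: *353287 SSL_do_handshake() failed (SSL: error:060C1064:digital envelope routines:AEAD_CHACHA20_POLY1305_OPEN:bad decrypt error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking, client: 185.18.60.46, server: 0.0.0.0:443
2017/04/04 06:50:46 [crit] 1894#1894: *354034 SSL_do_handshake() failed (SSL: error:060C1064:digital envelope routines:AEAD_CHACHA20_POLY1305_OPEN:bad decrypt error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking, client: 89.164.175.63, server: 0.0.0.0:443
"""


def parse_line(line):
    """Return a dict describing one error-log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    msg = rec['msg']
    c = CLIENT_RE.search(msg)
    rec['client'] = c.group('ip') if c else None
    rec['reasons'] = []
    if 'could not be resolved' in msg and 'certificate status' in msg:
        # ssl_stapling could not look up the OCSP responder: a resolver problem, not a client one
        rec['kind'] = 'ocsp_resolve_timeout'
    elif 'SSL_do_handshake() failed' in msg:
        rec['kind'] = 'tls_handshake_failure'
        # keep only the human-readable reason of each OpenSSL error fragment
        rec['reasons'] = [reason for (_, _, _, reason) in OSSL_ERR_RE.findall(msg)]
    elif 'access forbidden by rule' in msg:
        rec['kind'] = 'forbidden_by_rule'
    else:
        rec['kind'] = 'other'
    return rec


def summarize(log_text):
    """Count entries by kind, handshake failures by client, and OpenSSL reasons."""
    kinds, per_client, reasons = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kinds[rec['kind']] += 1
        if rec['kind'] == 'tls_handshake_failure':
            per_client[rec['client']] += 1
            reasons.update(rec['reasons'])
    return {
        'kinds': dict(kinds),
        'handshake_by_client': dict(per_client),
        'reasons': dict(reasons),
    }


if __name__ == '__main__':
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```

    Feed it the real file with `summarize(open('/usr/local/nginx/logs/error.log').read())`; a single OCSP resolver entry coinciding with the outage window, next to handshake failures spread across many unrelated clients, is the pattern the rest of this thread works from.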
     
  2. eva2000

    eva2000 Administrator Staff Member

    54,575
    12,224
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,793
    Local Time:
    10:10 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    @Sunka

    From the output at
    Code (Text):
    /usr/local/nginx/conf/conf.d/phpmyadmin_ssl.conf:27: ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256
    

    what happens if, on line 27 of /usr/local/nginx/conf/conf.d/phpmyadmin_ssl.conf, you change your ssl_ciphers from
    Code (Text):
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256
    

    by adding EECDH+CHACHA20-draft:EECDH+CHACHA20: to the beginning of the existing ssl_ciphers
    Code (Text):
    ssl_ciphers EECDH+CHACHA20-draft:EECDH+CHACHA20:ECDHE-RSA-AES128-GCM-SHA256
    

    then restart nginx and php-fpm
    Code (Text):
    nprestart
    
     
  3. Sunka

    The complete line 27 is:
    Code:
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
    And in quote tags:

    So just add this EECDH+CHACHA20-draft:EECDH+CHACHA20: at the beginning
     
  4. Sunka

    to be like this:
    Code:
    ssl_ciphers EECDH+CHACHA20-draft:EECDH+CHACHA20:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
    
     
  5. eva2000

    Yeah, or replace the entire ssl_ciphers line with the 123.09beta01 default nginx vhost ciphers:
    Code (Text):
    ssl_ciphers EECDH+CHACHA20-draft:EECDH+CHACHA20:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+ECDSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+SHA384:EECDH+AES128:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
    

    Replace all nginx vhosts' ssl_ciphers lines with the same and restart nginx.
     
  6. Sunka

    And all of them would be in which files exactly?
     
  7. Sunka

    OK, I made the change in phpmyadmin_ssl.conf and restarted nginx and php.
     
  8. eva2000

    The nginx vhosts you saw when you typed the command to grep recursively (-r) and print line numbers (-n) for the word 'ssl_ciphers ' in /usr/local/nginx/conf/conf.d/:
    Code (Text):
    grep -rn 'ssl_ciphers ' /usr/local/nginx/conf/conf.d/
    
     
  9. Sunka

    Code (Text):
    [root@upcloud ~]# grep -rn 'ssl_ciphers ' /usr/local/nginx/conf/conf.d/
    /usr/local/nginx/conf/conf.d/ssl.conf:22:#    ssl_ciphers  RC4:HIGH:!aNULL:!MD5:!kEDH;
    /usr/local/nginx/conf/conf.d/phpmyadmin_ssl.conf:27:        ssl_ciphers EECDH+CHACHA20-draft:EECDH+CHACHA20:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
    /usr/local/nginx/conf/conf.d/pijanitvor.com.ssl.conf:29:  ssl_ciphers EECDH+CHACHA20-draft:EECDH+CHACHA20:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA:!DES-CBC3-SHA;


    OK, so I should change those 3 lines in those 3 files to the nginx default:
    Code (Text):
    ssl_ciphers EECDH+CHACHA20-draft:EECDH+CHACHA20:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+ECDSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+SHA384:EECDH+AES128:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
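    Added example (not from this thread or from Centmin Mod): a Python audit of ssl_ciphers directives that does in code what the grep -rn pass above does by hand, and then judges each cipher string. It finds every ssl_ciphers directive in nginx configuration text (commented-out ones included, flagged as such), splits the OpenSSL cipher string into offered tokens and "!" exclusions, and reports what a reviewer would look for: whether ChaCha20 suites are offered and placed ahead of AES, whether the usual weak families are excluded, and whether 3DES (DES-CBC3-SHA) is still on offer, which the "!DES" in the old list does not remove. prepend_chacha() applies the fix from post #2. OLD_LIST is a constructed, abridged stand-in for the pre-change phpmyadmin_ssl.conf list; DEFAULT_LIST is the 123.09beta01 default quoted in post #5; SAMPLE_CONF is constructed.

```python
"""Audit ssl_ciphers directives in nginx configuration text (added example, not Centmin Mod code)."""
import re

# one directive per match; an optional leading "#" marks a commented-out directive
DIRECTIVE_RE = re.compile(
    r'^(?P<indent>[ \t]*)(?P<comment>#[ \t]*)?ssl_ciphers[ \t]+(?P<value>[^;]+);', re.M)

# the prefix suggested in post #2
CHACHA_PREFIX = 'EECDH+CHACHA20-draft:EECDH+CHACHA20:'

# constructed, abridged stand-in for the pre-change phpmyadmin_ssl.conf list
OLD_LIST = ("ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:AES128-SHA:"
            "DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!CAMELLIA")
# the 123.09beta01 default quoted in post #5
DEFAULT_LIST = ("EECDH+CHACHA20-draft:EECDH+CHACHA20:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:"
                "EECDH+ECDSA+SHA256:EECDH+ECDSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+SHA384:"
                "EECDH+AES128:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:"
                "!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA")

# constructed configuration text mirroring the three grep hits above
SAMPLE_CONF = f"""\
# ssl.conf: an old, commented-out directive
#    ssl_ciphers  RC4:HIGH:!aNULL:!MD5:!kEDH;

server {{
    listen 443 ssl;
    ssl_ciphers {OLD_LIST};
    ssl_prefer_server_ciphers on;
}}

server {{
    listen 443 ssl;
    ssl_ciphers {DEFAULT_LIST};
}}
"""


def parse_cipher_list(value):
    """Split an OpenSSL cipher string into offered tokens and the set of '!' exclusions."""
    tokens = [t.strip() for t in value.split(':') if t.strip()]
    offered = [t for t in tokens if not t.startswith('!')]
    excluded = {t[1:] for t in tokens if t.startswith('!')}
    return offered, excluded


def first_index(offered, needle):
    """Position of the first offered token mentioning needle, or None."""
    for i, tok in enumerate(offered):
        if needle in tok.upper():
            return i
    return None


def judge(value):
    """Return a list of findings for one cipher string; empty means nothing to flag."""
    offered, excluded = parse_cipher_list(value)
    findings = []
    chacha, aes = first_index(offered, 'CHACHA20'), first_index(offered, 'AES')
    if chacha is None:
        findings.append('no CHACHA20 suites offered')
    elif aes is not None and chacha > aes:
        findings.append('CHACHA20 suites listed after AES suites')
    for fam in ('aNULL', 'eNULL', 'RC4', 'MD5'):
        if fam not in excluded:
            findings.append(f'!{fam} missing')
    # "!DES" removes single-DES suites only; triple DES needs "!3DES"
    if any('DES-CBC3' in t.upper() for t in offered) and '3DES' not in excluded:
        findings.append('3DES (DES-CBC3-SHA) offered and !3DES missing')
    if any(t.upper().startswith('RC4') for t in offered) and 'RC4' not in excluded:
        findings.append('RC4 explicitly offered')
    return findings


def prepend_chacha(value):
    """Apply the post #2 change: put the ChaCha20 suites first unless already offered."""
    if first_index(parse_cipher_list(value)[0], 'CHACHA20') is not None:
        return value
    return CHACHA_PREFIX + value.strip()


def audit_config(text):
    """Locate every ssl_ciphers directive and judge it, keeping its line number."""
    results = []
    for m in DIRECTIVE_RE.finditer(text):
        results.append({
            'line': text.count('\n', 0, m.start()) + 1,
            'commented': m.group('comment') is not None,
            'findings': judge(m.group('value')),
        })
    return results


if __name__ == '__main__':
    for r in audit_config(SAMPLE_CONF):
        flag = ' (commented out)' if r['commented'] else ''
        print(f"line {r['line']}{flag}: {r['findings'] or 'ok'}")
```

    Point audit_config() at each file under /usr/local/nginx/conf/conf.d/ to get the same list the grep produced, with a verdict per line; the commented-out RC4 line in ssl.conf is reported so you can see it is inert, and the 123.09beta01 default comes back clean.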
     
  10. Sunka

    Done
     
  11. Sunka

    The forum is working.
    I cannot see errors in the logs, but I get this from the port monitor webpage:

    Received fatal alert: handshake_failure


    Regarding that, only this line is in the error log:
    Code:
    37.187.141.25 - - [04/Apr/2017:15:25:15 +0200] "HEAD / HTTP/1.1" 200 0 "https://www.port-monitor.com" "Port Monitor check service 1.0 | http://www.port-monitor.com"
     
  12. eva2000

    Is that the whole line? Or is there a user agent for that entry? Could be the monitor is using an old client that doesn't support the modern SSL cipher preferences your server has now set.
     
  13. Sunka

    Yep, that is the whole line.
    Other monitor sites report status OK.
     
  14. eva2000

    Might want to ask the port-monitor folks then.
     
  15. Sunka

    [attached screenshot: 16-08-11.png]
     
  16. eva2000

    Contact port-monitor.com tech support and ask what client they use to connect to your server and whether it supports modern SSL ciphers.