# nginx -V
nginx version: nginx/1.21.4
built with OpenSSL 1.1.1f  31 Mar 2020

I've configured nginx to support TLSv1.3.

ssl_protocols  TLSv1.2 TLSv1.3;

but I can't reach my host using TLSv1.3:

# openssl s_client -connect hostname.com:443 -tls1_3
CONNECTED(00000003)
140544753464640:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:../ssl/record/rec_layer_s3.c:1543:SSL alert number 70
---
no peer certificate available
...

only TLSv1.2 works:

# openssl s_client -connect hostname.com:443 -tls1_2
CONNECTED(00000003)
...

Any host, like google.com or cloudflare.com connects fine using the same openssl command.

Of course, the SSL Labs test also confirms that TLSv1.3 support is not enabled.


I've also read this thread and double-checked that I have one and only one ssl_protocols line, with cd /etc/nginx; grep -rl "ssl_protocols", which outputs only one file.

  • Could you provide the ssl ciphers you use? I use `ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";` and have no problem at all – nothinux Feb 08 '22 at 01:16
  • `ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305";`. I've tried yours, same result. – CrazyRabbit Feb 08 '22 at 07:53

1 Answer

I've found my issue: I had configured a default "catch-all" server like this:

server {
    listen 443 ssl default_server;
    ssl_reject_handshake on;
}

As specified in the docs here: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_reject_handshake

The problem is fixed by removing ssl_reject_handshake on; and instead returning 444 on that server, like:

server {
    listen 443 ssl default_server;
    ssl_certificate ssl/cert.pem;
    ssl_certificate_key ssl/key.pem;   # nginx needs the key alongside the certificate for an ssl listener
    return 444;
}

This is a known bug and should be fixed with OpenSSL 1.1.1h.

  • I had the exact same error, but in my case it was the certificate that was set to only use TLS 1.3. We generated a new cert where only TLS 1.2 was set, and since then it's been working perfectly. – justdoingmyjob May 08 '23 at 13:46
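The probing step the question performs, written out as an added example that is not part of the original question or answer: it repeats the openssl s_client test with an explicit -servername and classifies the result, so the "alert protocol version" failure the question saw (alert 70) is told apart from a server name the default_server refuses (alert 112) and from a successful TLSv1.3 handshake. The host names on the command line and the embedded sample outputs are constructed placeholders; only the alert-70 line is taken from the question. It assumes OpenSSL 1.1.1 or newer is on PATH.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# Probe a TLS endpoint with a TLSv1.3-only ClientHello carrying an explicit SNI,
# then classify the `openssl s_client` output. Assumes OpenSSL 1.1.1+ on PATH.

# Run one TLSv1.3-only handshake against host:port, sending the given SNI.
# stdin is closed so s_client exits as soon as the handshake is over.
probe_tls13() {
    connect="$1"
    sni="$2"
    openssl s_client -connect "$connect" -servername "$sni" -tls1_3 </dev/null 2>&1
}

# Classify s_client output read from stdin and print one token:
#   TLS13_OK          - "New, TLSv1.3, Cipher is ..." was printed: TLSv1.3 negotiated
#   PROTOCOL_VERSION  - the server sent alert 70, the failure shown in the question
#   UNRECOGNIZED_NAME - the server sent alert 112: it refused the SNI at the TLS layer
#   OTHER             - anything else (connection refused, certificate errors, ...)
classify_handshake() {
    out=$(cat)
    case "$out" in
        *"New, TLSv1.3, Cipher is"*) echo TLS13_OK ;;
        *"alert protocol version"*)  echo PROTOCOL_VERSION ;;
        *"unrecognized name"*)       echo UNRECOGNIZED_NAME ;;
        *)                           echo OTHER ;;
    esac
}

# Constructed sample outputs (trimmed) so the classifier can be exercised offline.
# The alert-70 line is the one from the question; the other two are constructed.
SAMPLE_ALERT70='CONNECTED(00000003)
140544753464640:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:../ssl/record/rec_layer_s3.c:1543:SSL alert number 70
---
no peer certificate available
New, (NONE), Cipher is (NONE)'

SAMPLE_OK='CONNECTED(00000003)
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
    Protocol  : TLSv1.3'

SAMPLE_SNI_REFUSED='CONNECTED(00000003)
140544753464640:error:...:SSL routines:ssl3_read_bytes:tlsv1 unrecognized name:../ssl/record/rec_layer_s3.c:1543:SSL alert number 112
---
no peer certificate available
New, (NONE), Cipher is (NONE)'

# Usage: sh probe.sh host:443 real.example.com bogus.example.com
# (placeholder names). Each SNI is probed and its classification printed.
if [ "$#" -ge 2 ]; then
    connect="$1"
    shift
    for name in "$@"; do
        printf '%s -> %s\n' "$name" "$(probe_tls13 "$connect" "$name" | classify_handshake)"
    done
fi
```

Reading the results against the two configurations on this page: the real vhost name should give TLS13_OK once the fix is applied. A name no server block serves is, with ssl_reject_handshake on, expected to be refused at the TLS layer (UNRECOGNIZED_NAME); with the answer's return 444 variant the handshake completes against the default certificate instead, and nginx drops the connection afterwards, so that name also reports TLS13_OK. PROTOCOL_VERSION on the real name is the symptom from the question and means the server never offered TLSv1.3 to that ClientHello at all.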