32

I got this error in nginx error log:

SSL_do_handshake() failed (SSL: error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share) while SSL handshaking

I use Let's Encrypt currently. Any ideas to solve this problem? Thank you, guys.

Justin
  • This is a bug in the client's TLS implementation -- either it sent key_share containing a group it doesn't support, or it responded to HelloRetryRequest with key_share other than the (single) requested group (which necessarily was already offered). This _probably_ doesn't have anything to do with your certificate from LE, but with bugs you never know. Identify the client and complain to its maintainer(s); if it's open source (like the OpenSSL used in nginx) you could become a maintainer and complain to yourself :-) – dave_thompson_085 Jan 23 '21 at 05:00
  • 2
    Did you find a solution? I'm running into the same problem after a Rails update to 6 on hatchbox. – morgler May 06 '21 at 14:05

4 Answers

42

This isn't your problem.

The best thing you can do in this situation is just to keep your server reasonably updated and secured.

At best for you, the client side of a request was running seriously outdated software, and at worst your server is simply being scanned for vulnerabilities by compromised devices connected to the internet.

Personally I lean in the direction of this being scanning, as I myself see these errors on a private development server, to which only I should ever have a legitimate reason to connect, yet I see a ton of IP addresses mentioned by the error from around the world.

A similar question and answer have already been provided here: https://serverfault.com/questions/905011/nginx-ssl-do-handshake-failed-ssl-error1417d18cssl/905019

Stay safe.

stack3r
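
To tell the two cases in this answer apart (one outdated client versus scan noise from many addresses), the handshake failures in the nginx error log can be grouped by reason and client. This is an added example, not part of the original answer; the function name `triage`, the `repeat_threshold` cut-off and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Matches nginx error_log entries for failed TLS handshakes and captures the
# OpenSSL reason string plus the client address nginx appends to the entry.
LINE_RE = re.compile(
    r"SSL_do_handshake\(\) failed \(SSL: error:[0-9A-Fa-f]+:"
    r"[^:]*:[^:]*:(?P<reason>[^)]*)\)"
    r".*?client: (?P<client>[0-9A-Fa-f:.]+)"
)

def triage(lines, repeat_threshold=3):
    """Per failure reason: total count, distinct clients, repeat offenders.

    repeat_threshold is an assumed cut-off, not an nginx or OpenSSL setting.
    """
    by_reason = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.search(line)
        if m:  # lines that are not handshake failures are ignored
            by_reason[m["reason"].strip()][m["client"]] += 1
    return {
        reason: {
            "total": sum(clients.values()),
            "distinct_clients": len(clients),
            "repeaters": sorted(c for c, n in clients.items()
                                if n >= repeat_threshold),
        }
        for reason, clients in by_reason.items()
    }

# Constructed sample log (documentation-range addresses, made-up timestamps).
ERR = ("SSL_do_handshake() failed (SSL: error:141CF06C:SSL routines:"
       "tls_parse_ctos_key_share:bad key share) while SSL handshaking")
SAMPLE_LOG = [
    f"2021/01/23 04:12:0{i} [crit] 1234#1234: *{100 + i} {ERR}, "
    f"client: {ip}, server: 0.0.0.0:443"
    for i, ip in enumerate(["203.0.113.7", "198.51.100.20", "198.51.100.20",
                            "192.0.2.55", "198.51.100.20"])
] + ['2021/01/23 04:13:00 [error] 1234#1234: *200 open() "/var/www/favicon.ico" '
     "failed (2: No such file or directory), client: 192.0.2.9, "
     "server: example.com"]

if __name__ == "__main__":
    for reason, stats in triage(SAMPLE_LOG).items():
        print(reason, stats)
```

Many distinct clients with one failure each fits the scanning explanation; an address listed under `repeaters` is a client worth identifying, as the comment on the question suggests.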
5

I was getting a similar error when I sent an HTTPS request from my computer in Iran to my server outside of Iran. Eventually I came to the conclusion that the problem is with our internet network (maybe government filtering), and using a VPN solved the problem.

Therefore, I recommend testing with a VPN.

0

This may sound simple, but I was struggling with this issue because I was attempting to access http://example.com instead of https://example.com. It probably isn't your issue - but it worked for me.

Ethan Hill
-1

Check your secret key decoupling with other settings.ini file; your app secret is not linking with the variable you set.

sajid
  • As it’s currently written, your answer is unclear. Please [edit] to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Jan 28 '22 at 20:48
  • I have no idea what you are trying to say – user938883 Oct 03 '22 at 19:02