TLS handshake error #13

Open
plaffitt opened this issue Sep 7, 2022 · 3 comments
Comments

@plaffitt

plaffitt commented Sep 7, 2022

Hello,

I'm getting TLS errors when using this plugin (I stripped IP addresses for privacy concerns):

$ curl -v https://xxx.yyy/
*   Trying xxx.xxx.xxx.x:443...
* TCP_NODELAY set
* Connected to xxx.yyy (xxx.xxx.xxx.x) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to xxx.yyy:443 
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to xxx.yyy:443 
{"level":"debug","ts":1662558661.0007904,"logger":"http.stdlib","msg":"http: TLS handshake error from xx.xxx.xxx.xxx:3803: invalid signature"}

Here is my caddyfile:

{
	debug
	servers {
		listener_wrappers {
			proxy_protocol {
				timeout 5s
				allow 0.0.0.0/0
			}
			tls
		}
	}
}

xxx.yyy {
	reverse_proxy sftpgo:8080 # I run this in docker-compose, so sftpgo is a docker container
}

I don't understand what I'm doing wrong.

@Anduin2017

Anduin2017 commented Oct 7, 2022

Same here.

$ curl -v https://books.aiursoft.cn
*   Trying 192.168.50.80:443...
* Connected to books.aiursoft.cn (192.168.50.80) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
*  CAfile: C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to books.aiursoft.cn:443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to books.aiursoft.cn:443

@Anduin2017

Anduin2017 commented Oct 7, 2022

Hi, @paullaffitte I finally solved this!

The solution is: Set the allow attribute to use this plugin only when the request is coming from the trusted reverse proxy server IP.

For example, I'm using frp as a reverse proxy. And it works at 127.0.0.1. So I set it as:

{
	servers :443 {
		listener_wrappers {
			proxy_protocol {
				timeout 2s
				allow 127.0.0.1/32
			}
			http_redirect
			tls
		}
	}
}

After that, my direct HTTP request won't hit this plugin and doesn't have this issue.
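The behaviour both comments above run into can be made concrete with a small model of an allow-list-gated PROXY protocol listener wrapper. This is an added example, not the plugin's or Caddy's own code: `inspectPrelude`, `inspectBytes` and `mustCIDRs` are hypothetical names, the v1 header parsing is simplified, and the v2 binary header is only recognised, not decoded. It shows why `allow 0.0.0.0/0` makes a direct TLS connection fail with "invalid signature" (the wrapper tries to read a PROXY header and instead sees the first bytes of a TLS ClientHello record), and why restricting `allow` to the trusted proxy's address lets direct connections pass through untouched.

```go
package main

import (
	"bufio"
	"bytes"
	"errors"
	"fmt"
	"net"
	"strings"
)

// Signatures from the HAProxy PROXY protocol specification.
var (
	v1Sig = []byte("PROXY ")
	v2Sig = []byte("\r\n\r\n\x00\r\nQUIT\n")
)

// ErrInvalidSignature is returned when an allowed peer sends bytes that are
// not a PROXY header; a raw TLS ClientHello record (0x16 0x03 ...) lands here.
var ErrInvalidSignature = errors.New("proxy protocol: invalid signature")

// Prelude is the wrapper's decision about the first bytes of a connection.
type Prelude struct {
	Mode   string // "proxy-v1", "proxy-v2" or "passthrough"
	Source string // original client host:port from a v1 header, if present
}

// mustCIDRs parses allow-list entries such as "127.0.0.1/32" (hypothetical helper).
func mustCIDRs(cidrs ...string) []*net.IPNet {
	var nets []*net.IPNet
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

func ipAllowed(ip net.IP, allow []*net.IPNet) bool {
	for _, n := range allow {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// inspectPrelude models an allow-list-gated wrapper: peers outside the allow
// list are passed through untouched; peers inside it must start with a PROXY
// v1 or v2 signature, otherwise the connection is rejected.
func inspectPrelude(r *bufio.Reader, peer net.IP, allow []*net.IPNet) (Prelude, error) {
	if !ipAllowed(peer, allow) {
		return Prelude{Mode: "passthrough"}, nil
	}
	// Peek does not consume; a short connection simply yields fewer bytes.
	head, _ := r.Peek(len(v2Sig))
	switch {
	case bytes.HasPrefix(head, v2Sig):
		return Prelude{Mode: "proxy-v2"}, nil // binary v2 header decoding omitted here
	case bytes.HasPrefix(head, v1Sig):
		line, err := r.ReadString('\n')
		if err != nil {
			return Prelude{}, fmt.Errorf("proxy protocol: truncated v1 header: %w", err)
		}
		// "PROXY TCP4 <src> <dst> <srcport> <dstport>\r\n" or "PROXY UNKNOWN\r\n"
		f := strings.Fields(line)
		if len(f) == 2 && f[1] == "UNKNOWN" {
			return Prelude{Mode: "proxy-v1"}, nil
		}
		if len(f) != 6 || (f[1] != "TCP4" && f[1] != "TCP6") {
			return Prelude{}, fmt.Errorf("proxy protocol: malformed v1 header %q", line)
		}
		return Prelude{Mode: "proxy-v1", Source: net.JoinHostPort(f[2], f[4])}, nil
	default:
		return Prelude{}, ErrInvalidSignature
	}
}

// inspectBytes is a convenience wrapper over an in-memory connection prefix.
func inspectBytes(data []byte, peer string, allow ...string) (Prelude, error) {
	return inspectPrelude(bufio.NewReader(bytes.NewReader(data)), net.ParseIP(peer), mustCIDRs(allow...))
}

func main() {
	// Constructed samples: a v1 header followed by TLS bytes, and the first
	// bytes of a bare TLS ClientHello record as a direct client would send.
	v1 := []byte("PROXY TCP4 203.0.113.7 10.0.0.2 51234 443\r\n\x16\x03\x01")
	hello := []byte("\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03")

	cases := []struct {
		name        string
		data        []byte
		peer, allow string
	}{
		{"header from trusted proxy", v1, "127.0.0.1", "127.0.0.1/32"},
		{"direct TLS, allow 0.0.0.0/0 (reporter's config)", hello, "198.51.100.9", "0.0.0.0/0"},
		{"direct TLS, allow 127.0.0.1/32 (fix)", hello, "198.51.100.9", "127.0.0.1/32"},
	}
	for _, c := range cases {
		p, err := inspectBytes(c.data, c.peer, c.allow)
		fmt.Printf("%-48s -> %+v err=%v\n", c.name, p, err)
	}
}
```

The second case reproduces the reporter's setup: with the whole internet allowed, every direct connection is expected to carry a PROXY header, and a plain TLS client is rejected. The third case is the fix from this comment: the same bytes from a non-allowed peer are handed to the TLS listener unchanged. For a setup where Caddy itself is the only reverse proxy and nothing in front of it speaks PROXY protocol, the same model says the wrapper has no trusted sender to allow at all.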

@plaffitt (Author)

In my case, caddy is my reverse proxy server, so it doesn't work for me.
