Server is responding OpenSSL: : SSL: : SSLError: Receivedfatalalert: handshake_failure

Server is responding OpenSSL: : SSL: : SSLError: Receivedfatalalert: handshake_failure

我参加了一个使用 Laravel 4.2 和 PHP 5.6 构建的项目。

并且已经用 Docker 安装了服务器。

服务器使用 Nginx,证书来自 Let's Encrypt with Certbot。 这些是 Nginx 的配置文件:

nginx.conf

server {

index index.php index.html;
error_log  /var/log/nginx/error.log;
access_log /var/log/nginx/access.log;
root /var/www/public;

    server_name example.com.py www.example.com.py;

    location ~ \.php$ {
    try_files $uri =404;
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass app:9000;
    fastcgi_index index.php;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $fastcgi_path_info;
}
location / {
    try_files $uri $uri/ /index.php?$query_string;
    gzip_static on;
}

listen [::]:443 ssl http2 ipv6only=on; # managed by Cetbot
listen 443 ssl http2; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/example.com.py/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/example.com.py/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

options-ssl-nginx.conf

# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.

ssl_session_cache shared:le_nginx_SSL:40m; #holds approx 40 x 4000 sessions
ssl_session_timeout 2h;
ssl_session_tickets off;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;

ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";

该项目是与当地信用卡支付处理公司联系的电子商务。

一切正常,直到支付处理器在我的服务器中响应 url 以确认支付。

这是我的服务器在向付款确认发送请求时对付款处理器的响应 url:

[状态 500]

OpenSSL: : SSL: : SSLError: Receivedfatalalert: handshake_failure

我的 laravel.log 或我的 nginx 日志中没有任何错误或任何内容的日志。

我复制粘贴了相同的请求,并用 Postman 复制了它,它工作正常,返回了正确的 200 响应

付款处理器告诉我,我只需要验证 TLS1.2 及更高版本的证书,正如您在我的 options-ssl-[ 中看到的那样=72=] 文件,这已经验证。

有谁知道可能遗漏了什么?

提前致谢

更新 1:

我把nginx的错误日志调高了,出现如下错误:

这个有测试:

SSL_do_handshake() failed (SSL: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher) while SSL handshaking, client: 190.128.218.209, server: 0.0.0.0:443

几个小时前我也收到了这个:

 SSL_do_handshake() failed (SSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol) while SSL handshaking, client: 3.236.110.87, server: 0.0.0.0:443
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";

您的密码集非常严格,即 RSA 证书只有 5 个 TLS 1.2 密码(ECDSA 密码可能无关紧要,因为您可能不使用 ECC 证书)。很可能是支付处理公司使用的特定客户端既不支持这些 TLS 1.2 密码也不支持 TLS 1.3。

注释掉 ssl_ciphers 行可能会很有用,这样它会回退到默认设置,这些设置通常(对于当前版本的 OpenSSL)仍然安全但范围更广。