The original post: /r/nginx by /u/timwelchnz-ricoh on 2024-09-05 07:02:51.
Referring to my post at Enabling TLS 1.0 in IE Mode on Edge in Windows 11: I’ve set up nginx on a Debian VM but seem to be fighting the requirement for a client certificate.
I’ll fully admit that I know enough to be dangerous and how to read docs but I’m unable to find anything meaningful in the docs that assists me in getting past the errors I keep getting.
2024/09/05 18:50:27 [crit] 259824#259824: *344 SSL_do_handshake() failed (SSL: error:0A0000BF:SSL routines::no protocols available) while SSL handshaking to upstream, client: 10.xxx.xxx.xxx, server: nginx.local, request: "GET /application/Login.htm HTTP/1.1", upstream: "https://xxx.xxx.xxx.xxx:444/application/Login.htm", host: "nginx.local"
I’ve tested OpenSSL with openssl ciphers -v 'DES-CBC3-SHA' and it returns with what I would expect.
So I’m unsure if this error is saying that DES-CBC3-SHA is not available to nginx or I’m having issues with the client certificate that it expects.
Currently I have the following config…
server {
    listen 80;
    server_name nginx.local;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name nginx.local;
    ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
    ssl_protocols TLSv1.2 TLSv1.3; # Enable TLS 1.0
    ssl_ciphers HIGH:!aNULL:!MD5; # Secure client connections with modern protocols
    location / {
        proxy_pass https://IIS6withTLS1.nz:444; # Health app on IIS6 asking for TLS1.0 and DES-CBC3-SHA
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Set weak cipher and TLS for the server
        proxy_ssl_protocols TLSv1; # Match upstream server's protocols
        proxy_ssl_ciphers DES-CBC3-SHA; # Match upstream server's ciphers
        proxy_ssl_trusted_certificate /etc/ssl/certs/ClientCert.crt; # Path to trusted certificate
        proxy_ssl_verify off;
    }
}
Any assistance would be greatly appreciated.
Cheers, Tim
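
Added example, not part of the original post or of nginx: a diagnostic sketch that decodes the OpenSSL error in the log line quoted above and checks, entirely in memory, whether the local OpenSSL will build a TLS 1.0 ClientHello with DES-CBC3-SHA, both as configured and with `@SECLEVEL=0` appended. The function names are hypothetical, and it assumes the Python on the nginx host links the same OpenSSL as nginx, which may not hold.

```python
import re
import ssl
import warnings

# Error line quoted from the post above (addresses masked by the poster).
LOG_LINE = ('2024/09/05 18:50:27 [crit] 259824#259824: *344 SSL_do_handshake() failed '
            '(SSL: error:0A0000BF:SSL routines::no protocols available) while SSL '
            'handshaking to upstream, client: 10.xxx.xxx.xxx, server: nginx.local')

def decode_handshake_error(line):
    """Split an nginx SSL error into OpenSSL library, reason and handshake side."""
    m = re.search(r'error:([0-9A-Fa-f]{8}):([^:]*)::([^)]*)\) while SSL handshaking'
                  r'( to upstream)?', line)
    if not m:
        return None
    code = int(m.group(1), 16)
    return {
        'lib': (code >> 23) & 0xFF,      # OpenSSL 3.x packing: library in bits 23-30
        'reason': code & 0x7FFFFF,       # reason code in the low 23 bits
        'text': m.group(3).strip(),
        # "to upstream" means nginx was the TLS client, so proxy_ssl_* applies
        'side': 'upstream' if m.group(4) else 'client',
    }

def probe_client_hello(ciphers, version=ssl.TLSVersion.TLSv1):
    """Build the first ClientHello in memory; no network or server is involved."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # mirrors proxy_ssl_verify off
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with warnings.catch_warnings():
            warnings.simplefilter('ignore')   # TLS 1.0 triggers a DeprecationWarning
            ctx.minimum_version = version
            ctx.maximum_version = version
        ctx.set_ciphers(ciphers)
        ctx.wrap_bio(ssl.MemoryBIO(), ssl.MemoryBIO()).do_handshake()
    except ssl.SSLWantReadError:
        return 'OFFERED'                 # ClientHello written, waiting for a server
    except (ssl.SSLError, ValueError) as exc:
        # e.g. NO_PROTOCOLS_AVAILABLE, or the exception name if no reason is set
        return getattr(exc, 'reason', None) or type(exc).__name__
    return 'OFFERED'

if __name__ == '__main__':
    print(decode_handshake_error(LOG_LINE))
    for spec in ('DES-CBC3-SHA', 'DES-CBC3-SHA:@SECLEVEL=0'):
        print(spec, '->', probe_client_hello(spec))
```

A probe result of `NO_PROTOCOLS_AVAILABLE` reproduces the logged reason locally, while `OFFERED` means the library would send the hello and the handshake outcome depends on the upstream.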