OK a little more debugging.
No line shows in the access/error log of nginx when I use the validator.
But, on tcpdump, I do see traffic when I use the validator. Checking with Wireshark, I see the client-hello as:
I then see a fatal: Handshake Failure. This is sent from server->client.
The SNI is present, and matches a name on the certificate.
I’m using nginx
I have a matching cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
If I enable ‘debug’ on the nginx error log for this vhost, I get:
2018/09/14 08:54:59 [info] 11856#11856: *2864973 SSL_do_handshake() failed (SSL: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher) while SSL handshaking, client: 199.16.157.181, server: 0.0.0.0:443
2018/09/14 08:54:59 [debug] 11856#11856: *2864973 close http connection: 16
2018/09/14 08:54:59 [debug] 11856#11856: *2864973 event timer del: 16: 3523977525
2018/09/14 08:54:59 [debug] 11856#11856: *2864973 reusable connection: 0
2018/09/14 08:54:59 [debug] 11856#11856: *2864973 free: 000055DB95E51200, unused: 120
2018/09/14 08:54:59 [debug] 11856#11856: *2864975 SSL_do_handshake: -1
2018/09/14 08:54:59 [debug] 11856#11856: *2864975 SSL_get_error: 1
I only expose 3 ciphers:
ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384!AES128:!3DES';
I expose secp384r1, which is in the client hello as well.
So I think it must be a mismatch in signature hash algorithms.
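One way to rule the cipher list in or out before chasing signature algorithms: feed the exact ssl_ciphers string to the local OpenSSL (via Python's ssl module), list what it actually enables, and compare that with the suites Wireshark shows in the ClientHello. This is an added example, not code from the post or from nginx; the cipher string and the first offered suite are the ones quoted above, the other ClientHello entries are constructed, and the IANA-to-OpenSSL name conversion is written here for ECDHE/DHE AES suites only (an assumption, not a complete table).

```python
"""Compare an nginx ssl_ciphers string with the suites a client offered.

Added example (not from the original post). Requires only the standard
library; the result reflects the OpenSSL build Python is linked against,
so run it on the nginx host for a faithful answer.
"""
import re
import ssl

# ssl_ciphers value exactly as posted. Note the *-GCM-SHA512 entries, which
# are not OpenSSL cipher names (AES-256-GCM suites use SHA384) and are
# silently dropped, and the missing ':' before !AES128.
POSTED_CIPHERS = ("ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:"
                  "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:"
                  "ECDHE-RSA-AES256-SHA384!AES128:!3DES")

# Suites as Wireshark lists them in a ClientHello (IANA names). Constructed
# sample: the first entry is the one named in the post, the rest are typical
# neighbours that an RSA-only server string should NOT match.
CLIENT_HELLO_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",  # TLS 1.3 suite, not governed by ssl_ciphers
]

_IANA_RE = re.compile(
    r"TLS_((?:ECDHE|DHE)_(?:RSA|ECDSA))_WITH_AES_(128|256)_(GCM|CBC)_(SHA\d*)")


def iana_to_openssl(name):
    """Map an IANA TLS 1.2 suite name to OpenSSL's name, or None if outside
    the ECDHE/DHE AES subset handled here (assumption of this example).

    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 -> ECDHE-RSA-AES256-GCM-SHA384
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 -> ECDHE-RSA-AES256-SHA384
    """
    m = _IANA_RE.fullmatch(name)
    if not m:
        return None
    kx, bits, mode, mac = m.groups()
    enc = "AES" + bits + ("-GCM" if mode == "GCM" else "")  # CBC is implicit
    return "%s-%s-%s" % (kx.replace("_", "-"), enc, mac)


def enabled_tls12_suites(cipher_string):
    """Return the pre-TLS1.3 suites OpenSSL enables for cipher_string,
    in server preference order. Raises ssl.SSLError only if nothing matches."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def shared_suites(cipher_string, client_suites):
    """Client-offered suites (IANA names) that the server string also enables."""
    enabled = set(enabled_tls12_suites(cipher_string))
    return [s for s in client_suites if iana_to_openssl(s) in enabled]


if __name__ == "__main__":
    print("server enables:")
    for name in enabled_tls12_suites(POSTED_CIPHERS):
        print("  ", name)
    shared = shared_suites(POSTED_CIPHERS, CLIENT_HELLO_SUITES)
    print("shared with client:", shared or "NONE")
    if shared:
        # A non-empty overlap means 'no shared cipher' is not explained by
        # the cipher string alone; look at the certificate key type and the
        # signature_algorithms extension next.
        print("cipher list is not the blocker")
```

If the overlap is non-empty on the nginx host, as it is for the string and suite quoted in the post, the cipher string itself is not what OpenSSL is rejecting, which is consistent with the suspicion above; the same "no shared cipher" alert is also raised when no enabled suite can be used with the loaded certificate's key type or with the signature algorithms the client advertises.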