I have fixed this. I'm running nginx in centos. After upgrading to the following...
nginx version: nginx/1.16.0 (packages.exove.com: SSE2, openssl-1.1.1c, PCRE JIT, TCP Fast Open)
built by gcc 7.3.1 20180303 (Red Hat 7.3.1-5) (GCC)
built with OpenSSL 1.1.1c 28 May 2019
TLS SNI support enabled
and using the cipherlist from https://cipherli.st/
ssl_protocols TLSv1.2 TLSv1.3;# Requires nginx >= 1.13.0 else use TLSv1.2
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096
ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7
resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
This worked as expected.
My guess is the letencrypt docker container is running nginx but an other version compiled with an older openssl version. I'd look at getting this upgraded.
Chris
#12
Just wanted to add to this. I experienced this error and my nginx error logs had loads of these errors
The specific fix is related to the cipher suit used. I changed mine to this and now it works (works with plex).
Thanks chriscolden for posting the config.
Code: Select all
SSL routines:tls_process_client_hello:unsupported protocol) while SSL handshaking
The specific fix is related to the cipher suit used. I changed mine to this and now it works (works with plex).
Code: Select all
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:EECDH+AESGCM:EDH+AESGCM;
#13
I have a small selection of ciphers and have the same problem with art and episodes missing. The same unsupported protocol message in the error logs as well. I'll have to try adding the extra ciphers although everything is working fine outside of NZB360.
#14
Thanks tempemple! Using those ciphers my nzb360 works as it should. I've had this problem for about a year, so happy to have it working again.
Old Cipher
New Cipher
Seems like the only difference is
This is removed
ECDHE-RSA-AES256-SHA384
This is added
EECDH+AESGCM:EDH+AESGCM
Old Cipher
Code: Select all
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
Code: Select all
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:EECDH+AESGCM:EDH+AESGCM;
This is removed
ECDHE-RSA-AES256-SHA384
This is added
EECDH+AESGCM:EDH+AESGCM
#15
This was exactly my problem and the fix. Great post.DeadlyHybrid wrote: ↑Tue Sep 17, 2019 9:49 pmThanks tempemple! Using those ciphers my nzb360 works as it should. I've had this problem for about a year, so happy to have it working again.
Old CipherNew CipherCode: Select all
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
Seems like the only difference isCode: Select all
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:EECDH+AESGCM:EDH+AESGCM;
This is removed
ECDHE-RSA-AES256-SHA384
This is added
EECDH+AESGCM:EDH+AESGCM