
Solved: SSL connections do not work over IPv6


Earlier I had a very strange problem. When checking an SSL certificate installation using the great SSL Labs test, it failed over IPv6.

Here is some useful information to troubleshoot this problem.

To confirm the problem is real (and not the SSL Labs test misreporting things), you can log in to a server with IPv6 configured and run a simple command against your site:

wget -d --no-check-certificate https://www.getpagespeed.com/

Setting --check-certificate (checkcertificate) to 0
DEBUG output created by Wget 1.14 on linux-gnu.

URI encoding = ‘UTF-8’
--2016-01-09 12:36:13-- https://www.getpagespeed.com/
Resolving www.getpagespeed.com (www.getpagespeed.com)... 2001:19f0:6000:9190:5400:ff:fe13:d9d2,
Caching www.getpagespeed.com => 2001:19f0:6000:9190:5400:ff:fe13:d9d2
Connecting to www.getpagespeed.com (www.getpagespeed.com)|2001:19f0:6000:9190:5400:ff:fe13:d9d2|:443... connected.
Created socket 3.
Releasing 0x00000000009985b0 (new refcount 1).
Initiating SSL handshake.
SSL handshake failed.
Closed fd 3
Unable to establish SSL connection.

OK, it’s real. And we see it fails over IPv6 (I had run the same test from an IPv4-only box and it was successful).

If you don’t have access to an additional server with IPv6 for testing, you can run the same test from the problematic server, assuming you have proper hosts file entries.

Another useful utility to troubleshoot SSL connectivity is ncat.

ncat -6 --ssl -v 2001:19f0:6000:9190:5400:ff:fe13:d9d2 443

Ncat: Version 6.40 ( http://nmap.org/ncat )
Ncat: Input/output error.


Check the following and I’m sure you will be able to fix your SSL connection that doesn’t work over IPv6!

Missing ssl_certificate!

You did not specify the ssl_certificate configuration directive at all! Nginx will work just fine without it, but because one of the hosts is missing the ssl_certificate directive, SSL will fail to work over IPv6 for all the other hosts. Weird, but true.

Missing ssl keyword in listen directive of Nginx

Somewhere in your nginx configuration files you will have “listen 443...”, and the ssl parameter is missing in one of the virtual host definitions, i.e. “listen 443;” and not “listen 443 ssl;”.

Different ssl directive in virtual hosts

Another possible reason is that you have different directives for the secure port, i.e. you have “listen 443 ssl;” in one place whereas you have “listen 443 ssl spdy;” in another.
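
The three checks above can be run mechanically over a configuration. The following Python script is an added example, not code from the original post: it finds every server block listening on port 443 and reports a missing ssl parameter, a missing ssl_certificate directive, and listen parameters that differ between hosts. The sample configuration and host names are constructed; it assumes ssl_certificate is set per server block rather than inherited from http {}, and it compares http2 alongside the ssl and spdy parameters mentioned above.

```python
import re

PROTO = {"ssl", "spdy", "http2"}  # listen parameters that must agree across hosts

# Constructed sample configuration (not from the original post).
SAMPLE = """
server { listen 443 ssl; listen [::]:443 ssl; server_name a.example;
         ssl_certificate /etc/ssl/a.crt; ssl_certificate_key /etc/ssl/a.key;
         location / { return 200; } }
server { listen 443; listen [::]:443; server_name b.example;   # no ssl keyword
         ssl_certificate /etc/ssl/b.crt; ssl_certificate_key /etc/ssl/b.key; }
server { listen [::]:443 ssl spdy; server_name c.example; }    # no certificate
server { listen 80; server_name d.example; }
"""

def server_blocks(conf):
    """Yield the body of every server { ... } block by tracking brace depth."""
    conf = re.sub(r"#[^\n]*", "", conf)  # strip comments first
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def audit(conf, port="443"):
    """Return (host, issue) tuples for the three misconfigurations in the checklist."""
    findings, variants = [], set()
    for n, body in enumerate(server_blocks(conf), 1):
        m = re.search(r"\bserver_name\s+([^;\s]+)", body)
        host = m.group(1) if m else f"server#{n}"
        listens = [l.split() for l in re.findall(r"\blisten\s+([^;]+);", body)]
        secure = [l for l in listens if l[0].rsplit(":", 1)[-1] == port]
        for addr, *params in secure:
            flags = frozenset(params) & PROTO
            variants.add(flags)
            if "ssl" not in flags:
                findings.append((host, f"listen {addr} has no ssl parameter"))
        # Assumption: certificates are set per server block, not inherited from http {}.
        if secure and not re.search(r"\bssl_certificate\s", body):
            findings.append((host, "no ssl_certificate directive"))
    if len(variants) > 1:
        combos = sorted(" ".join(sorted(v)) or "(none)" for v in variants)
        findings.append(("*", "mixed listen parameters: " + " | ".join(combos)))
    return findings

if __name__ == "__main__":
    for host, issue in audit(SAMPLE):
        print(f"{host}: {issue}")
```

To audit a live server, pass the output of nginx -T (the full merged configuration) to audit() instead of SAMPLE.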
