Nginx: SSL_do_handshake() failed… and that’s OK!

The other day, I was looking at my Nginx error logs when the following critical error appeared:

2019/08/03 19:50:25 [crit] 25584#25584: *13780158 SSL_do_handshake() failed (SSL: error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low) while SSL handshaking, client: CLIENT IP ADDRESS REDACTED, server:

Note that in this case, I am running an Nginx web server with an SSL certificate from Let’s Encrypt.

Essentially, this error can mean one of two things:

  1. The client is using really old hardware. As a result, it is unable to use your SSL ciphers.
  2. A client is deliberately attempting (but failing) to use an older insecure SSL protocol.

Either way, you should not be concerned if you see this error every now and again. This is just a case of Nginx doing its job.

Although you may be tempted to downgrade the security of your web server to support older protocols such as TLS v1.0 and SSL 2.0, let it be known that this is a bad idea. Doing this would compromise the security of your visitors for the sake of a few outdated clients.

To sum it up: Don’t enable older deprecated SSL protocols just because Karen in Florida is still using a PC that she bought back in 2001.