Using HTTPS, TLSV1 fatal handshake

The template is already in my app.yml in the templates section.

Adding again and rebuilding app doesn’t change anything unfortunately.

Paste templates section of app yml here

templates:
  - "templates/postgres.template.yml"
  - "templates/redis.template.yml"
  - "templates/web.template.yml"
  - "templates/web.ratelimited.template.yml"
## Uncomment these two lines if you wish to add Lets Encrypt (https)
  - "templates/web.ssl.template.yml"
  - "templates/web.letsencrypt.ssl.template.yml"

and my web.ssl.template.yml ssl_ciphers was posted above

I don’t understand this, I explained that your templates should look like this:

templates:
  - "templates/postgres.template.yml"
  - "templates/redis.template.yml"
  - "templates/web.template.yml"
  - "templates/web.ratelimited.template.yml"
### this is new
  - "containers/templates/web.ssl.template.yml"
### ^^^^
  - "templates/web.letsencrypt.ssl.template.yml"

Also…

Android 2.3.7 - Released December 6, 2010. An ancient BUGGY, INSECURE version of Android we do not support.
OpenSSL 0.9.8 - Released 11 Oct 2005, no longer supported by open ssl (1.0.2 and 1.1.0 are supported)

I don’t understand why you are even embarking on this.


Yes and I added the - "containers/templates/web.ssl.template.yml" line to the above which made no difference to the outcome.

Because the scripting agent that I am using to add content to my discourse site doesn’t have ECDH ciphers.

This does not make sense to me at all… there are three options here

  1. You did not make any changes to containers/templates/web.ssl.template.yml
  2. You did not run ./launcher rebuild app
  3. You also include templates/web.ssl.template.yml somewhere later which is overriding it.

Barring that you are going to have to link me to the FULL log of your rebuild and a FULL copy of app.yml and the web.ssl.template fork you are using, with passwords obfuscated.

I think it is a better idea to upgrade your scripting agent here


I fired up a new Google Container VM and installed a completely new instance of discourse.

And get exactly the same result.

I’ll send the files you requested … but which log is required?

It’s not fair, you keep moving goal posts here.

./launcher and bootstrap are working, the NGINX config is being placed in the container… you can tell that by doing

./launcher enter app
cd /etc/nginx
ls
... you can even edit the discourse.conf file and restart nginx with ...
sv restart nginx

So … somehow your config is not working with ancient Android 2.3.7 despite you “thinking” you made changes to add the support. I simply can not support you more here, it’s a futile exercise.


As I’ve said a few times, I’m using a scripting agent which doesn’t support the default cipher suites for TLS 1.0 which are specified by the ssl template.

It’s hardly futile at all.

I changed the ssl_ciphers line in the web.ssl.template.yml to the one here instead

and it now works as I wanted with an A+ report from ssllabs.

Cool so this is working for you now, can we close this?

Yes, solved. And is there any particular reason why discourse doesn’t use the default ssl cipher settings for nginx?

https://nginx.org/en/docs/http/configuring_https_servers.html
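The failure in this thread is a client that only speaks RSA key-exchange suites meeting a server whose ssl_ciphers list is ECDHE-only, so the two sides have no suite in common and the handshake aborts. The following is an added example, not code from the thread or from Discourse, that diagnoses exactly that offline: it expands an nginx ssl_ciphers string with the same OpenSSL parser nginx uses (through Python's ssl module), reports which key-exchange methods it offers, and checks whether a given client cipher list overlaps it. NGINX_DEFAULT is nginx's documented default from the linked page; ECDHE_ONLY is an assumed stand-in for the template's ssl_ciphers line, which the thread does not reproduce, and LEGACY_CLIENT is an assumed cipher list for a client without ECDH support.

```python
"""Added example (not from the thread or from Discourse): check which
key-exchange methods an nginx ssl_ciphers spec really offers, and whether
a given client cipher list could complete a handshake against it.

Python's ssl module hands the spec to OpenSSL's cipher-list parser, the
same parser nginx uses for ssl_ciphers, so no server or network is needed.
"""
import ssl

# nginx's documented default for ssl_ciphers (from the nginx docs linked above).
NGINX_DEFAULT = "HIGH:!aNULL:!MD5"

# ASSUMED stand-in for an ECDHE-only template spec; the thread does not show
# the actual line from web.ssl.template.yml.
ECDHE_ONLY = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384"
)

# ASSUMED cipher list of a legacy scripting client with no ECDH support:
# RSA key exchange only, as an old OpenSSL 0.9.8 era client would offer.
LEGACY_CLIENT = "AES128-SHA:AES256-SHA"


def suites(spec):
    """Expand an OpenSSL cipher spec into the TLS <= 1.2 suites it selects.

    OpenSSL always appends its TLS 1.3 suites to the list, and those negotiate
    key exchange separately, so they are filtered out here.  An empty or
    invalid spec raises ssl.SSLError, which is also what nginx refuses to load.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def key_exchanges(spec):
    """Sorted set of key-exchange methods (e.g. kx-ecdhe, kx-rsa, kx-dhe)."""
    return sorted({c["kea"] for c in suites(spec)})


def offers_non_ecdh(spec):
    """True if at least one selected suite does not need an ECDH exchange."""
    return any(not c["kea"].startswith("kx-ecdhe") for c in suites(spec))


def common_suites(server_spec, client_spec):
    """Suite names both sides accept, in the client's preference order.

    An empty result means the handshake cannot complete: the server answers
    with a fatal handshake_failure alert, which is the symptom in the thread.
    """
    server = {c["name"] for c in suites(server_spec)}
    return [c["name"] for c in suites(client_spec) if c["name"] in server]


def diagnose(server_spec, client_spec):
    """Human-readable verdict for one server spec against one client list."""
    shared = common_suites(server_spec, client_spec)
    if shared:
        return "handshake possible, client would pick %s" % shared[0]
    return "handshake fails: no common suite (server offers %s)" % (
        ", ".join(key_exchanges(server_spec)))


if __name__ == "__main__":
    for label, spec in (("ECDHE-only template", ECDHE_ONLY),
                        ("nginx default", NGINX_DEFAULT)):
        print("%-22s -> %s" % (label, diagnose(spec, LEGACY_CLIENT)))
```

The same expansion is available on the command line as openssl ciphers -v 'HIGH:!aNULL:!MD5'; the Python version simply lets the intersection be computed. Note that set_ciphers does not apply OpenSSL's security level, so a suite listed here can still be rejected at handshake time by a server or client running at a stricter level; the empty-intersection case is a guaranteed failure, the non-empty case is only a necessary condition.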