Setting cipher suites results in 502 error

I’d like to disable some weak cipher suites, I am using the following Caddyfile:

0.0.0.0
log stdout
errors stdout

header / Strict-Transport-Security "max-age=31536000; includeSubDomains"
header / X-Frame-Options "DENY"
header / -Server

tls {
  protocols tls1.2
  ciphers ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-WITH-CHACHA20-POLY1305 ECDHE-RSA-WITH-CHACHA20-POLY1305 ECDHE-ECDSA-AES256-CBC-SHA ECDHE-ECDSA-AES128-CBC-SHA
  key_type p256
}

And running Caddy with the following command:
/usr/bin/caddy --conf /etc/Caddyfile --log stdout

Running Caddy without the tls directive works just fine, but including the directive results in the following error (Caddy does start up):

503 Service Unavailable
No server is available to handle this request.

Any ideas?

That’s not a Caddy error, so there must be something else going on. What’s in your logs (esp. Caddy logs)?

16/07/2018 17:36:16 MYDOMAIN
16/07/2018 17:36:16 /backend
16/07/2018 17:36:17 https://MYDOMAIN
16/07/2018 17:36:17 Activating privacy features... done.
16/07/2018 17:36:17 https://0.0.0.0
16/07/2018 17:36:17 2018/07/16 15:36:17 https://0.0.0.0
16/07/2018 17:36:17 2018/07/16 15:36:17 [INFO] Sending telemetry: success

What other infrastructure do you have? Firewalls, proxies, literally anything other than your OS?

That error smacks of load balancer health checking.

Probably worth noting that by going from no tls directive to the above configuration, you’ve changed the port for this site from Caddy’s default 2015 to the HTTPS standard 443.

Ah thanks, I changed the port from 2015 to 443. I’m now getting:

502 Bad Gateway
The server returned an invalid or incomplete response.

Caddy logs

http: TLS handshake error from IP:36190: tls: first record does not look like a TLS handshake
http: TLS handshake error from IP:36192: tls: first record does not look like a TLS handshake
http: TLS handshake error from IP:36210: tls: first record does not look like a TLS handshake
http: TLS handshake error from IP:36212: tls: first record does not look like a TLS handshake

I am testing to see if it is the use of key_type. EDIT: Same error without key_type

When you updated the port from 2015 to 443, did you also change the protocol from HTTP to HTTPS?

Yes, the protocol is HTTPS.

That error is consistent with a client attempting to connect to an HTTPS port using HTTP.

You can see this error in action yourself with a quick test. Run Caddy in the foreground with caddy -log stdout "tls self_signed", then run curl http://localhost:2015 from another shell and observe the output from Caddy.

I’m not sure what circumstances could produce it outside of that scenario. Caddy simply isn’t capable of handling non-TLS connections on a TLS listener.
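The failure described in the reply above, reproduced in Go (the language Caddy and its crypto/tls stack are written in). This is an added example, not code from the thread or from Caddy itself: it stands up a TLS server on a random loopback port with a self-signed P-256 certificate generated in memory, then drives one connection with a cleartext `GET` (what `curl http://...` against an HTTPS port does) and one with a real ClientHello, and reports what the server side saw. The `ProbeResult` type, the `probe` helpers and `LooksLikeTLSHandshake` are this example's own names; the error text and the `RecordHeaderError` type come from Go's crypto/tls.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// LooksLikeTLSHandshake applies the check Go's crypto/tls makes on the first
// 5 bytes of a fresh connection: record type 0x16 (handshake) and a legacy
// version field below 0x1000. Go also tolerates an alert record (0x15) there;
// this simplified version does not.
func LooksLikeTLSHandshake(header []byte) bool {
	if len(header) < 5 {
		return false
	}
	vers := uint16(header[1])<<8 | uint16(header[2])
	return header[0] == 0x16 && vers < 0x1000
}

// ProbeResult records what the TLS server saw for one client connection.
type ProbeResult struct {
	HandshakeOK bool
	ErrText     string // server-side handshake error text, "" on success
	FirstBytes  string // first 5 bytes read, when RecordHeaderError exposes them
	ClientErr   string // error reported by the client side, "" on success
}

// selfSignedCert builds a throwaway P-256 certificate in memory (test only).
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     []string{"localhost"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// probe listens on a random loopback port, lets client drive one connection
// to it, runs the server side of the handshake and reports the outcome.
func probe(client func(net.Conn) error) (ProbeResult, error) {
	cert, err := selfSignedCert()
	if err != nil {
		return ProbeResult{}, err
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return ProbeResult{}, err
	}
	defer ln.Close()
	clientDone := make(chan error, 1)
	go func() {
		c, err := net.Dial("tcp", ln.Addr().String())
		if err != nil {
			clientDone <- err
			return
		}
		defer c.Close()
		clientDone <- client(c)
	}()
	raw, err := ln.Accept()
	if err != nil {
		return ProbeResult{}, err
	}
	raw.SetDeadline(time.Now().Add(5 * time.Second))
	srv := tls.Server(raw, &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12, // same floor as "protocols tls1.2" above
	})
	hsErr := srv.Handshake()
	raw.Close() // release the peer before waiting for it
	res := ProbeResult{HandshakeOK: hsErr == nil}
	if cerr := <-clientDone; cerr != nil {
		res.ClientErr = cerr.Error()
	}
	if hsErr != nil {
		res.ErrText = hsErr.Error()
		var rhe tls.RecordHeaderError // carries the offending 5 header bytes
		if errors.As(hsErr, &rhe) {
			res.FirstBytes = string(rhe.RecordHeader[:])
		}
	}
	return res, nil
}

// ProbeWithPlainHTTP sends a cleartext request line as the "first record".
func ProbeWithPlainHTTP() (ProbeResult, error) {
	return probe(func(c net.Conn) error {
		_, err := c.Write([]byte("GET / HTTP/1.1\r\nHost: localhost\r\n\r\n"))
		return err
	})
}

// ProbeWithTLS sends a real ClientHello; InsecureSkipVerify only because the
// certificate is self-signed test material, never in production code.
func ProbeWithTLS() (ProbeResult, error) {
	return probe(func(c net.Conn) error {
		return tls.Client(c, &tls.Config{InsecureSkipVerify: true}).Handshake()
	})
}

func main() {
	for _, p := range []struct {
		name string
		run  func() (ProbeResult, error)
	}{{"plain HTTP", ProbeWithPlainHTTP}, {"TLS", ProbeWithTLS}} {
		r, err := p.run()
		if err != nil {
			fmt.Println(p.name, "setup failed:", err)
			continue
		}
		fmt.Printf("%-10s ok=%v err=%q first=%q\n", p.name, r.HandshakeOK, r.ErrText, r.FirstBytes)
	}
}
```

The plaintext probe comes back with the exact text from the logs above, `tls: first record does not look like a TLS handshake`, and `RecordHeaderError.RecordHeader` holds the bytes that triggered it (here `GET /`). When a 502 or 503 appears in front of Caddy, that field is the quickest way to confirm whether the thing connecting to port 443 is a load balancer health check or proxy still speaking plain HTTP.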

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.