I have a server running Nginx for years 1, and it just work super nice.

On thing that I do is watching video with VLC, streaming the video from the server.

It worked well on Linux and Windows but not on MacOS.

But Why ?

The server was TLS 1.3 only. I’m the only one using it so it has a very narrowed cipher suite and just TLSv1.3.

It’s working on every OS. Except MacOS. Because VLC uses the “SecureTransport API from MacOS, and it doesn’t support TLS 1.3.

MacOS ships with LibreSSL instead of openssl, and I could replicate the problem nicely in the CLI:

openssl s_client -connect my.server.com:443
4300588588:error:1400442E:SSL routines:CONNECT_CR_SRVR_HELLO:tlsv1 alert protocol version:/AppleInternal/Library/BuildRoots/66382bca-8bca-11ec-aade-6613bcf0e2ee/Library/Caches/com.apple.xbs/Sources/libressl/libressl-2.8/ssl/ssl_pkt.c:1200:SSL alert number 70
4300588588:error:140040E5:SSL routines:CONNECT_CR_SRVR_HELLO:ssl handshake failure:/AppleInternal/Library/BuildRoots/66382bca-8bca-11ec-aade-6613bcf0e2ee/Library/Caches/com.apple.xbs/Sources/libressl/libressl-2.8/ssl/ssl_pkt.c:585:
no peer certificate available
No client certificate CA names sent
SSL handshake has read 7 bytes and written 0 bytes
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
    Protocol  : TLSv1.2
    Cipher    : 0000
    Start Time: 1652638832
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)

I quickly jump into google, with post on SO etc… saying that MacOS doesn’t support TLS1.3 and I should activate TLS1.2. I did it didn’t worked.


The solution is to add a TLS1.2 into your nginx config + default_server as following:

server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    ssl_protocols TLSv1.2 TLSv1.3;

Thanks Apple for letting me loose 2 hours.

  1. I updated it ! ↩︎