Re: HTTPS proxy on nginx/1.5.4 built manually vs nginx/1.5.7 from the repository

mnsold nginx-forum at nginx.us
Mon Dec 9 14:34:23 UTC 2013


> Try connecting to glassfish with the _stock_ (packaged) s_client:
> openssl s_client -debug -connect localhost:8002

Enabled
> -Djavax.net.debug=ssl

At the moment openssl is
# openssl version
OpenSSL 1.0.1e 11 Feb 2013
# dpkg -l|grep openssl
ii  openssl                             1.0.1e-2 

but nginx 1.5.7 still uses 0.9.8:
# ldd `which nginx`
	linux-vdso.so.1 =>  (0x00007fffae33d000)
	libpthread.so.0 => /lib/libpthread.so.0 (0x00007fdd24f6b000)
	libcrypt.so.1 => /lib/libcrypt.so.1 (0x00007fdd24d34000)
	libpcre.so.3 => /lib/libpcre.so.3 (0x00007fdd24b03000)
	libssl.so.0.9.8 => /usr/lib/libssl.so.0.9.8 (0x00007fdd248ac000)
	libcrypto.so.0.9.8 => /usr/lib/libcrypto.so.0.9.8 (0x00007fdd2450b000)
	libz.so.1 => /usr/lib/libz.so.1 (0x00007fdd242f3000)
	libc.so.6 => /lib/libc.so.6 (0x00007fdd23f91000)
	/lib64/ld-linux-x86-64.so.2 (0x00007fdd25195000)
	libdl.so.2 => /lib/libdl.so.2 (0x00007fdd23d8d000)

nginx 1.5.4:
# ldd `which /data/nginx-gost/sbin/nginx`
	linux-vdso.so.1 =>  (0x00007fff695ff000)
	libpthread.so.0 => /lib/libpthread.so.0 (0x00007ff4330f4000)
	libcrypt.so.1 => /lib/libcrypt.so.1 (0x00007ff432ebd000)
	libpcre.so.3 => /lib/libpcre.so.3 (0x00007ff432c8c000)
	libssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007ff432a2d000)
	libcrypto.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007ff432649000)
	libdl.so.2 => /lib/libdl.so.2 (0x00007ff432444000)
	libz.so.1 => /usr/lib/libz.so.1 (0x00007ff43222d000)
	libc.so.6 => /lib/libc.so.6 (0x00007ff431ecb000)
	/lib64/ld-linux-x86-64.so.2 (0x00007ff43331e000)


# openssl s_client -connect localhost:8002 -tlsextdebug
CONNECTED(00000003)
depth=0 C = US, ST = California, L = Santa Clara, O = Oracle Corporation, OU
= GlassFish, CN = myhost.domain.local
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = California, L = Santa Clara, O = Oracle Corporation, OU
= GlassFish, CN = myhost.domain.local
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Santa Clara/O=Oracle
Corporation/OU=GlassFish/CN=myhost.domain.local
   i:/C=US/ST=California/L=Santa Clara/O=Oracle
Corporation/OU=GlassFish/CN=myhost.domain.local
---
Server certificate
subject=/C=US/ST=California/L=Santa Clara/O=Oracle
Corporation/OU=GlassFish/CN=myhost.domain.local
issuer=/C=US/ST=California/L=Santa Clara/O=Oracle
Corporation/OU=GlassFish/CN=myhost.domain.local
---
No client certificate CA names sent
---
SSL handshake has read 1264 bytes and written 478 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : EDH-RSA-DES-CBC3-SHA
    Session-ID:
52A5C7084B96822C644DA72CADECFADD2C8684AFE17E63158BD8EB90819682B1
    Session-ID-ctx: 
    Master-Key:
ECB9F34696C2F27C330007773E9272D9FE539517AC74FD3E94F5CF105AA77BF2DFFEFEE93BE22066F68D42CB080F289F
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1386596104
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---


If I make a request from nginx 1.5.7 (from the repository), the glassfish logs show:
[#|2013-12-09T18:27:35.338+0400|INFO|oracle-glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=36;_ThreadName=Thread-2;|Using
SSLEngineImpl.|#]

[#|2013-12-09T18:27:35.338+0400|INFO|oracle-glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=36;_ThreadName=Thread-2;|http-thread-pool-8002(5),
READ: TLSv1 Handshake, length = 89|#]

[#|2013-12-09T18:27:35.339+0400|INFO|oracle-glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=36;_ThreadName=Thread-2;|http-thread-pool-8002(5),
fatal error: 80: problem unwrapping net record
javax.net.ssl.SSLException: Unexpected end of handshake data|#]

[#|2013-12-09T18:27:35.339+0400|INFO|oracle-glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=36;_ThreadName=Thread-2;|http-thread-pool-8002(5)|#]

[#|2013-12-09T18:27:35.339+0400|INFO|oracle-glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=36;_ThreadName=Thread-2;|,
SEND TLSv1 ALERT:  |#]

[#|2013-12-09T18:27:35.339+0400|INFO|oracle-glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=36;_ThreadName=Thread-2;|fatal,
|#]

[#|2013-12-09T18:27:35.340+0400|INFO|oracle-glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=36;_ThreadName=Thread-2;|description
= internal_error|#]

[#|2013-12-09T18:27:35.340+0400|INFO|oracle-glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=36;_ThreadName=Thread-2;|http-thread-pool-8002(5),
WRITE: TLSv1 Alert, length = 2|#]
There are no other entries in the log.


If I make a request from nginx 1.5.7 (manual build), the glassfish logs show:
[#|2013-12-09T18:30:54.568+0400|INFO|oracle-glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=35;_ThreadName=Thread-2;|Using SSLEngineImpl.|#]

[#|2013-12-09T18:30:54.568+0400|INFO|oracle-glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=35;_ThreadName=Thread-2;|http-thread-pool-8002(4), READ: TLSv1 Handshake, length = 258|#]

[#|2013-12-09T18:30:54.569+0400|INFO|oracle-glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=35;_ThreadName=Thread-2;|*** ClientHello, TLSv1|#]

[#|2013-12-09T18:30:54.569+0400|INFO|oracle-glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=35;_ThreadName=Thread-2;|RandomCookie:  |#]
...
[#|2013-12-09T18:30:54.580+0400|INFO|oracle-glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=35;_ThreadName=Thread-2;|Cipher Suites: [TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, Unknown 0xc0:0x22, Unknown 0xc0:0x21, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, Unknown 0x0:0x88, Unknown 0x0:0x87, Unknown 0x0:0x81, Unknown 0x0:0x80, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, Unknown 0x0:0x84, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, Unknown 0xc0:0x1c, Unknown 0xc0:0x1b, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, Unknown 0xc0:0x1f, Unknown 0xc0:0x1e, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, Unknown 0x0:0x9a, Unknown 0x0:0x99, Unknown 0x0:0x45, Unknown 0x0:0x44, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, Unknown 0x0:0x96, Unknown 0x0:0x41, SSL_RSA_WITH_IDEA_CBC_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_RSA_EXPORT_WITH_RC4_40_MD5, Unknown 0x0:0xff]|#]

[#|2013-12-09T18:30:54.580+0400|INFO|oracle-glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=35;_ThreadName=Thread-2;|Compression Methods:  { |#]

[#|2013-12-09T18:30:54.580+0400|INFO|oracle-glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=35;_ThreadName=Thread-2;|0|#]

[#|2013-12-09T18:30:54.580+0400|INFO|oracle-glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=35;_ThreadName=Thread-2;|}|#]

[#|2013-12-09T18:30:54.580+0400|INFO|oracle-glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=35;_ThreadName=Thread-2;|Extension ec_point_formats, formats: [uncompressed, ansiX962_compressed_prime, ansiX962_compressed_char2]|#]

[#|2013-12-09T18:30:54.580+0400|INFO|oracle-glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=35;_ThreadName=Thread-2;|Extension elliptic_curves, curve names: {sect571r1, sect571k1, secp521r1, sect409k1, sect409r1, secp384r1, sect283k1, sect283r1, secp256k1, secp256r1, sect239k1, sect233k1, sect233r1, secp224k1, secp224r1, sect193r1, sect193r2, secp192k1, secp192r1, sect163k1, sect163r1, sect163r2, secp160k1, secp160r1, secp160r2}|#]

[#|2013-12-09T18:30:54.581+0400|INFO|oracle-glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=35;_ThreadName=Thread-2;|Unsupported extension type_35, data: |#]

[#|2013-12-09T18:30:54.581+0400|INFO|oracle-glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=35;_ThreadName=Thread-2;|Unsupported extension type_15, data: 01|#]

[#|2013-12-09T18:30:54.581+0400|INFO|oracle-glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=35;_ThreadName=Thread-2;|***|#]

[#|2013-12-09T18:30:54.582+0400|INFO|oracle-glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=35;_ThreadName=Thread-2;|%% Resuming [Session-16, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA]|#]
...

Posted at Nginx Forum: http://forum.nginx.org/read.php?21,245360,245366#msg-245366
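A quick check for the mismatch the post shows (the repository nginx linked against libssl.so.0.9.8 while the system openssl is 1.0.1e), written as an added example and not taken from the post or from nginx: it parses `ldd` output and compares the library soname with what `openssl version` reports. The soname-to-branch mapping is the conventional OpenSSL packaging one and, for branches not shown on the page, is an assumption.

```python
"""Check which OpenSSL shared library a binary (e.g. nginx) is actually linked
against by parsing `ldd` output, and compare it with the OpenSSL the system
reports. Added example; not code from the original post."""
import re
import subprocess

# Matches lines such as "\tlibssl.so.0.9.8 => /usr/lib/libssl.so.0.9.8 (0x...)"
LIB_RE = re.compile(r"^\s*(libssl|libcrypto)\.so\.([\w.]+)\s*=>\s*(\S+)", re.M)


def soname_for_version(version_line):
    """Map 'OpenSSL 1.0.1e 11 Feb 2013' to the soname suffix that branch ships.
    Assumed convention: 0.9.8 -> '0.9.8'; 1.0.0..1.0.2 -> '1.0.0';
    1.1.0/1.1.1 -> '1.1'; 3.x -> '3'."""
    m = re.match(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)", version_line)
    if not m:
        raise ValueError("unrecognised openssl version line: %r" % version_line)
    major, minor, patch = m.groups()
    if major == "0":
        return "%s.%s.%s" % (major, minor, patch)
    if major == "1":
        return "1.0.0" if minor == "0" else "1.1"
    return major


def linked_openssl(ldd_output):
    """Return {lib: (soname_suffix, path)} for libssl/libcrypto in ldd output."""
    return {lib: (ver, path) for lib, ver, path in LIB_RE.findall(ldd_output)}


def mismatches(ldd_output, version_line):
    """Names of linked OpenSSL libraries whose soname differs from the system OpenSSL."""
    expected = soname_for_version(version_line)
    return [lib for lib, (ver, _) in linked_openssl(ldd_output).items() if ver != expected]


def check_binary(path):
    """Run ldd and `openssl version` on the live system and report mismatches."""
    ldd = subprocess.run(["ldd", path], capture_output=True, text=True, check=True).stdout
    ver = subprocess.run(["openssl", "version"], capture_output=True, text=True, check=True).stdout
    return mismatches(ldd, ver)


# Constructed sample input, copied from the two ldd listings in the post.
REPO_NGINX = """\tlibpcre.so.3 => /lib/libpcre.so.3 (0x00007fdd24b03000)
\tlibssl.so.0.9.8 => /usr/lib/libssl.so.0.9.8 (0x00007fdd248ac000)
\tlibcrypto.so.0.9.8 => /usr/lib/libcrypto.so.0.9.8 (0x00007fdd2450b000)
"""
MANUAL_NGINX = """\tlibssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007ff432a2d000)
\tlibcrypto.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007ff432649000)
"""
SYSTEM_OPENSSL = "OpenSSL 1.0.1e 11 Feb 2013"

if __name__ == "__main__":
    print("repo build mismatches:  ", mismatches(REPO_NGINX, SYSTEM_OPENSSL))    # ['libssl', 'libcrypto']
    print("manual build mismatches:", mismatches(MANUAL_NGINX, SYSTEM_OPENSSL))  # []
```

`check_binary("/usr/sbin/nginx")` performs the same comparison against the real `ldd` and `openssl version` output on the host.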



More information about the nginx-ru mailing list