SSL with client certificate errors

Igor Sysoev igor at sysoev.ru
Tue Feb 23 12:48:03 MSK 2010


On Tue, Feb 23, 2010 at 06:35:54PM +0900, Zev Blut wrote:

> Hello,
> 
> On 02/23/2010 06:24 PM, Igor Sysoev wrote:
> > On Tue, Feb 23, 2010 at 04:52:29PM +0900, Zev Blut wrote:
> >
> >> On 02/09/2010 02:11 AM, Slawek Zak wrote:
> >>> Hi,
> >>>
> >>> I use nginx 0.7.62 to proxy a web application and secure it with
> >>> client certificates. Quite often NGINX just responds with connection
> >>> reset to Firefox and generates this error:
> >>>
> >>> 2010/02/08 18:04:49 [crit] 8248#0: *41 SSL_do_handshake() failed (SSL:
> >>> error:140D9115:SSL routines:SSL_GET_PREV_SESSION:session id context
> >>> uninitialized) while SSL handshaking, client: 77.x.x.x, server
> >>> 89.x.x.x
> >>>
> >>> Any ideas?
> >>
> >> I too am getting similar errors with 0.7.65:
> >>
> >> 2010/02/23 16:02:19 [crit] 7224#0: *46254 SSL_do_handshake() failed
> >> (SSL: error:140D9115:SSL routines:SSL_GET_PREV_SESSION:session id
> >> context uninitialized) while SSL handshaking, client: 192.x.x.x, server:
> >> example.com
> >
> > What is your ssl_session_cache setting?
> 
> At the moment it is not set, so it is using whatever the default is.
> Here is a short example of what I am using:
> 
>     server {
>          listen 443;
> 
>          ssl                  on;
>          ssl_certificate      /etc/nginx/ssl/data.crt;
>          ssl_certificate_key  /etc/nginx/ssl/data.key;
>          ssl_protocols SSLv3 TLSv1;
> 
>          # Make sure we verify client side SSL
>          ssl_verify_client on;
>          ssl_client_certificate /etc/nginx/ssl/data.pem;
>     }

Could you try the attached patch?


-- 
Igor Sysoev
http://sysoev.ru/en/
-------------- next part --------------
Index: src/event/ngx_event_openssl.c
===================================================================
--- src/event/ngx_event_openssl.c	(revision 2775)
+++ src/event/ngx_event_openssl.c	(working copy)
@@ -1428,6 +1428,8 @@
         return NGX_OK;
     }
 
+    SSL_CTX_set_session_id_context(ssl->ctx, sess_ctx->data, sess_ctx->len);
+
     if (builtin_session_cache == NGX_SSL_NONE_SCACHE) {
 
         /*
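Review bot: moving SSL_CTX_set_session_id_context() ahead of the NGX_SSL_NONE_SCACHE branch is the substance of the fix, since OpenSSL refuses to resume a session and aborts the handshake with "session id context uninitialized" when client certificate verification is enabled and no context has been set, but the call still sits below the `return NGX_OK;` visible at the top of the hunk; if that early return is taken while ssl_verify_client is on, the same failure remains on that path, so please confirm it cannot be. sess_ctx is also dereferenced earlier than before, so it must be populated by this point. A one-line comment above the new call explaining that the context is required regardless of the cache mode would save the next reader from moving it back.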
@@ -1459,8 +1461,6 @@
 
     SSL_CTX_set_session_cache_mode(ssl->ctx, cache_mode);
 
-    SSL_CTX_set_session_id_context(ssl->ctx, sess_ctx->data, sess_ctx->len);
-
     if (builtin_session_cache != NGX_SSL_NO_BUILTIN_SCACHE) {
 
         if (builtin_session_cache != NGX_SSL_DFLT_BUILTIN_SCACHE) {
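Review bot: this removal is only the counterpart of the call added in the first hunk and is safe as long as nothing between the NGX_SSL_NONE_SCACHE branch and this SSL_CTX_set_session_cache_mode() call replaces ssl->ctx, which would discard the context set earlier; worth a quick check of the lines in between. The commit message should also reference the "SSL_GET_PREV_SESSION:session id context uninitialized" errors from the thread so the change is traceable to the reports.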

