Intermittent SSL errors - SSL_do_handshake() failed (SSL: error:1408C095:SSL routines:SSL3_GET_FINISHED:digest check failed) while SSL handshaking to upstream Reverse proxy mode.. HELP

David Taveras d3taveras38d3 at gmail.com
Thu Mar 4 22:45:51 MSK 2010


Hello,

I have a reverse proxy config.

I reverse proxy SSL listening on port 81, and also send to an
upstream SSL on 81. I am getting intermittent SSL handshake errors and
users are getting a 501 Bad Gateway error.


2010/03/05 00:31:50 [error] 3078#0: *1362 SSL_do_handshake() failed
(SSL: error:1408C095:SSL routines:SSL3_GET_FINISHED:digest check
failed) while SSL handshaking to upstream, client: 150.45.62.218,
server: server1, request: "GET /dwf.php?action=image HTTP/1.1",
upstream: "https://35.17.50.184:81/_chat.php?action=alive", host:
"secure.domain.org:81", referrer: "http://www.some.org/"


Here is the server {} block:

server {
    access_log  /var/log/nginx/access.log main;
    error_log   /var/log/nginx/error.log;
    listen      xxx.xxx.xxx.xxx:81;
    root        /usr/local/nginx/html;
    server_name server1;

    ## Only allow these request methods
    if ($request_method !~ ^(GET|HEAD|POST)$ ) {
        return 444;
    }

    ssl on;
    ssl_certificate /etc/nginx/secure.domain.org_ssl.crt;
    ssl_certificate_key /etc/nginx/secure.domain.org_ssl.key;
    ssl_ciphers HIGH:!ADH:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_protocols SSLv3;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;

    location / {
        proxy_pass  https://secure.domain.org:81/;
        proxy_set_header  X-Real-IP  $remote_addr;
    }
}


It is about 1 out of 6 requests that give me that error. The weird
thing is that when I try to replicate that error from the same nginx
box with the following:

openssl s_client -connect www.domain_that_resolves_to_nginx_reverse_proxy.org:81 -state -ssl3 -no_ssl2 -no_tls1


CONNECTED(00000004)
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=0 /C=WE/ST=DF/L=SDF/O=SF/OU=GE/CN=YH/emailAddress=dfs at dfsd.com
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=WE/ST=DF/L=SDF/O=SF/OU=GE/CN=YH/emailAddress=dfs at dfsd.com
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
---
Certificate chain
 0 s:/C=WE/ST=DF/L=SDF/O=SF/OU=GE/CN=YH/emailAddress=dfs at dfsd.com
   i:/C=WE/ST=DF/L=SDF/O=SF/OU=GE/CN=YH/emailAddress=dfs at dfsd.com
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=/C=WE/ST=DF/L=SDF/O=SF/OU=GE/CN=YH/emailAddress=dfs at dfsd.com
issuer=/C=WE/ST=DF/L=SDF/O=SF/OU=GE/CN=YH/emailAddress=dfs at dfsd.com
---
No client certificate CA names sent
---
SSL handshake has read 773 bytes and written 304 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : AES256-SHA
    Session-ID: 5E8A7F8AF9E84C730D0DC94E3BE31482F9E3C161BD660876FE32484832A457AB
    Session-ID-ctx:
    Master-Key: 15DEB4EB8D487AB061392468BA952ECA6800797B9101D07DA80D198B5C369DD3C520BC4BA06446E21959F22203E5C78C
    Key-Arg   : None
    Start Time: 1267749779
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
---


I repeat that test 100 times and I never get any handshake errors.

What could be different? What is so special about the way this nginx
config is doing the handshake? I have other clients also doing the
handshake directly to the upstream server with the Mozilla browser and
they never get errors.

The only observation I can make is that the upstream box that nginx
wants to do the handshake with is self-signed. Is that a possible
issue?


David
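The script below is an added diagnostic example, not code from the original post or from the nginx project. It does two things a practitioner would want when chasing an error like the one quoted above. First, it parses error_log lines in the format shown in the post and counts "SSL handshaking to upstream" failures per upstream address: the log records the resolved upstream IP (35.17.50.184:81 in the post) rather than the name in proxy_pass, so if the name resolves to more than one address this shows whether the failures cluster on a single backend. Second, it repeats the handshake test from the post, but straight at the upstream host and port instead of at the proxy front end, which is the leg that is actually failing. The sample log lines are constructed for this example using documentation addresses (192.0.2.x, 198.51.100.x) and an example hostname; the probe uses the local OpenSSL defaults, which on current systems no longer offer SSLv3, and needs network access, so it is only run from main.

```python
import re
import socket
import ssl
from collections import Counter

# Matches the nginx error_log format quoted in the post:
#   <date> <time> [level] <pid>#<tid>: *<conn> <message> while <phase>, client: ..., upstream: "..."
# Every field after the phase is optional, since not all errors carry them.
LOG_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] '
    r'(?P<pid>\d+)#\d+: \*(?P<conn>\d+) (?P<msg>.*?) while (?P<phase>[^,]+)'
    r'(?:, client: (?P<client>[^,]+))?'
    r'(?:, server: (?P<server>[^,]+))?'
    r'(?:, request: "(?P<request>[^"]*)")?'
    r'(?:, upstream: "(?P<upstream>[^"]*)")?'
    r'(?:, host: "(?P<host>[^"]*)")?'
    r'(?:, referrer: "(?P<referrer>[^"]*)")?'
)

# Pulls "host:port" out of the upstream URL nginx logs.
UPSTREAM_RE = re.compile(r'^https?://(?P<addr>[^/]+)')

# Constructed sample log (documentation addresses, example hostname); not real traffic.
SAMPLE_LOG = """\
2010/03/05 00:31:50 [error] 3078#0: *1362 SSL_do_handshake() failed (SSL: error:1408C095:SSL routines:SSL3_GET_FINISHED:digest check failed) while SSL handshaking to upstream, client: 198.51.100.7, server: server1, request: "GET /a.php HTTP/1.1", upstream: "https://192.0.2.10:81/a.php", host: "secure.example.org:81"
2010/03/05 00:31:52 [error] 3078#0: *1370 SSL_do_handshake() failed (SSL: error:1408C095:SSL routines:SSL3_GET_FINISHED:digest check failed) while SSL handshaking to upstream, client: 198.51.100.8, server: server1, request: "GET /b.php HTTP/1.1", upstream: "https://192.0.2.10:81/b.php", host: "secure.example.org:81"
2010/03/05 00:31:55 [error] 3078#0: *1381 SSL_do_handshake() failed (SSL: error:1408C095:SSL routines:SSL3_GET_FINISHED:digest check failed) while SSL handshaking to upstream, client: 198.51.100.9, server: server1, request: "GET /c.php HTTP/1.1", upstream: "https://192.0.2.11:81/c.php", host: "secure.example.org:81"
2010/03/05 00:32:01 [error] 3078#0: *1390 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 198.51.100.7, server: server1, request: "GET /d.php HTTP/1.1", upstream: "https://192.0.2.11:81/d.php", host: "secure.example.org:81"
2010/03/05 00:32:03 [notice] 3078#0: signal process started
"""


def parse_error_line(line):
    """Return a dict of fields for one error_log line, or None if it is not a request error."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    up = UPSTREAM_RE.match(rec["upstream"] or "")
    rec["upstream_addr"] = up.group("addr") if up else None
    return rec


def upstream_handshake_failures(lines):
    """Count 'SSL handshaking to upstream' errors per upstream host:port."""
    counts = Counter()
    for line in lines:
        rec = parse_error_line(line)
        if rec and rec["phase"] == "SSL handshaking to upstream":
            counts[rec["upstream_addr"]] += 1
    return counts


def probe_upstream(host, port, attempts=20, timeout=5.0, verify=False):
    """Open `attempts` TLS connections directly to the upstream (the leg nginx's proxy_pass uses)
    and count handshake failures. Returns (failures, Counter of (protocol, cipher) negotiated).
    verify=False mirrors nginx, which did not verify the upstream cert; the post's upstream is self-signed."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    failures = 0
    negotiated = Counter()
    for _ in range(attempts):
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    negotiated[(tls.version(), tls.cipher()[0])] += 1
        except (ssl.SSLError, OSError):
            failures += 1
    return failures, negotiated


if __name__ == "__main__":
    for addr, n in upstream_handshake_failures(SAMPLE_LOG.splitlines()).items():
        print(f"{addr}: {n} upstream handshake failure(s)")
    # Replace with the real upstream host/port before running; needs network access.
    # failures, negotiated = probe_upstream("secure.example.org", 81)
    # print(failures, dict(negotiated))
```

Run it against the real error.log by feeding the file's lines to upstream_handshake_failures; a count that sits entirely on one address while the proxy_pass name resolves to several is the thing to look for. probe_upstream is the equivalent of the s_client loop in the post, pointed at the upstream; if it fails at roughly the same rate nginx sees, the problem is on the upstream leg and not in the proxy's own SSL configuration.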


