SSL Handshake problems, nginx reverse web proxy.
Maxim Dounin
mdounin at mdounin.ru
Tue Nov 12 17:14:16 UTC 2013
Hello!
On Tue, Nov 12, 2013 at 12:07:08PM -0500, Nathan wrote:
> I am working on setting up an http reverse proxy in front of a
> pre-packaged jetty server. The jetty server is a pre-configured
> application, and not very flexible.
>
> Here's the quick and dirty. I have nginx configured to listen on 443,
> using its own SSL cert. Then behind nginx, I have another server
> running this jetty application, with its own cert, on port 9192.
[...]
> The error log reports:
> 2013/11/12 12:02:10 [error] 28416#0: *230 SSL_do_handshake() failed
> (SSL: error:140773F2:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert
> unexpected message) while SSL handshaking to upstream, client:
> 10.100.0.12, server: papercut.dev.lafayette.edu, request: "GET /
> HTTP/1.1", upstream: "https://139.147.165.80:9192/", host:
> "papercut.dev.lafayette.edu"
>
> From what I can tell, this is saying that the ssl connection from my
> proxy, to my jetty host is failing negotiation.
>
> If I browse directly to the target, on https and port 9192, it works
> perfectly.
>
> openssl s_connect from the proxy to the target seems to work ONLY if I
> force sslv3. If I use TLSv1, or sslv2 it fails. If I use TLSv2 and
> use -no_ticket, it works.
>
> I'm wondering if one of these would solve the proxy problem? But how
> can I force nginx to use sslv3, or no ticket, when connecting to its
> target?
As of nginx 1.5.6+, there is the proxy_ssl_protocols directive
exactly for this kind of problem. Restricting proxy_ssl_ciphers
to a smaller set may help too (again, in 1.5.6+).
See here for more details:
http://nginx.org/r/proxy_ssl_protocols
http://nginx.org/r/proxy_ssl_ciphers
--
Maxim Dounin
http://nginx.org/en/donation.html
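As an added example (not part of the original thread, and not nginx's own documentation), here is how the two directives Maxim names would be applied to the setup Nathan describes. The server name and the upstream address are taken from the error log quoted above; the certificate and key paths and the cipher list are assumptions. Which of the two options actually fixes the Jetty handshake is not established on the page, so both are shown.

```nginx
# Added example, not from the original post: nginx 1.5.6+ terminating TLS on
# 443 and re-encrypting to a Jetty upstream on port 9192 whose handshake, per
# Nathan's openssl test, only completes when the client is forced to SSLv3.
server {
    listen 443 ssl;
    server_name papercut.dev.lafayette.edu;

    ssl_certificate     /etc/nginx/ssl/papercut.crt;   # assumed path
    ssl_certificate_key /etc/nginx/ssl/papercut.key;   # assumed path

    location / {
        # Upstream address as it appears in the quoted error log.
        proxy_pass https://139.147.165.80:9192;

        # Option 1 (proxy_ssl_protocols, 1.5.6+): pin the upstream handshake
        # to what the upstream is known to accept. The 1.5.6 default is
        # "SSLv3 TLSv1 TLSv1.1 TLSv1.2", which lets nginx offer TLS first and
        # is consistent with the "sslv3 alert unexpected message" failure.
        proxy_ssl_protocols SSLv3;

        # Option 2 (proxy_ssl_ciphers, 1.5.6+): a smaller cipher list shrinks
        # the ClientHello, which can avoid suites or extensions a fragile
        # upstream mishandles. The default is "DEFAULT"; the list below is
        # an assumption, not a value known to fix this particular Jetty build.
        proxy_ssl_ciphers HIGH:!aNULL:!MD5;

        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Two caveats a practitioner would want here. First, pinning the upstream leg to SSLv3 is a downgrade relative to TLS and should be treated as a stopgap until the Jetty side can be fixed; try the cipher-list change on its own first, since it keeps TLS available. Second, nginx of this vintage does not validate the upstream's certificate at all (the proxy_ssl_verify directive arrived later, in 1.7.0), so the https hop to Jetty provides encryption in transit but no authentication of the backend; if 139.147.165.80 is not on a trusted network segment, that matters more than the protocol version.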