Intermittent failures with SecureChannelFailure error on client
mdounin at mdounin.ru
Fri Apr 18 13:03:45 UTC 2014
On Thu, Apr 17, 2014 at 11:34:14AM -0700, Venkat Morampudi wrote:
> We are using NGINX (version 1.4.4) in front of HAProxy for SSl
> termination. We are seeing intermittent "Could not create
> SSL/TLS secure channel" failure from our .net client. On
> enabling debug logging on NGINX the following error is being
> recorded at the same time the client see the error.
> [info] 27456#0: *43842 SSL_do_handshake() failed (SSL:
> error:1408C095:SSL routines:SSL3_GET_FINISHED:digest check
> failed) while SSL handshaking, client: 10.76.121.148, server:
>From the error message it looks like that handshake failed due to
incorrect digest value got from the client.
Do you control network and are able to eliminate a possibility of
real man-in-the-middle attack? If yes, this is likely a bug
either in the client or in OpenSSL library on nginx side.
Some things to test, in no particular order:
- A workaround from here may work, as well as advise to obtain more
details from the client:
- Try to add SSL_OP_TLS_ROLLBACK_BUG option in nginx, it may help
in case of some client bugs which used to result in digest check
failures (see "man SSL_set_options" for details).
- Checking if the problem persists with latest OpenSSL library
(or, vice versa, with old good 0.9.8*) may be beneficial, as
well as upgrading nginx to at least latest 1.4.x version.
> Based on the documentation I have disabled ssl session reuse, it
> didn't seem to help.
Did you do this in your .net client?
> This message and any attachments contain information that may be
> RMS Inc. confidential and/or privileged. If you are not the
> intended recipient (or authorized to receive for the intended
Just a side note: sending messages to the whole world with such a
disclaimer looks silly.
More information about the nginx