Intermittent failures with SecureChannelFailure error on client

Maxim Dounin mdounin at mdounin.ru
Fri Apr 18 13:03:45 UTC 2014


Hello!

On Thu, Apr 17, 2014 at 11:34:14AM -0700, Venkat Morampudi wrote:

> Hi,
> 
> We are using NGINX (version 1.4.4) in front of HAProxy for SSl 
> termination. We are seeing intermittent  "Could not create 
> SSL/TLS secure channel" failure from our .net client. On 
> enabling  debug logging on NGINX the following error is being 
> recorded at the same time the client see the error.
> 
> [info] 27456#0: *43842 SSL_do_handshake() failed (SSL: 
> error:1408C095:SSL routines:SSL3_GET_FINISHED:digest check 
> failed) while SSL handshaking, client: 10.76.121.148, server: 
> 0.0.0.0:443

From the error message it looks like the handshake failed due to an 
incorrect digest value received from the client.

Do you control the network and are you able to eliminate the possibility 
of a real man-in-the-middle attack?  If yes, this is likely a bug 
either in the client or in the OpenSSL library on the nginx side.

Some things to test, in no particular order:

- A workaround from here may work, as well as the advice to obtain more 
  details from the client:
  http://stackoverflow.com/questions/2078682/net-httpwebrequest-https-error

- Try adding the SSL_OP_TLS_ROLLBACK_BUG option in nginx; it may help 
  in case of some client bugs which used to result in digest check 
  failures (see "man SSL_set_options" for details).

- Checking whether the problem persists with the latest OpenSSL library 
  (or, vice versa, with the good old 0.9.8*) may be beneficial, as 
  well as upgrading nginx to at least the latest 1.4.x version.

> Based on the documentation I have disabled ssl session reuse, it 
> didn't seem to help.

Did you do this in your .net client?

[...]

> This message and any attachments contain information that may be 
> RMS Inc. confidential and/or privileged. If you are not the 
> intended recipient (or authorized to receive for the intended 

Just a side note: sending messages to the whole world with such a 
disclaimer looks silly.

-- 
Maxim Dounin
http://nginx.org/
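The handshake failure discussed in this thread is easier to triage from the error log in bulk than one line at a time. The script below is an added example, not code from the thread, from nginx or from OpenSSL: it parses nginx error-log lines of the shape quoted above, decodes the packed OpenSSL error code into its library, function and reason fields, and aggregates failures per client and per reason, so that a single misbehaving client (pointing at a client or library bug, as the reply suggests) can be told apart from failures spread across many clients. The log lines in it are constructed for the example, and the decoder assumes the OpenSSL 1.0.x packed-error layout (8-bit library, 12-bit function, 12-bit reason).

```python
"""Triage helper for nginx "SSL_do_handshake() failed" log lines.

Added example, not part of the original mailing-list thread. Parses the
error-log format quoted in the thread, decodes the packed OpenSSL error
code and aggregates failures per client and per reason.
"""
import re
from collections import Counter, defaultdict

# Shape of the nginx error-log line quoted in the thread (an optional
# "YYYY/MM/DD HH:MM:SS " timestamp prefix is tolerated via re.search).
LOG_RE = re.compile(
    r"\[(?P<level>\w+)\] (?P<pid>\d+)#\d+: \*(?P<conn>\d+) "
    r"SSL_do_handshake\(\) failed \(SSL: error:(?P<code>[0-9A-Fa-f]{8}):"
    r"(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>[^)]+)\) while SSL handshaking, "
    r"client: (?P<client>[0-9a-fA-F.:]+), server: (?P<server>\S+)"
)

# Constructed sample log lines (not from the thread beyond the first shape).
SAMPLE_LOG = [
    "2014/04/17 11:30:01 [info] 27456#0: *43842 SSL_do_handshake() failed "
    "(SSL: error:1408C095:SSL routines:SSL3_GET_FINISHED:digest check failed) "
    "while SSL handshaking, client: 10.76.121.148, server: 0.0.0.0:443",
    "2014/04/17 11:30:05 [info] 27456#0: *43851 SSL_do_handshake() failed "
    "(SSL: error:1408C095:SSL routines:SSL3_GET_FINISHED:digest check failed) "
    "while SSL handshaking, client: 10.76.121.148, server: 0.0.0.0:443",
    "2014/04/17 11:30:09 [info] 27456#0: *43860 SSL_do_handshake() failed "
    "(SSL: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca) "
    "while SSL handshaking, client: 10.76.121.150, server: 0.0.0.0:443",
    "2014/04/17 11:30:12 [info] 27456#0: *43861 client 10.76.121.151 "
    "closed keepalive connection",
]


def decode_openssl_error(code_hex):
    """Split a packed OpenSSL 1.0.x error code (assumed layout) into
    (library, function, reason) numbers: 8 bits, 12 bits, 12 bits."""
    value = int(code_hex, 16)
    return (value >> 24) & 0xFF, (value >> 12) & 0xFFF, value & 0xFFF


def parse_line(line):
    """Return a dict for a handshake-failure line, or None for other lines."""
    match = LOG_RE.search(line)
    if match is None:
        return None
    rec = match.groupdict()
    rec["lib_num"], rec["func_num"], rec["reason_num"] = decode_openssl_error(
        rec["code"]
    )
    return rec


def summarize(lines):
    """Aggregate handshake failures per client and per reason text."""
    per_client = Counter()
    per_reason = Counter()
    clients_by_reason = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        per_client[rec["client"]] += 1
        per_reason[rec["reason"]] += 1
        clients_by_reason[rec["reason"]].add(rec["client"])
    return {
        "per_client": per_client,
        "per_reason": per_reason,
        # Sorted lists so the result is deterministic and easy to assert on.
        "clients_by_reason": {k: sorted(v) for k, v in clients_by_reason.items()},
    }


def spread(summary, reason):
    """'single-client' if one client produces all failures with this reason,
    'multi-client' if several do, 'none' if the reason never occurred."""
    clients = summary["clients_by_reason"].get(reason, [])
    if not clients:
        return "none"
    return "single-client" if len(clients) == 1 else "multi-client"


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for reason, count in result["per_reason"].most_common():
        print(f"{count:4d}  {reason}  [{spread(result, reason)}] "
              f"clients={result['clients_by_reason'][reason]}")
```

Run it against a real error log with `summarize(open("error.log"))`; a digest-check reason that stays "single-client" over a long window supports the client-side explanation in the reply, while the same reason spread across many clients points at the server side (library version, or the network path in front of it).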
