Setting the SSL protocol used on proxy_pass?

Maxim Dounin mdounin at mdounin.ru
Tue Dec 30 23:27:17 UTC 2014


Hello!

On Tue, Dec 30, 2014 at 09:44:17AM +0000, Edward Hibbert wrote:

> I am trying to set up a reverse proxy which handles SSL.  This is my first
> time, so I may be doing something stupid.
> 
> On the NGINX which is acting as a proxy I get this:
> 
> SSL_do_handshake() failed (SSL: error:140770FC:SSL
> routines:SSL23_GET_SERVER_HELLO:unknown protocol) while SSL handshaking to
> upstream,
> 
> On the NGINX which is upstream I am configured to only accept TLS, because
> of recent SSL security problems.
> 
>         ssl_protocols               TLSv1.2 TLSv1.1 TLSv1;
> 
> I would guess that the problem here is that NGINX is opening the proxy
> connection using the wrong SSL protocol.  Is there a way to control which
> protocol it uses for the proxy connection?

There is the "proxy_ssl_protocols" directive to control which 
protocols are allowed while connecting to upstream HTTPS servers, 
see http://nginx.org/r/proxy_ssl_protocols for details.  By 
default it allows SSLv3 and above, so it should be fine with the 
ssl_protocols you configured.  The message you are seeing may 
appear if you've accidentally set "proxy_ssl_protocols SSLv3" 
though.

-- 
Maxim Dounin
http://nginx.org/



More information about the nginx mailing list