SSL handshake errors when configured as a reverse proxy

Andrew Hutchings ahutchings at
Sat Feb 20 15:11:52 UTC 2016

Hi Josh,

There are bugs in OpenSSL 1.0.1e that could trigger this, which is why I
asked. The two other things I would suggest trying are:

1. Look again at your cipher list; missing important ones out can
trigger this error, especially with ssl_prefer_server_ciphers set.
Judging by the quick skim looking at them, they don't look correct for
the ssl_protocols you have chosen. Using the defaults should be fine for
most cases.

2. Upgrading to a supported version of NGINX; there have been many
SSL-related bug fixes since then (although I don't think any match your
specific case). Our own apt repositories found on have more 
current versions in them.

Kind Regards

On 19/02/16 18:13, Josh Jaques wrote:
> Hi Andrew,
> To clarify the setup earlier,
> I continued to use the Ubuntu compiled version of NGINX from apt-get.
> The specific procedure I used to change the lib that NGINX would load
> was by replacing the and files in the
> path referenced by ldd for the NGINX binary with ones compiled from source.
> When I switched to Apache, I reverted the system to the package manager
> versions of libssl and openssl. It continues to be in production without
> producing any handshake errors.
> So from my end there doesn't seem to be any evidence to support OpenSSL
> version ever being an issue, because Apache works fine using the same
> version of OpenSSL that we initially experienced the problem with in NGINX.
> The Apache version I am running is also the default from apt-get.

Andrew Hutchings (LinuxJedi)
Technical Product Manager, NGINX Inc.
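
The cipher list / ssl_protocols mismatch raised in point 1 of the message above, as an added example that is not part of the original thread and is not NGINX or OpenSSL code: it reads output in the format of `openssl ciphers -v` and reports which enabled protocol versions are left with no usable cipher suite. The sample cipher lines, the protocol list and all function names are constructed for illustration and are not the poster's configuration.

```python
# Added example: constructed data, not the configuration from the thread.
# Column 2 of `openssl ciphers -v` is the protocol version that introduced the
# suite; the suite is usable in that version and in later ones up to TLSv1.2.
# Lines with any other label (e.g. TLSv1.3 on newer builds) are skipped.
ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]

# Constructed sample in `openssl ciphers -v` format: a TLSv1.2-only list.
SAMPLE_CIPHERS_V = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES256-SHA384     TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256)    Mac=SHA384
"""

def parse_ciphers_v(text):
    """Return [(suite_name, introduced_in)] from `openssl ciphers -v` output."""
    suites = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[1] in ORDER:
            suites.append((fields[0], fields[1]))
    return suites

def usable_by_protocol(suites, ssl_protocols):
    """Map each enabled protocol to the suites a client of that version can use."""
    result = {}
    for proto in ssl_protocols:
        if proto not in ORDER:
            raise ValueError("unknown protocol: %s" % proto)
        limit = ORDER.index(proto)
        result[proto] = [n for n, intro in suites if ORDER.index(intro) <= limit]
    return result

def uncovered_protocols(cipher_text, ssl_protocols):
    """Enabled protocols with no usable suite: every such handshake fails."""
    table = usable_by_protocol(parse_ciphers_v(cipher_text), ssl_protocols)
    return [p for p in ssl_protocols if not table[p]]

if __name__ == "__main__":
    enabled = ["TLSv1", "TLSv1.1", "TLSv1.2"]  # assumed ssl_protocols value
    for proto in uncovered_protocols(SAMPLE_CIPHERS_V, enabled):
        print("no cipher available for", proto)
```

An empty result only means each enabled protocol has at least one suite; a given client must still offer one of them for its handshake to succeed.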
