SSL handshake errors when configured as a reverse proxy
ahutchings at nginx.com
Sat Feb 20 15:11:52 UTC 2016
There are bugs in OpenSSL 1.0.1e that could trigger this which is why I
asked. The two other things I would suggest trying are:
1. Look again at your cipher list, missing important ones out can
trigger this error, especially with ssl_prefer_server_ciphers set.
Judging by the quick skim looking at them they don't look correct for
the ssl_protocols you have chosen. Using the defaults should be fine for
2. Upgrading to a supported version of NGINX, there have been many SSL
related bug fixes since then (although I don't think any match your
specific case). Our own apt repositories found on nginx.org have more
current versions in them.
On 19/02/16 18:13, Josh Jaques wrote:
> Hi Andrew,
> To clarify the setup earlier,
> I continued to use the Ubuntu compiled version of NGINX from apt-get.
> The specific procedure I used to change the lib that NGINX would load
> was by replacing the libssl.so.1.0.0 and libcrypto.so.1.0.0 files in the
> path referenced by ldd for the NGINX binary with ones compiled from source.
> When I switched to Apache, I reverted the system to the package manger
> versions of libssl and openssl. It continues to be in production without
> producing any handshake errors.
> So from my end there doesn't seem to be any evidence to support OpenSSL
> version ever being an issue, because Apache works fine using the same
> version of OpenSSL that we initially experienced the problem with in NGINX.
> The Apache version I am running is also the default from apt-get.
> nginx mailing list
> nginx at nginx.org
Andrew Hutchings (LinuxJedi)
Technical Product Manager, NGINX Inc.
More information about the nginx