SSL Handshake Errors

Thomas Ward teward at thomas-ward.net
Thu Nov 19 18:52:01 UTC 2020


Provide SSL logs from the client side - if you can, using OpenSSL and 
its `s_connect` framework or similar to get the actual SSL handshake 
errors/logs.  Chances are something's wrong with the handshake or your 
cert.  (Since I can't scan your infra directly myself, you'll have to 
get detailed SSL connection information to the NGINX server first using 
some other tool.)

On 11/19/20 1:31 PM, sachingp wrote:
> Hi - We are using Nginx as a reverse proxy with SSL as a termination point
>
> Call flow
>
> Network Load Balancer (TCP) --> Nginx(SSL Termination) --> Vertx Servers
> (HTTP)
>
> This is the config we use, fairly standard
>
>    upstream xyz {
>      server 127.0.0.1:8080;
>      keepalive 4096;
>    }
>
>    server {
>      listen 80;
>      listen 443 ssl;
>      ssl_certificate /etc/ssl/certs/bundle.crt;
>      ssl_certificate_key /etc/ssl/private/nginx-digicert.key;
>      # ssl_handshake_timeout 10s;
>      ssl_session_cache shared:SSL:20m;
>      ssl_session_timeout 4h;
>      # ssl_handshake_timeout 30s;
>      server_name _;
>      root        /usr/share/nginx/html;
>      access_log /var/log/nginx/raps-access.log timed_combined buffer=8k flush=1m;
>      #access_log off;
>
>      # only log critical errors
>      error_log  /var/log/nginx/raps-error.log info;
>
>      location / {
>        proxy_pass http://xyz;
>        proxy_pass_request_headers on;
>        proxy_ssl_server_name on;
>        proxy_http_version 1.1;
>        proxy_ssl_session_reuse on;
>        proxy_set_header Host $host;
>        proxy_set_header Connection "";
>        proxy_set_header X-Real-IP $remote_addr;
>        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>      }
>
>
> We see a lot of SSL handshake errors
>
> 2020/11/19 18:28:08 [info] 5784#0: *5771518 peer closed connection in SSL handshake while SSL handshaking, client: 169.53.151.196, server: 0.0.0.0:443
> 2020/11/19 18:28:08 [info] 5786#0: *5771519 peer closed connection in SSL handshake while SSL handshaking, client: 158.85.210.39, server: 0.0.0.0:443
> 2020/11/19 18:28:08 [info] 5785#0: *5771520 peer closed connection in SSL handshake while SSL handshaking, client: 169.53.151.201, server: 0.0.0.0:443
> 2020/11/19 18:28:08 [info] 5786#0: *5771521 peer closed connection in SSL handshake while SSL handshaking, client: 169.53.151.198, server: 0.0.0.0:443
> 2020/11/19 18:28:08 [info] 5785#0: *5771522 peer closed connection in SSL handshake while SSL handshaking, client: 169.54.155.4, server: 0.0.0.0:443
> 2020/11/19 18:28:08 [info] 5785#0: *5771524 peer closed connection in SSL handshake while SSL handshaking, client: 169.53.151.202, server: 0.0.0.0:443
> 2020/11/19 18:28:08 [info] 5784#0: *5771525 peer closed connection in SSL handshake while SSL handshaking, client: 158.85.210.39, server: 0.0.0.0:443
> 2020/11/19 18:28:08 [info] 5784#0: *5771527 peer closed connection in SSL handshake while SSL handshaking, client: 169.53.151.212, server: 0.0.0.0:443
> 2020/11/19 18:28:08 [info] 5786#0: *5771528 peer closed connection in SSL handshake while SSL handshaking, client: 169.53.151.202, server: 0.0.0.0:443
> 2020/11/19 18:28:08 [info] 5783#0: *5771526 peer closed connection in SSL handshake while SSL handshaking, client: 169.53.151.212, server: 0.0.0.0:443
> 2020/11/19 18:28:08 [info] 5785#0: *5771529 peer closed connection in SSL handshake while SSL handshaking, client: 169.53.151.204, server: 0.0.0.0:443
> 2020/11/19 18:28:08 [info] 5785#0: *5771530 peer closed connection in SSL handshake while SSL handshaking, client: 169.54.155.82, server: 0.0.0.0:443
> 2020/11/19 18:28:08 [info] 5785#0: *5771531 peer closed connection in SSL handshake while SSL handshaking, client: 169.53.151.216, server: 0.0.0.0:443
> 2020/11/19 18:28:08 [info] 5785#0: *5771533 peer closed connection in SSL handshake while SSL handshaking, client: 169.53.151.201, server: 0.0.0.0:443
>
>
>
> Mostly this code
>
>
> 2020/11/19 18:15:00 [debug] 5525#0: *5703427 SSL_get_error: 2
> 2020/11/19 18:15:00 [debug] 5524#0: *5703640 SSL_get_error: 2
> 2020/11/19 18:15:00 [debug] 5525#0: *5703079 SSL_get_error: 2
> 2020/11/19 18:15:00 [debug] 5525#0: *5702872 SSL_get_error: 2
> 2020/11/19 18:15:00 [debug] 5524#0: *5703173 SSL_get_error: 2
> 2020/11/19 18:15:00 [debug] 5524#0: *5703406 SSL_get_error: 2
> 2020/11/19 18:15:00 [debug] 5524#0: *5703705 SSL_get_error: 2
> 2020/11/19 18:15:00 [debug] 5524#0: *5703764 SSL_get_error: 5
> 2020/11/19 18:15:00 [debug] 5524#0: *5703765 SSL_get_error: 5
> 2020/11/19 18:15:00 [debug] 5525#0: *5703766 SSL_get_error: 2
> 2020/11/19 18:15:00 [debug] 5525#0: *5703632 SSL_get_error: 2
> 2020/11/19 18:15:00 [debug] 5524#0: *5703406 SSL_get_error: 2
> 2020/11/19 18:15:00 [debug] 5523#0: *5703177 SSL_get_error: 2
> 2020/11/19 18:15:00 [debug] 5523#0: *5703357 SSL_get_error: 2
> 2020/11/19 18:15:00 [debug] 5524#0: *5703173 SSL_get_error: 2
> 2020/11/19 18:15:00 [debug] 5523#0: *5703627 SSL_get_error: 2
>
>
> Please share your experience or thoughts asap
>
> Posted at Nginx Forum: https://forum.nginx.org/read.php?2,290010,290010#msg-290010
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
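The following is an added example, not code from either poster or from the nginx project. It is a triage script for the server-side nginx error_log lines quoted above: it maps the OpenSSL `SSL_get_error` codes (2 is `SSL_ERROR_WANT_READ`, which is the non-blocking handshake waiting for the peer's next message rather than a failure; 5 is `SSL_ERROR_SYSCALL`, typically the peer dropping the TCP connection) and any TLS alert numbers to their names, and counts "peer closed connection in SSL handshake" events per client address. Whether a few source addresses dominate those silent closes is the question to answer before suspecting the certificate: a TCP-only probe (for example a load balancer health check, an assumption to verify against the NLB configuration, not something the thread establishes) opens and closes the socket without ever sending a ClientHello and produces exactly that info-level line. The sample log embedded in the script is constructed in the same format as the quoted lines, with one extra `SSL_do_handshake() failed` line carrying a TLS alert, which the thread's logs do not contain, so that both patterns are exercised. The client-side check the reply recommends is `openssl s_client -connect host:443 -servername host`, run from a host that exhibits the problem; this script only classifies what the server already logged.

```python
"""Triage nginx error_log TLS-handshake lines (added example, not from the thread)."""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# OpenSSL SSL_get_error() return codes as defined in ssl.h.
SSL_ERROR_NAMES = {
    0: "SSL_ERROR_NONE", 1: "SSL_ERROR_SSL", 2: "SSL_ERROR_WANT_READ",
    3: "SSL_ERROR_WANT_WRITE", 4: "SSL_ERROR_WANT_X509_LOOKUP",
    5: "SSL_ERROR_SYSCALL", 6: "SSL_ERROR_ZERO_RETURN",
    7: "SSL_ERROR_WANT_CONNECT", 8: "SSL_ERROR_WANT_ACCEPT",
}

# TLS AlertDescription values (RFC 5246 / RFC 8446) that nginx prints as "SSL alert number N".
TLS_ALERT_NAMES = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
    112: "unrecognized_name",
}

# nginx error_log layout: "YYYY/MM/DD HH:MM:SS [level] pid#tid: *conn message".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] "
    r"(?P<pid>\d+)#\d+: \*(?P<conn>\d+) (?P<msg>.*)$"
)
CLIENT_RE = re.compile(r"client: (?P<ip>[0-9A-Fa-f.:]+)")
GET_ERROR_RE = re.compile(r"SSL_get_error: (?P<code>\d+)")
ALERT_RE = re.compile(r"SSL alert number (?P<alert>\d+)")

# Constructed sample in the quoted log's format; the last line is an added
# handshake failure with a client alert (not present in the thread's logs).
SAMPLE_LOG = """\
2020/11/19 18:28:08 [info] 5784#0: *5771518 peer closed connection in SSL handshake while SSL handshaking, client: 169.53.151.196, server: 0.0.0.0:443
2020/11/19 18:28:08 [info] 5786#0: *5771519 peer closed connection in SSL handshake while SSL handshaking, client: 158.85.210.39, server: 0.0.0.0:443
2020/11/19 18:28:08 [info] 5785#0: *5771520 peer closed connection in SSL handshake while SSL handshaking, client: 169.53.151.196, server: 0.0.0.0:443
2020/11/19 18:28:09 [info] 5785#0: *5771530 peer closed connection in SSL handshake while SSL handshaking, client: 198.51.100.7, server: 0.0.0.0:443
2020/11/19 18:15:00 [debug] 5525#0: *5703427 SSL_get_error: 2
2020/11/19 18:15:00 [debug] 5524#0: *5703764 SSL_get_error: 5
2020/11/19 18:15:00 [debug] 5524#0: *5703765 SSL_get_error: 5
2020/11/19 18:15:00 [debug] 5525#0: *5703766 SSL_get_error: 2
2020/11/19 18:15:01 [info] 5525#0: *5703800 SSL_do_handshake() failed (SSL: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:SSL alert number 42) while SSL handshaking, client: 198.51.100.7, server: 0.0.0.0:443
"""


def classify(msg: str) -> Tuple[str, Optional[str]]:
    """Map one log message to (category, detail)."""
    m = GET_ERROR_RE.search(msg)
    if m:
        code = int(m.group("code"))
        name = SSL_ERROR_NAMES.get(code, f"SSL_ERROR_{code}")
        if code in (2, 3):          # WANT_READ / WANT_WRITE: still in progress, not an error
            return "nonblocking_wait", name
        if code == 5:               # SYSCALL: socket-level failure, usually the peer went away
            return "syscall_error", name
        return "ssl_error", name
    if "peer closed connection in SSL handshake" in msg:
        return "peer_closed", None  # TCP closed before any TLS alert was sent
    a = ALERT_RE.search(msg)
    if a:
        num = int(a.group("alert"))
        return "client_alert", TLS_ALERT_NAMES.get(num, f"alert_{num}")
    if "SSL_do_handshake() failed" in msg:
        return "handshake_failed_other", None
    return "other", None


def triage(log_text: str) -> Dict[str, Dict[str, int]]:
    """Count events by category, silent closes per client, and alerts by name."""
    categories: Counter = Counter()
    closed_by_client: Counter = Counter()
    alerts: Counter = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        category, detail = classify(m.group("msg"))
        categories[category] += 1
        c = CLIENT_RE.search(m.group("msg"))
        if category == "peer_closed" and c:
            closed_by_client[c.group("ip")] += 1
        if category == "client_alert" and detail:
            alerts[detail] += 1
    return {"categories": dict(categories),
            "peer_closed_by_client": dict(closed_by_client),
            "alerts": dict(alerts)}


def top_closers(summary: Dict[str, Dict[str, int]], n: int = 3) -> List[Tuple[str, int]]:
    """Source addresses that most often closed the socket mid-handshake."""
    return Counter(summary["peer_closed_by_client"]).most_common(n)


def hint(summary: Dict[str, Dict[str, int]]) -> str:
    """One-line reading of the counts; it suggests what to verify, not a diagnosis."""
    cats = summary["categories"]
    parts = []
    if cats.get("peer_closed"):
        parts.append("silent disconnects during handshake (no TLS alert): if concentrated on a "
                     "few sources, check for TCP-level probes such as health checks; confirm "
                     "with openssl s_client from an affected client")
    if cats.get("client_alert"):
        parts.append("TLS alerts received: clients rejected the handshake, see alert names")
    return "; ".join(parts) or "no handshake aborts seen"


if __name__ == "__main__":
    s = triage(SAMPLE_LOG)
    print(s["categories"], top_closers(s), s["alerts"], hint(s), sep="\n")
```

Run it against a real file with `triage(open("/var/log/nginx/raps-error.log").read())`; the `SSL_get_error` lines only appear at `debug` level, which is the level the thread's second log excerpt was captured at.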