SSL with client certificate errors

Zev Blut zblut at cerego.co.jp
Tue Feb 23 12:35:54 MSK 2010


Hello,

On 02/23/2010 06:24 PM, Igor Sysoev wrote:
> On Tue, Feb 23, 2010 at 04:52:29PM +0900, Zev Blut wrote:
>
>> On 02/09/2010 02:11 AM, Slawek Zak wrote:
>>> Hi,
>>>
>>> I use nginx 0.7.62 to proxy a web application and secure it with
>>> client certificates. Quite often NGINX just responds with connection
>>> reset to Firefox and generates this error:
>>>
>>> 2010/02/08 18:04:49 [crit] 8248#0: *41 SSL_do_handshake() failed (SSL:
>>> error:140D9115:SSL routines:SSL_GET_PREV_SESSION:session id context
>>> uninitialized) while SSL handshaking, client: 77.x.x.x, server
>>> 89.x.x.x
>>>
>>> Any ideas?
>>
>> I too am getting similar errors with 0.7.65:
>>
>> 2010/02/23 16:02:19 [crit] 7224#0: *46254 SSL_do_handshake() failed
>> (SSL: error:140D9115:SSL routines:SSL_GET_PREV_SESSION:session id
>> context uninitialized) while SSL handshaking, client: 192.x.x.x, server:
>> example.com
>
> What are your ssl_session_cache settings?

At the moment it is not set, so it is using whatever the default is.
Here is a short example of what I am using:

    server {
         listen 443;

         ssl                  on;
         ssl_certificate      /etc/nginx/ssl/data.crt;
         ssl_certificate_key  /etc/nginx/ssl/data.key;
         ssl_protocols SSLv3 TLSv1;

         # Make sure we verify client side SSL
         ssl_verify_client on;
         ssl_client_certificate /etc/nginx/ssl/data.pem;
    }

>> I also get lots of odd entries in my access logs related to this.
>> 192.x.x.x - - [23/Feb/2010:16:47:04 +0900] "\x16...(snip lots of codes)"
>> 400 173 "-" "-" 0.000 "-" "-" "-" [-] - - - [-] [-]
>
> "\x16..." is an SSLv3 handshake message. It seems that nginx logs it as
> a request line since nginx treats it like a bad request.

So I guess there is not much we can do about that.

Thanks,
Zev
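
The "\x16..." access-log entries discussed above can be picked out and decoded mechanically. The following is an added example, not part of the original message or of nginx: the log lines, addresses and function names are constructed for illustration, and it assumes a combined-style log prefix with nginx's `\xHH` escaping of non-printable bytes.

```python
import re

# Constructed sample lines in the shape quoted in the thread (placeholder addresses).
SAMPLE_ACCESS_LOG = [
    r'192.0.2.10 - - [23/Feb/2010:16:47:04 +0900] "\x16\x03\x01\x00\x9A\x01\x00\x00\x96\x03\x01K" 400 173 "-" "-"',
    r'192.0.2.11 - - [23/Feb/2010:16:47:09 +0900] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    r'192.0.2.12 - - [23/Feb/2010:16:48:30 +0900] "\x16\x03\x00\x00S\x01\x00\x00O\x03\x00" 400 173 "-" "-"',
]

# Assumed log layout: client, two fields, [time], "request", status.
LINE_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>.*?)" (?P<status>\d{3}) ')
ESCAPE_RE = re.compile(rb'\\x([0-9A-Fa-f]{2})')
VERSIONS = {0: "SSLv3", 1: "TLSv1.0", 2: "TLSv1.1", 3: "TLSv1.2"}

def unescape(request):
    """Turn nginx's \\xHH escapes back into raw bytes; printable characters pass through."""
    data = request.encode("latin-1", "replace")
    return ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)

def classify(line):
    """Return details if the logged request line is a TLS/SSL handshake record, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    raw = unescape(m.group("request"))
    # Record header: type(1) version(2) length(2). 0x16 = handshake, major version 3.
    if len(raw) < 5 or raw[0] != 0x16 or raw[1] != 0x03:
        return None
    return {
        "client": m.group("client"),
        "time": m.group("time"),
        "status": int(m.group("status")),
        "record_version": VERSIONS.get(raw[2], "unknown(0x%02x)" % raw[2]),
        "record_length": int.from_bytes(raw[3:5], "big"),
        # First handshake byte 0x01 means ClientHello.
        "client_hello": len(raw) > 5 and raw[5] == 0x01,
    }

def tls_in_http_log(lines):
    """Collect every log line whose request line is a handshake record."""
    return [hit for hit in map(classify, lines) if hit]

if __name__ == "__main__":
    for hit in tls_in_http_log(SAMPLE_ACCESS_LOG):
        print(hit)
```

Matching the client and timestamp of each hit against the `SSL_do_handshake() failed` lines in the error log shows whether the two symptoms come from the same connections.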


