SSL with client certificate errors

Zev Blut zblut at cerego.co.jp
Thu Feb 25 12:20:41 MSK 2010


Hello,

On 02/23/2010 06:48 PM, Igor Sysoev wrote:
> On Tue, Feb 23, 2010 at 06:35:54PM +0900, Zev Blut wrote:
>
>> Hello,
>>
>> On 02/23/2010 06:24 PM, Igor Sysoev wrote:
>>> On Tue, Feb 23, 2010 at 04:52:29PM +0900, Zev Blut wrote:
>>>
>>>> On 02/09/2010 02:11 AM, Slawek Zak wrote:
>>>>> Hi,
>>>>>
>>>>> I use nginx 0.7.62 to proxy a web application and secure it with
>>>>> client certificates. Quite often NGINX just responds with connection
>>>>> reset to Firefox and generates this error:
>>>>>
>>>>> 2010/02/08 18:04:49 [crit] 8248#0: *41 SSL_do_handshake() failed (SSL:
>>>>> error:140D9115:SSL routines:SSL_GET_PREV_SESSION:session id context
>>>>> uninitialized) while SSL handshaking, client: 77.x.x.x, server
>>>>> 89.x.x.x
>>>>>
>>>>> Any ideas?
>>>>
>>>> I too am getting similar errors with 0.7.65:
>>>>
>>>> 2010/02/23 16:02:19 [crit] 7224#0: *46254 SSL_do_handshake() failed
>>>> (SSL: error:140D9115:SSL routines:SSL_GET_PREV_SESSION:session id
>>>> context uninitialized) while SSL handshaking, client: 192.x.x.x, server:
>>>> example.com
>>>
>>> What are your ssl_session_cache settings?
>>
>> At the moment it is not set, so it is using whatever the default is.
>> Here is a short example of what I am using:
>>
>>      server {
>>           listen 443;
>>
>>           ssl                  on;
>>           ssl_certificate      /etc/nginx/ssl/data.crt;
>>           ssl_certificate_key  /etc/nginx/ssl/data.key;
>>           ssl_protocols SSLv3 TLSv1;
>>
>>           # Make sure we verify client side SSL
>>           ssl_verify_client on;
>>           ssl_client_certificate /etc/nginx/ssl/data.pem;
>>      }
>
> Could you try the attached patch?

I have installed the patch on one of our internal servers.
The server works and accepts my ssl client certificate.
Also, the error logs are clean.

Unfortunately, I am not able to recreate the errors on our own
production server that created these errors.  So I am not sure
if applying the patch will show that it was fixed or not.

Thanks,
Zev