SSL Handshake problems, nginx reverse web proxy.

Nathan lagern at lafayette.edu
Tue Nov 12 17:07:08 UTC 2013



I am working on setting up an http reverse proxy in front of a
pre-packaged jetty server.  The jetty server is a pre-configured
application, and not very flexible.

Here's the quick and dirty.  I have nginx configured to listen on 443,
using its own SSL cert.  Then behind nginx, I have another server
running this jetty application, with its own cert, on port 9192.

My nginx config looks like this:

server {
    listen       139.147.165.99:443;
    server_name  papercut.dev.lafayette.edu papercut.dev;

    access_log  /var/log/nginx/papercut.dev.lafayette.edu_access;
    error_log   /var/log/nginx/papercut.dev.lafayette.edu_error debug;

    ssl                  on;
    ssl_certificate      /etc/nginx/ssl.crt/papercut.dev.lafayette.edu.crt;
    ssl_certificate_key  /etc/nginx/ssl.key/papercut.dev.lafayette.edu.key;

    ssl_session_timeout  5m;

    ssl_protocols  SSLv3 TLSv1;
    ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:!SSLv2:+EXP;

    ssl_prefer_server_ciphers   on;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;

    location / {
      proxy_pass	https://printman.dev.lafayette.edu:9192;
    }
}

If I hit my vhost on https, I get a 502, bad gateway.

The error log reports:
2013/11/12 12:02:10 [error] 28416#0: *230 SSL_do_handshake() failed
(SSL: error:140773F2:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert
unexpected message) while SSL handshaking to upstream, client:
10.100.0.12, server: papercut.dev.lafayette.edu, request: "GET /
HTTP/1.1", upstream: "https://139.147.165.80:9192/", host:
"papercut.dev.lafayette.edu"

From what I can tell, this is saying that the ssl connection from my
proxy, to my jetty host is failing negotiation.

If I browse directly to the target, on https and port 9192, it works
perfectly.

openssl s_connect from the proxy to the target seems to work ONLY if I
force sslv3. If I use TLSv1, or sslv2, it fails.  If I use TLSv2 and
use -no_ticket, it works.

I'm wondering if one of these would solve the proxy problem? But how
can I force nginx to use sslv3, or no ticket, when connecting to its
target?

Thanks!
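Added illustration (editor's example, not the poster's config or anything from the nginx project) of where the two separate TLS handshakes in this setup are configured. The upstream handshake that produced the 502 is controlled only by the proxy_ssl_* directives; the ssl_* directives in the post affect the browser-facing side alone. It assumes an nginx new enough to have proxy_ssl_protocols and proxy_ssl_ciphers (they appeared in 1.5.6) and reuses the hostnames from the post.

```nginx
server {
    listen       139.147.165.99:443 ssl;
    server_name  papercut.dev.lafayette.edu papercut.dev;

    ssl_certificate      /etc/nginx/ssl.crt/papercut.dev.lafayette.edu.crt;
    ssl_certificate_key  /etc/nginx/ssl.key/papercut.dev.lafayette.edu.key;

    # Front side (browser <-> nginx). These ssl_* directives say nothing
    # about the connection to jetty. SSLv3 and the RC4/LOW/EXP entries
    # from the original cipher list are dropped; browsers do not need them.
    ssl_protocols              TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers                HIGH:!aNULL:!MD5:!RC4:!EXPORT:!LOW;
    ssl_prefer_server_ciphers  on;
    ssl_session_timeout        5m;

    location / {
        proxy_pass https://printman.dev.lafayette.edu:9192;
        proxy_set_header Host             $http_host;
        proxy_set_header X-Real-IP        $remote_addr;
        proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;

        # Back side (nginx <-> jetty). Only proxy_ssl_* applies here.
        # Pin the protocol to what the openssl test from the proxy
        # negotiated cleanly and widen it once the upstream is fixed.
        # Keep SSLv3 out unless the upstream truly cannot do better,
        # and then only on an isolated network segment.
        proxy_ssl_protocols      TLSv1;
        proxy_ssl_ciphers        HIGH:!aNULL:!MD5;

        # Stops nginx caching and resuming upstream sessions. Whether this
        # also suppresses the session-ticket extension that -no_ticket
        # removed is an assumption: confirm it by repeating the openssl
        # test and watching the upstream error_log at debug level.
        proxy_ssl_session_reuse  off;
    }
}
```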