SSL Handshake problems, nginx reverse web proxy.

Maxim Dounin mdounin at mdounin.ru
Tue Nov 12 17:14:16 UTC 2013


Hello!

On Tue, Nov 12, 2013 at 12:07:08PM -0500, Nathan wrote:

> I am working on setting up an http reverse proxy in front of a
> pre-packaged jetty server.  The jetty server is a pre-configured
> application, and not very flexible.
> 
> Here's the quick and dirty.  I have nginx configured to listen on 443,
> using its own SSL cert.  Then behind nginx, I have another server
> running this jetty application, with its own cert, on port 9192.

[...]

> The error log reports:
> 2013/11/12 12:02:10 [error] 28416#0: *230 SSL_do_handshake() failed
> (SSL: error:140773F2:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert
> unexpected message) while SSL handshaking to upstream, client:
> 10.100.0.12, server: papercut.dev.lafayette.edu, request: "GET /
> HTTP/1.1", upstream: "https://139.147.165.80:9192/", host:
> "papercut.dev.lafayette.edu"
> 
> From what I can tell, this is saying that the ssl connection from my
> proxy, to my jetty host is failing negotiation.
> 
> If I browse directly to the target, on https and port 9192, it works
> perfectly.
> 
> openssl s_connect from the proxy to the target seems to work ONLY if I
> force sslv3.  If I use TSLv1, or sslv2, it fails.  If I use TLSv2 and
> use -no_ticket, it works.
> 
> I'm wondering if one of these would solve the proxy problem?  But how
> can I force nginx to use sslv3, or no ticket, when connecting to its
> target?

As of nginx 1.5.6+, there is the proxy_ssl_protocols directive 
exactly for this kind of problem.  Restricting proxy_ssl_ciphers 
to a smaller set may help too (again, in 1.5.6+).

See here for more details:

http://nginx.org/r/proxy_ssl_protocols
http://nginx.org/r/proxy_ssl_ciphers

-- 
Maxim Dounin
http://nginx.org/en/donation.html
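The configuration Maxim is pointing at, written out as an added example (this is not from the thread and not nginx's own documentation). It uses the hostname and upstream address from the quoted error log; the certificate paths, the upstream name and the cipher list are assumptions, and the cipher list in particular should be replaced by whatever the Jetty side actually negotiates. The idea is to pin the proxy-to-upstream hop to the one protocol the backend is known to accept, and to shorten the cipher list so the ClientHello nginx sends is small and plain, which is what some older Java TLS stacks choke on with an "unexpected message" alert.

```nginx
# Added example, not from the original post. Requires nginx 1.5.6 or later
# for proxy_ssl_protocols and proxy_ssl_ciphers.
#
# Before settling on a protocol, probe the backend from the proxy host
# (command and address as in the thread, -tls1 / -ssl3 select the version):
#   openssl s_client -connect 139.147.165.80:9192 -tls1
#   openssl s_client -connect 139.147.165.80:9192 -ssl3
# and configure proxy_ssl_protocols with the newest version that completes.

upstream jetty_backend {                 # name is an assumption
    server 139.147.165.80:9192;          # address from the quoted error log
}

server {
    listen 443 ssl;
    server_name papercut.dev.lafayette.edu;

    # Front-end certificate for browsers (paths are assumptions).
    ssl_certificate     /etc/nginx/ssl/papercut.crt;
    ssl_certificate_key /etc/nginx/ssl/papercut.key;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;

    location / {
        proxy_pass https://jetty_backend;

        # Offer the backend only what it is known to accept. Prefer TLSv1
        # here; fall back to "SSLv3" only if the probe above shows nothing
        # newer works, and treat that as a temporary measure.
        proxy_ssl_protocols TLSv1;

        # A short, plain cipher list keeps the ClientHello small. These
        # three are OpenSSL names for suites old Java stacks support;
        # trim to what the probe shows the backend actually negotiates.
        proxy_ssl_ciphers   AES128-SHA:AES256-SHA:DES-CBC3-SHA;

        # If the backend only misbehaves on resumed sessions, stop nginx
        # from caching and reusing upstream SSL sessions.
        proxy_ssl_session_reuse off;

        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Two caveats a practitioner should keep in mind. Forcing SSLv3 on the upstream hop is a deliberate downgrade: the protocol is obsolete and its CBC mode was later shown to be practically attackable (POODLE, 2014), so it belongs in a config only as a stopgap while the Jetty side is fixed. And in the nginx versions discussed here the proxy-to-upstream connection is encrypted but not authenticated; nginx does not check the backend certificate until proxy_ssl_verify and proxy_ssl_trusted_certificate, which arrived in 1.7.0, are enabled.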



More information about the nginx mailing list