NGINX proxy, 502 error while SSL handshaking to upstream

Juan Matías jmrepetti at gmail.com
Wed Mar 5 14:57:54 UTC 2014


Hello!

On Tue, Feb 25, 2014 at 04:34:34PM +0100, Juan Matías wrote:

> Hello everyone, I'm new here and this is my first post in this mailing list,
>
> Maybe this is a frequently answered question but I couldn't find a solution.
> Maybe it is a "layer 8" issue.
>
> Right now, I have a Nginx(1.0.8) proxy running on Ubuntu 10.04 32bits,
> OpenSSL 0.9.8 doing a https upstream on port 33195. Here is a piece of the
> nginx.conf file:
>
> ......
>   location /external_services {
>     proxy_pass  https://x.x.x.x:33195/external_service;
>     allow x.x.x.x;
>     deny all;
>   }
> ......
>
> It is working, but I need to migrate this proxy to a new server. This new
> server runs Ubuntu 12.04, OpenSSL 1.0.1 and Nginx 1.5.10.
>
> This server receives an http://myproxy/external_services request and proxies
> it to https://x.x.x.x:33195/external_service (http to https)
>
> When I try to access http://myproxy/external_services on the new server, I
> got a 502 error and I see this message in error.log :
>
>     "peer closed connection in SSL handshake while SSL handshaking to
> upstream"
>
> I found that I can connect (from the proxy server) to
> https://x.x.x.x:33195/external_service using openssl, doing this:
>
>     $ openssl s_client -connect x.x.x.x:33195 -no_tls1_1
>
> I tried to disable TLSv1.1 in Nginx using the directive: ssl_protocols
> SSLv3 TLSv1; but nothing changed.

You have to use proxy_ssl_protocols, not ssl_protocols.  See
http://nginx.org/r/proxy_ssl_protocols.

The proxy_ssl_ciphers directive may help, too, depending on what
exactly triggers the problem on your backend.

-- 
Maxim Dounin
http://nginx.org/


Thanks Maxim Dounin for the answer.
I tried that but it did not work.

I tried using directives in the nginx config file but the issue continues. I
can't be sure, but it looks like Nginx was using TLSv1.1 or 1.2 anyway and the
SSL handshake failed. And I didn't find a way to disable this version of
the protocol.

So I fixed the problem by compiling nginx (1.0.15) from source using OpenSSL
0.9.8e. This version of OpenSSL doesn't support TLSv1.1. And that works. I
have no option, the provider that I'm dealing with doesn't support TLSv1.1
and they are not going to update their service.


Thanks,
Matías.
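
An added example, not part of the original thread and not the poster's actual configuration: the location block from the question with the upstream-side directive Maxim names, next to the server-side directive that was tried. The surrounding `server` block, the `myproxy` server name and the choice of `TLSv1` alone are assumptions made for illustration.

```nginx
http {
    server {
        listen 80;
        server_name myproxy;            # assumed from http://myproxy/ in the thread

        # ssl_protocols only governs TLS connections that clients open *to*
        # nginx (a "listen ... ssl" socket). It is not consulted when nginx
        # itself connects out to an https:// upstream, so the line below does
        # not change the handshake sent to x.x.x.x:33195.
        # ssl_protocols SSLv3 TLSv1;    # as tried in the thread

        location /external_services {
            proxy_pass https://x.x.x.x:33195/external_service;

            # Protocol versions nginx offers when acting as the TLS *client*
            # towards the upstream. The directive exists since nginx 1.5.6,
            # so it is available on 1.5.10 but not on 1.0.x.
            # Assumption: the upstream accepts a plain TLSv1 handshake.
            proxy_ssl_protocols TLSv1;

            # Second knob mentioned in the reply: the cipher list offered to
            # the upstream. The value is a placeholder, not a recommendation.
            # proxy_ssl_ciphers <cipher-list-accepted-by-upstream>;

            allow x.x.x.x;
            deny all;
        }
    }
}
```

Running `openssl s_client -connect x.x.x.x:33195 -tls1` from the proxy host shows whether the upstream completes a handshake when only TLSv1 is offered, independently of nginx.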