SSL handshake errors when configured as a reverse proxy
Andrew Hutchings
ahutchings at nginx.com
Sat Feb 20 15:11:52 UTC 2016
Hi Josh,

There are bugs in OpenSSL 1.0.1e that could trigger this, which is why I
asked. The two other things I would suggest trying are:

1. Look again at your cipher list; missing important ones out can
trigger this error, especially with ssl_prefer_server_ciphers set.
Judging by the quick skim looking at them they don't look correct for
the ssl_protocols you have chosen. Using the defaults should be fine for
most cases.

2. Upgrading to a supported version of NGINX; there have been many
SSL-related bug fixes since then (although I don't think any match your
specific case). Our own apt repositories found on nginx.org have more
current versions in them.

Kind Regards
Andrew

On 19/02/16 18:13, Josh Jaques wrote:
> Hi Andrew,
>
> To clarify the setup earlier,
>
> I continued to use the Ubuntu compiled version of NGINX from apt-get.
>
> The specific procedure I used to change the lib that NGINX would load
> was by replacing the libssl.so.1.0.0 and libcrypto.so.1.0.0 files in the
> path referenced by ldd for the NGINX binary with ones compiled from source.
>
> When I switched to Apache, I reverted the system to the package manager
> versions of libssl and openssl. It continues to be in production without
> producing any handshake errors.
>
> So from my end there doesn't seem to be any evidence to support OpenSSL
> version ever being an issue, because Apache works fine using the same
> version of OpenSSL that we initially experienced the problem with in NGINX.
>
> The Apache version I am running is also the default from apt-get.
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
--
Andrew Hutchings (LinuxJedi)
Technical Product Manager, NGINX Inc.
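
The check suggested in item 1 of the reply (does the cipher list fit the chosen ssl_protocols?) can be scripted. The following is an added example, not code from this thread or from NGINX: it expands an OpenSSL cipher string with the local OpenSSL via Python's `ssl` module and reports enabled protocols that have no usable suite. The function names are hypothetical and the directive values are constructed, since the poster's configuration is not shown here; results depend on the local OpenSSL build.

```python
import ssl

# Rank of the minimum protocol OpenSSL reports per suite (TLS 1.0 appears as
# "TLSv1.0" in cipher listings), keyed so nginx's "TLSv1" token also resolves.
RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.0": 1, "TLSv1.1": 2, "TLSv1.2": 3}


def expand(ssl_ciphers):
    """Expand an OpenSSL cipher string to (name, minimum protocol) pairs."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(ssl_ciphers)  # ssl.SSLError if the string selects nothing
    # TLS 1.3 suites are configured separately from this string; skip them.
    return [(c["name"], c["protocol"]) for c in ctx.get_ciphers()
            if c["protocol"] in RANK]


def usable_by_protocol(ssl_protocols, ssl_ciphers):
    """Map each enabled protocol (up to TLSv1.2) to the suites it can negotiate."""
    suites = expand(ssl_ciphers)
    return {proto: [n for n, minimum in suites if RANK[minimum] <= RANK[proto]]
            for proto in ssl_protocols.split() if proto in RANK}


def uncovered(ssl_protocols, ssl_ciphers):
    """Protocols that are enabled but have no usable suite in the list."""
    table = usable_by_protocol(ssl_protocols, ssl_ciphers)
    return [proto for proto, names in table.items() if not names]


# Constructed directive values, not the configuration from this thread.
PROTOCOLS = "TLSv1 TLSv1.1 TLSv1.2"
GCM_ONLY = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384"
WITH_CBC = GCM_ONLY + ":ECDHE-RSA-AES128-SHA"

if __name__ == "__main__":
    for label, ciphers in (("GCM only", GCM_ONLY), ("with CBC-SHA", WITH_CBC)):
        print(label, "-> protocols with no cipher:", uncovered(PROTOCOLS, ciphers))
```

A protocol listed as uncovered is one where a client limited to that version has no suite in common with the server, so its handshake fails even though the protocol is enabled.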