Problems with nginx accepting tls connections

jonkeane nginx-forum at forum.nginx.org
Mon Feb 29 18:06:43 UTC 2016


Apologies if this is not solely connected to nginx, but I think I've
narrowed it down to the connection with nginx, and how it is handling TLS
connections. I'm attempting to set up nginx to receive connections from an
Amazon Dash button (using information from
http://blog.nemik.net/2015/08/dash-button-corral/). Using Ubuntu 14.04 and
nginx 1.4.6, this setup is working correctly: the dash connects to my server,
they exchange keys (although the key my server sends is not the one that the
dash is expecting, it doesn't actually check this), and then the dash
connects to the page 2/b on my server, and everything is great. I recently
upgraded to Ubuntu 15.10 with nginx 1.9.3 and something is going wrong with
the TLS/SSL connection. With the same setup, my server appropriately
responds to the page 2/b if I GET or PUT there manually (from a browser,
etc.), but the dash is never able to connect.

I've run ssldump on both setups, and it looks like on nginx 1.9.3 the
connection never gets further than ServerHelloDone before the TCP FINs are
sent from client to server and server to client; no client key is exchanged,
and no data is exchanged (I've added output from ssldump for each below).
Is this an nginx configuration issue? Is there any way I can configure
nginx/openssl so that these connections can go through like they did with
previous setups?

I'm happy to provide more detailed configuration, log files, or other
information if needed. Thank you in advance for your help.


With nginx 1.9.3 (192.168.1.140 is the dash button, 192.168.1.21 is my server
with nginx 1.9.3 on it):
New TCP connection #50: 192.168.1.140(30004) <-> 192.168.1.21(443)
50 1  0.0090 (0.0090)  C>SV3.1(49)  Handshake
      ClientHello
        Version 3.1 
        random[32]=
          00 00 37 5d 36 36 15 9d 59 8d da 1e ad f7 90 d7 
          a0 32 bd b9 c0 6f 58 6b cd 3f a0 5a a0 76 91 ca 
        cipher suites
        TLS_RSA_WITH_AES_256_CBC_SHA
        TLS_RSA_WITH_AES_128_CBC_SHA
        TLS_RSA_WITH_RC4_128_MD5
        compression methods
                  NULL
50 2  0.0094 (0.0004)  S>CV3.1(74)  Handshake
      ServerHello
        Version 3.1 
        random[32]=
          87 08 53 95 a3 9e 1b 7b f0 a8 56 cd f8 2b cc 03 
          94 27 3e 0e 8f 84 63 3c f5 03 e9 94 d2 1d f2 a4 
        session_id[32]=
          d1 2b 21 f6 f6 e0 16 7b a2 a1 69 ef 18 df 3f d5 
          e5 50 2e bb c4 c7 b2 5d f1 b7 9c 12 5b 4b ca d1 
        cipherSuite         TLS_RSA_WITH_AES_256_CBC_SHA
        compressionMethod                   NULL
50 3  0.0094 (0.0000)  S>CV3.1(704)  Handshake
      Certificate
        certificate[694]=
          [removed for brevity]
50 4  0.0094 (0.0000)  S>CV3.1(4)  Handshake
      ServerHelloDone
50    0.0271 (0.0176)  C>S  TCP FIN
50    0.0274 (0.0002)  S>C  TCP FIN


With nginx 1.4.6 (192.168.1.140 is the dash button, 192.168.1.20 is my server
with nginx 1.4.6 on it):
New TCP connection #4: 192.168.1.140(30003) <-> 192.168.1.20(443)
4 1  0.0081 (0.0081)  C>SV3.1(49)  Handshake
      ClientHello
        Version 3.1 
        random[32]=
          00 00 34 dc c4 e3 62 d2 26 84 1e 82 be 3a 75 f3 
          2a c9 cf 82 f9 3d ad d8 1e 6b 5f 63 40 9f 0e 9c 
        cipher suites
        TLS_RSA_WITH_AES_256_CBC_SHA
        TLS_RSA_WITH_AES_128_CBC_SHA
        TLS_RSA_WITH_RC4_128_MD5
        compression methods
                  NULL
4 2  0.0084 (0.0003)  S>CV3.1(74)  Handshake
      ServerHello
        Version 3.1 
        random[32]=
          20 fd 68 07 d1 e3 63 0a cf 39 b4 f8 65 e9 25 ed 
          09 9f c4 d9 c4 0d f2 b6 f0 82 2b f8 d9 ea 1a 3f 
        session_id[32]=
          ea 25 8c fd 61 66 92 25 44 fb f0 74 7c 2a 4b bc 
          d6 76 8b 05 16 ed 4a ee 84 0b 0c 74 7f 23 b9 de 
        cipherSuite         TLS_RSA_WITH_AES_256_CBC_SHA
        compressionMethod                   NULL
4 3  0.0084 (0.0000)  S>CV3.1(704)  Handshake
      Certificate
        certificate[694]=
          [removed for brevity]
4 4  0.0084 (0.0000)  S>CV3.1(4)  Handshake
      ServerHelloDone
4 5  0.0548 (0.0463)  C>SV3.1(262)  Handshake
      ClientKeyExchange
        EncryptedPreMasterSecret[256]=
          [removed for brevity]
4 6  0.0561 (0.0013)  C>SV3.1(1)  ChangeCipherSpec
4 7  0.0561 (0.0000)  C>SV3.1(48)  Handshake
4 8  0.0617 (0.0056)  S>CV3.1(1)  ChangeCipherSpec
4 9  0.0617 (0.0000)  S>CV3.1(48)  Handshake
4 10 0.0645 (0.0027)  C>SV3.1(96)  application_data
4 11 0.0647 (0.0001)  C>SV3.1(64)  application_data
4 12 0.0648 (0.0001)  S>CV3.1(240)  application_data
4 13 0.0653 (0.0004)  C>SV3.1(112)  application_data
4 14 0.0656 (0.0003)  C>SV3.1(48)  application_data
4    0.0658 (0.0001)  S>C  TCP FIN
4    0.0745 (0.0087)  C>S  TCP FIN

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,264941,264941#msg-264941
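
Added example (not part of the original post): a small Python parser for ssldump text output that reports, per connection, the last cleartext handshake message seen, whether both sides sent ChangeCipherSpec, and which side sent the first TCP FIN. The sample input is constructed by abridging the two traces above; the function name `diagnose` and its result field names are hypothetical.

```python
import re

# ssldump record: "<conn> [<seq>] <time> (<delta>)  C>S[V3.1(len)]  <type>"
RECORD = re.compile(r"^(\d+)\s+(?:\d+\s+)?\d+\.\d+\s+\(\d+\.\d+\)\s+"
                    r"([CS])>[CS]\s*(?:V[\d.]+\(\d+\))?\s+(.+)$")

# Constructed sample: both traces from the post, abridged (no hex, fewer records).
SAMPLE = """\
New TCP connection #50: 192.168.1.140(30004) <-> 192.168.1.21(443)
50 1  0.0090 (0.0090)  C>SV3.1(49)  Handshake
      ClientHello
50 4  0.0094 (0.0000)  S>CV3.1(4)  Handshake
      ServerHelloDone
50    0.0271 (0.0176)  C>S  TCP FIN
50    0.0274 (0.0002)  S>C  TCP FIN
New TCP connection #4: 192.168.1.140(30003) <-> 192.168.1.20(443)
4 5  0.0548 (0.0463)  C>SV3.1(262)  Handshake
      ClientKeyExchange
4 6  0.0561 (0.0013)  C>SV3.1(1)  ChangeCipherSpec
4 7  0.0561 (0.0000)  C>SV3.1(48)  Handshake
4 8  0.0617 (0.0056)  S>CV3.1(1)  ChangeCipherSpec
4    0.0658 (0.0001)  S>C  TCP FIN
"""

def diagnose(text):
    """Summarise, per connection, how far the TLS handshake got."""
    conns, pending = {}, None
    for line in map(str.strip, text.splitlines()):
        m = RECORD.match(line)
        if m:
            conn, sender, rtype = m.groups()
            event = {"from": sender, "type": rtype, "name": None}
            conns.setdefault(conn, []).append(event)
            pending = event if rtype == "Handshake" else None
        else:
            # The line after a cleartext Handshake record names the message.
            if pending and re.fullmatch(r"[A-Za-z]+", line):
                pending["name"] = line
            pending = None
    out = {}
    for conn, ev in conns.items():
        names = [e["name"] for e in ev if e["name"]]
        fins = [e["from"] for e in ev if e["type"] == "TCP FIN"]
        ccs = {e["from"] for e in ev if e["type"] == "ChangeCipherSpec"}
        out[conn] = {"last_handshake_msg": names[-1] if names else None,
                     "both_sent_ccs": ccs == {"C", "S"},
                     "first_fin_from": fins[0] if fins else None}
    return out
```

Calling `diagnose()` on a saved ssldump capture gives one summary per connection number, so a stalled handshake can be compared side by side with a completed one.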


