Ignore Certificate Errors

Roger Fischer roger at netskrt.io
Thu Aug 30 16:09:44 UTC 2018


Is there a way to make NGINX more forgiving on TLS certificate errors? Or would that have to be done in OpenSSL instead?

When I use openssl s_client, I get the following errors from the upstream server:

140226185430680:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:103:
140226185430680:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:705:
140226185430680:error:1408D07B:SSL routines:ssl3_get_key_exchange:bad signature:s3_clnt.c:2010:

This causes NGINX (reverse proxy) to return 502 Bad Gateway to the browser.

The NGINX error log shows:

2018/08/29 09:09:59 [crit] 11633#11633: *28 SSL_do_handshake() failed (SSL: error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01 error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed error:1408D07B:SSL routines:ssl3_get_key_exchange:bad signature) while SSL handshaking to upstream, client:, server: s5.example.com, request: "GET /xyz

I have added “proxy_ssl_verify off;”, but that did not make any difference.

Surprisingly, the browser (directly to the upstream server) does not complain about the TLS error.

Is there anything else I can do either in NGINX or openssl to suppress the 502 Bad Gateway?

PS: I don’t have control over the upstream server, so I can’t fix the root cause (faulty certificate).
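The point worth checking before changing any NGINX setting is which stage of the handshake produced the error. proxy_ssl_verify off only disables verification of the upstream certificate chain; the three errors quoted above come from ssl3_get_key_exchange, i.e. the signature on the ServerKeyExchange message did not verify under the certificate's public key, which is a protocol-level failure that no verification switch can suppress. The script below is an added example, not from the original post or from the nginx project: it parses the OpenSSL error strings in both shapes seen here (s_client output and the NGINX error log), unpacks the 32-bit error codes using the OpenSSL 1.0.x/1.1.x layout (library << 24 | function << 12 | reason, which is what produced the codes in the post; OpenSSL 3.x packs codes differently), and reports whether proxy_ssl_verify has any bearing on the failure. The sample inputs are the lines from the post plus one constructed "certificate verify failed" line for contrast; the numeric reason constants are OpenSSL's own.

```python
import re

# Assumption: the packed-code layout below is OpenSSL 1.0.x/1.1.x's ERR_PACK():
# (library << 24) | (function << 12) | reason. OpenSSL 3.x uses a different
# layout, so decode_code() must not be applied to its error strings.
ERR_LIB_RSA = 4
ERR_LIB_SSL = 20
SSL_R_CERTIFICATE_VERIFY_FAILED = 134   # the one failure "proxy_ssl_verify off" silences
LIB_NAMES = {ERR_LIB_RSA: "RSA", ERR_LIB_SSL: "SSL"}

# Matches "error:<8 hex>:<lib>:<func>:<reason>" in both shapes seen in the thread:
# s_client appends ":<file>:<line>:", nginx joins several errors with a space
# and closes the list with ")".
ERR_RE = re.compile(
    r"error:([0-9A-Fa-f]{8}):([^:]+):([^:]+):([^:]*?)(?=:|\)| error:|$)", re.M)


def decode_code(code_hex):
    """Unpack one 32-bit OpenSSL error code into its three numeric fields."""
    code = int(code_hex, 16)
    return {
        "lib": (code >> 24) & 0xFF,
        "func": (code >> 12) & 0xFFF,
        "reason": code & 0xFFF,
    }


def parse_errors(text):
    """Extract every OpenSSL error from s_client output or an nginx error-log line."""
    found = []
    for m in ERR_RE.finditer(text):
        code_hex, lib, func, reason = m.groups()
        entry = decode_code(code_hex)
        entry.update({"code": code_hex.upper(), "lib_name": lib,
                      "func_name": func, "reason_text": reason.strip()})
        found.append(entry)
    return found


def affected_by_proxy_ssl_verify(err):
    """True only for a certificate-chain verification failure.

    proxy_ssl_verify off tells nginx not to verify the upstream certificate chain,
    which OpenSSL reports as SSL reason 134 (certificate verify failed). A bad
    signature on the ServerKeyExchange (SSL reason 123) or an RSA padding failure
    is a protocol-level handshake failure and is not suppressed by that setting.
    """
    return err["lib"] == ERR_LIB_SSL and err["reason"] == SSL_R_CERTIFICATE_VERIFY_FAILED


def triage(text):
    """Return (errors, verdict) for one s_client transcript or nginx log line."""
    errors = parse_errors(text)
    if not errors:
        return errors, "no OpenSSL error found"
    if all(affected_by_proxy_ssl_verify(e) for e in errors):
        return errors, "chain verification failure: proxy_ssl_verify controls this"
    return errors, "handshake failure outside chain verification: proxy_ssl_verify has no effect"


# Sample inputs: the s_client lines and the nginx log line quoted in the post,
# plus one constructed chain-verification line for contrast.
S_CLIENT_OUTPUT = """\
140226185430680:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:103:
140226185430680:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:705:
140226185430680:error:1408D07B:SSL routines:ssl3_get_key_exchange:bad signature:s3_clnt.c:2010:
"""
NGINX_LOG_LINE = ('2018/08/29 09:09:59 [crit] 11633#11633: *28 SSL_do_handshake() failed '
                  '(SSL: error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01 '
                  'error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed '
                  'error:1408D07B:SSL routines:ssl3_get_key_exchange:bad signature) '
                  'while SSL handshaking to upstream')
# Constructed line, not from the post: what a chain-verification failure looks like.
VERIFY_FAILED_LINE = ("SSL_do_handshake() failed (SSL: error:14090086:SSL routines:"
                      "ssl3_get_server_certificate:certificate verify failed) while SSL handshaking to upstream")

if __name__ == "__main__":
    for label, text in (("s_client", S_CLIENT_OUTPUT), ("nginx", NGINX_LOG_LINE),
                        ("constructed", VERIFY_FAILED_LINE)):
        errors, verdict = triage(text)
        for e in errors:
            print(f"{label}: {e['code']} lib={LIB_NAMES.get(e['lib'], e['lib'])} "
                  f"func={e['func']} reason={e['reason']} ({e['reason_text']})")
        print(f"{label}: {verdict}")
```

Run it as-is and it decodes 0407006A to library 4 (RSA), function 112, reason 106, and 1408D07B to library 20 (SSL), function 141, reason 123, classifying the post's errors as a handshake failure that proxy_ssl_verify cannot influence; only the constructed 14090086 line is reported as something that directive governs.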
