Ignore Certificate Errors
Roger Fischer
roger at netskrt.io
Thu Aug 30 16:09:44 UTC 2018
Hello,
is there a way to make NGINX more forgiving on TLS certificate errors? Or would that have to be done in OpenSSL instead?
When I use openssl s_client, I get the following errors from the upstream server:
140226185430680:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:103:
140226185430680:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:705:
140226185430680:error:1408D07B:SSL routines:ssl3_get_key_exchange:bad signature:s3_clnt.c:2010:
This causes NGINX (reverse proxy) to return 502 Bad Gateway to the browser.
The NGINX error log shows:
2018/08/29 09:09:59 [crit] 11633#11633: *28 SSL_do_handshake() failed (SSL: error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01 error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed error:1408D07B:SSL routines:ssl3_get_key_exchange:bad signature) while SSL handshaking to upstream, client: 192.168.1.66, server: s5.example.com, request: "GET /xyz
I have added “proxy_ssl_verify off;”, but that did not make any difference.
Surprisingly, the browser (directly to the upstream server) does not complain about the TLS error.
Is there anything else I can do either in NGINX or openssl to suppress the 502 Bad Gateway?
Thanks…
Roger
PS: I don’t have control over the upstream server, so I can’t fix the root cause (faulty certificate).
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20180830/724899ad/attachment.html>
More information about the nginx
mailing list