Ignore Certificate Errors
Roger Fischer
roger at netskrt.io
Mon Sep 10 16:18:32 UTC 2018
Hello,
I eventually found out that the problem was a missing “proxy_ssl_server_name on;”.
Without the Server Name Indication (SNI) in the TLS handshake, the server returns a certificate that causes this problem.
I am also wondering if these days the default should be on. It seems that SNI is in widespread use.
Roger
> On Aug 30, 2018, at 11:13 AM, Maxim Dounin <mdounin at mdounin.ru> wrote:
>
> Hello!
>
> On Thu, Aug 30, 2018 at 09:09:44AM -0700, Roger Fischer wrote:
>
>> Hello,
>>
>> is there a way to make NGINX more forgiving on TLS certificate errors? Or would that have to be done in OpenSSL instead?
>>
>> When I use openssl s_client, I get the following errors from the upstream server:
>>
>> 140226185430680:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:103:
>> 140226185430680:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:705:
>> 140226185430680:error:1408D07B:SSL routines:ssl3_get_key_exchange:bad signature:s3_clnt.c:2010:
>>
>> This causes NGINX (reverse proxy) to return 502 Bad Gateway to the browser.
>>
>> The NGINX error log shows:
>>
>> 2018/08/29 09:09:59 [crit] 11633#11633: *28 SSL_do_handshake() failed (SSL: error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01 error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed error:1408D07B:SSL routines:ssl3_get_key_exchange:bad signature) while SSL handshaking to upstream, client: 192.168.1.66, server: s5.example.com, request: "GET /xyz
>>
>> I have added “proxy_ssl_verify off;”, but that did not make any difference.
>>
>> Surprisingly, the browser (directly to the upstream server) does not complain about the TLS error.
>>
>> Is there anything else I can do either in NGINX or openssl to suppress the 502 Bad Gateway?
>>
>> Thanks…
>>
>> Roger
>>
>> PS: I don’t have control over the upstream server, so I can’t fix the root cause (faulty certificate).
>
> As per the error message, the problem seems to be not with the
> cerifitcate, but with the key exchange during the SSL handshake.
> For some reason signature verification after the key exchange
> fails due to wrong padding.
>
> Most likely the problem is specific to some ciphers, so forcing a
> different cipher with proxy_ssl_ciphers could help, see
> http://nginx.org/r/proxy_ssl_ciphers.
>
> --
> Maxim Dounin
> http://mdounin.ru/
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20180910/e6875b24/attachment.html>
More information about the nginx
mailing list