SSL handshake fail between nginx and my tomcat with mutual authentication

January 03, 2014 04:35AM
Hi All,

I am using Nginx 1.4.4 as a reverse proxy for my Tomcat server. My problem is that the SSL handshake fails between Nginx and Tomcat with mutual SSL authentication. I have verified that client to Nginx with mutual SSL is working. But if my upstream backend is also using an https mutual-SSL port, the path fails with this error:
[error] 1816#3436: *23 SSL_do_handshake() failed (SSL: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:SSL alert number 42) while SSL handshaking to upstream, client: xx.xx.xx.xx, server: xx.xxx.xxx.xxx, request: "GET / HTTP/1.1", upstream: "https://xx.xx.xx.xx:8082/", host: "xx.xx.xx.xx:8002"

My upstream server https://xx.xx.xx.xx:8082 is using mutual SSL and works perfectly without Nginx.
The Nginx host https://xx.xx.xx.xx:8002 is using mutual SSL and also works perfectly without the upstream mutual SSL, or with only the http port.
The problem is: when both Nginx and the upstream require mutual SSL, and I would like to pass the client certificate to Nginx and then on to my upstream server, the SSL handshake error occurs.

I have tried to add the client cert in headers, but no luck. Here is part of my nginx config:
####
server {
    listen xx.xx.xx.xx:8002;
    server_name xx.xx.xx.xx;

    ssl on;
    ssl_certificate C:/nginx-1.4.4/cert/MyServer.crt;
    ssl_certificate_key C:/nginx-1.4.4/cert/MyServer.key;

    # CA used to verify the end user's client certificate on the front side.
    # ssl_trusted_certificate also feeds verification (and OCSP stapling) but
    # is not advertised to clients, so it duplicates ssl_client_certificate here.
    # Nothing in this block configures a certificate for the upstream handshake.
    ssl_client_certificate C:/nginx-1.4.4/cert/MyCA.pem;
    ssl_trusted_certificate C:/nginx-1.4.4/cert/MyCA.pem;

    ssl_prefer_server_ciphers on;
    ssl_verify_client on;
    ssl_verify_depth 3;
    # SSLv2 and SSLv3 are broken protocols; current deployments allow TLSv1.2 and later only.
    ssl_protocols SSLv2 SSLv3 TLSv1;

    access_log C:/nginx-1.4.4/logs/access_8002.log;
    error_log C:/nginx-1.4.4/logs/error_8002.log debug;

    root html;
    index index.html index.htm;

    location / {
        # upstream Tomcat connector that also requires a client certificate
        proxy_pass https://10.128.103.47:8082/;
        proxy_redirect default;
        proxy_set_header Host $host:$server_port;

        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Client-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Ssl on;
        proxy_set_header X-Client-Verify $ssl_client_verify;
        # $ssl_client_cert is the multi-line PEM with a tab prepended to every line after the first
        proxy_set_header X-SSL-Client-Cert $ssl_client_cert;
        proxy_set_header X-SSL-Client-Serial $ssl_client_serial;
        proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
        proxy_set_header X-SSL-Client-S-DN $ssl_client_s_dn;

    }
}

Is this usage supported by Nginx?
I would be very grateful if someone could point me to some clues or suggestions.

Thanks and Best Regards,
Flash008
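What the post asks for cannot work as described, so the configuration below is an added example of the approach that does work; it is not from the original post and not from nginx's own documentation. A TLS client certificate is only useful together with its private key, and that key stays on the end user's machine. nginx terminates the user's TLS session and cannot re-sign the upstream handshake as that user, so in the posted config nginx opens the upstream connection with no client certificate at all. Tomcat's connector is configured with clientAuth="true", rejects the handshake, and the resulting alert 42 (bad certificate) is exactly what the log line shows. The fix is to give nginx its own client certificate, issued by a CA that Tomcat's truststore holds, and to carry the end user's identity to Tomcat in headers that Tomcat trusts only because the connection was authenticated as nginx. proxy_ssl_certificate and proxy_ssl_certificate_key were added in nginx 1.7.8 and $ssl_client_escaped_cert in 1.13.5, so this needs an upgrade from 1.4.4. The file names MyProxyClient.crt/.key, TomcatCA.pem and the C:/nginx/cert/ directory are assumed placeholders; the upstream address is the one from the post.

```nginx
# Assumed layout: MyCA.pem issues end-user client certificates, TomcatCA.pem
# issued Tomcat's server certificate, and MyProxyClient.crt/.key is a client
# certificate for nginx itself, issued by a CA in Tomcat's truststore.
server {
    listen xx.xx.xx.xx:8002 ssl;          # replaces the pre-1.15 "ssl on;"
    server_name xx.xx.xx.xx;

    ssl_certificate     C:/nginx/cert/MyServer.crt;
    ssl_certificate_key C:/nginx/cert/MyServer.key;

    # Front side: require and verify the end user's certificate.
    ssl_client_certificate C:/nginx/cert/MyCA.pem;
    ssl_verify_client on;
    ssl_verify_depth  3;

    # The posted config allowed SSLv2 and SSLv3; both are broken.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass https://10.128.103.47:8082/;

        # Back side: nginx authenticates to Tomcat with its OWN certificate.
        # The end user's private key never leaves the browser, so the user's
        # certificate cannot be used for this handshake. Needs nginx >= 1.7.8.
        proxy_ssl_certificate     C:/nginx/cert/MyProxyClient.crt;
        proxy_ssl_certificate_key C:/nginx/cert/MyProxyClient.key;

        # Verify Tomcat's server certificate too; otherwise the identity
        # headers below could be handed to an impostor backend.
        proxy_ssl_trusted_certificate C:/nginx/cert/TomcatCA.pem;
        proxy_ssl_verify        on;
        proxy_ssl_verify_depth  2;
        proxy_ssl_protocols     TLSv1.2 TLSv1.3;
        proxy_ssl_server_name   on;

        proxy_set_header Host              $host:$server_port;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # Forwarded end-user identity. Tomcat must honour these headers ONLY
        # on the connector that authenticated nginx's client certificate.
        proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
        proxy_set_header X-SSL-Client-S-DN   $ssl_client_s_dn;
        proxy_set_header X-SSL-Client-Serial $ssl_client_serial;
        # Single-line, URL-encoded PEM (nginx >= 1.13.5). $ssl_client_cert is
        # multi-line with tab-indented continuation lines and trips up many
        # header parsers.
        proxy_set_header X-SSL-Client-Cert   $ssl_client_escaped_cert;
    }
}
```

Two checks before relying on this. First, with proxy_ssl_verify on, nginx also checks that Tomcat's certificate matches proxy_ssl_name, which defaults to the host part of proxy_pass; since that is an IP address here, Tomcat's certificate needs that IP in its subjectAltName, or proxy_ssl_name must be set to the DNS name the certificate carries. Second, the X-SSL-Client-* headers are now the whole basis of the user's identity at Tomcat, so the connector on 8082 must keep clientAuth="true" with a truststore limited to the CA that issued MyProxyClient.crt, and the application must ignore or strip those headers on any other connector; a client that can reach Tomcat directly and set them would otherwise impersonate any user. On the Tomcat side the cert header is recovered with a plain URL-decode of the value, which yields the original PEM including its line breaks.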
Thread:
SSL handshake fail between nginx and my tomcat with mutual authentication, flash008, January 03, 2014 04:35AM
Re: SSL handshake fail between nginx and my tomcat with mutual authentication, rjoshi, August 18, 2014 10:29PM