Welcome! Log In Create A New Profile

Advanced

Intermittent SSL errors - SSL_do_handshake() failed (SSL: error:1408C095:SSL routines:SSL3_GET_FINISHED:digest check failed) while SSL handshaking to upstream Reverse proxy mode.. HELP

David Taveras
March 04, 2010 02:50PM
Hello,

I have a reverse proxy config.

i reverse proxy SSL listening to port 81 , and sending also to a
upstream ssl 81. Iam getting intermittent SSL handshake errors and
users are getting a 501 Bad Gateway error.


2010/03/05 00:31:50 [error] 3078#0: *1362 SSL_do_handshake() failed
(SSL: error:1408C095:SSL routines:SSL3_GET_FINISHED:digest check
failed) while SSL handshaking to upstream, client: 150.45.62.218,
server: server1, request: "GET /dwf.php?action=image HTTP/1.1",
upstream: "https://35.17.50.184:81/_chat.php?action=alive", host:
"secure.domain.org:81", referrer: "http://www.some.org/"


Here is the server {} block:

server {
access_log /var/log/nginx/access.log main;
error_log /var/log/nginx/error.log;
listen xxx.xxx.xxx.xxx:81;
root /usr/local/nginx/html;
server_name server1;

## Only allow these request methods
if ($request_method !~ ^(GET|HEAD|POST)$ ) {
return 444;
}


ssl on;
ssl_certificate /etc/nginx/secure.domain.org_ssl.crt;
ssl_certificate_key /etc/nginx/secure.domain.org_ssl.key;
ssl_ciphers HIGH:!ADH:!MD5;
ssl_prefer_server_ciphers on;
ssl_protocols SSLv3;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;

location / {
proxy_pass https://secure.domain.org:81/;
proxy_set_header X-Real-IP $remote_addr;

}

}


It is about 1 out of 6 requests that give me that error. The weird
thing is that when I try to replicate that error from the same nginx
box with the following:

openssl s_client -connect
www.domain_that_resolves_to_nginx_reverse_proxy.org:81 -state -ssl3
-no_ssl2 -no_tls1


CONNECTED(00000004)
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=0 /C=WE/ST=DF/L=SDF/O=SF/OU=GE/CN=YH/emailAddress=dfs@dfsd.com
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=WE/ST=DF/L=SDF/O=SF/OU=GE/CN=YH/emailAddress=dfs@dfsd.com
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
---
Certificate chain
0 s:/C=WE/ST=DF/L=SDF/O=SF/OU=GE/CN=YH/emailAddress=dfs@dfsd.com
i:/C=WE/ST=DF/L=SDF/O=SF/OU=GE/CN=YH/emailAddress=dfs@dfsd.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICTzCCAbgCCQDTpOeLi+6vtzANBgkqhkiG9w0BAQUFADBsMQswCQYDVQQGEwJX
RTELMAkGA1UECBMCREYxDDAKBgNVBAcTA1NERjELMAkGA1UEChMCU0YxCzAJBgNV
BAsTAkdFMQswCQYDVQQDEwJZSDEbMBkGCSqGSIb3DQEJARYMZGZzQGRmc2QuY29t
MB4XDTEwMDIxMDIxNTMzM1oXDTExMDIxMDIxNTMzM1owbDELMAkGA1UEBhMCV0Ux
CzAJBgNVBAgTAkRGMQwwCgYDVQQHEwNTREYxCzAJBgNVBAoTAlNGMQswCQYDVQQL
EwJHRTELMAkGA1UEAxMCWUgxGzAZBgkqhkiG9w0BCQEWDGRmc0BkZnNkLmNvbTCB
nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA0tAryKxiPf3f0S2Jy/jyZuOja03Y
QhHro9TQ5KzxDyMB8ptIRurjC7F6JGn6SHKrhk5v7mHN+Lwy/RLXft9lm7tWstbP
akYVTPbZu0xHPSsIwOGMEEKBE3ve1Uzd0K5SBSnUmSy2KIOhuY/9u6unbAB8GPcV
4p+sC0D1H6DNUqMCAwEAATANBgkqhkiG9w0BAQUFAAOBgQBAQApci/6/ozZu9xIL
zjFBGQp4fOMhf+JpFatihr9hYjJBnmXxY74pkdTVf2b/63w5/LF4FSJidglUtHke
9QarFVsj/UuFj/LSouRU+LHvsiWQU2i0xp+1YcXXzqNE7+6zwG0pDPHM6lR/hQxC
K+yxP3E5urDb7Lyu2aUArDpkqQ==
-----END CERTIFICATE-----
subject=/C=WE/ST=DF/L=SDF/O=SF/OU=GE/CN=YH/emailAddress=dfs@dfsd.com
issuer=/C=WE/ST=DF/L=SDF/O=SF/OU=GE/CN=YH/emailAddress=dfs@dfsd.com
---
No client certificate CA names sent
---
SSL handshake has read 773 bytes and written 304 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : AES256-SHA
Session-ID: 5E8A7F8AF9E84C730D0DC94E3BE31482F9E3C161BD660876FE32484832A457AB
Session-ID-ctx:
Master-Key:
15DEB4EB8D487AB061392468BA952ECA6800797B9101D07DA80D198B5C369DD3C520BC4BA06446E21959F22203E5C78C
Key-Arg : None
Start Time: 1267749779
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
---


I repeat that test 100 times and I never get any handshake errors.

What could be different.. what is so special about the way this nginx
config is doing the handshake? I have other clients also doing the
handshake directly to the upstream server with the mozilla browser and
they never get errors.

The only observation I can make is that the upstream box that nginx
wants to do the handshake with is self signed. Is that a possible
issue?


David

_______________________________________________
nginx mailing list
nginx@nginx.org
http://nginx.org/mailman/listinfo/nginx
Subject Author Posted

Intermittent SSL errors - SSL_do_handshake() failed (SSL: error:1408C095:SSL routines:SSL3_GET_FINISHED:digest check failed) while SSL handshaking to upstream Reverse proxy mode.. HELP

David Taveras March 04, 2010 02:50PM

Re: Intermittent SSL errors - SSL_do_handshake() failed (SSL: error:1408C095:SSL routines:SSL3_GET_FINISHED:digest check failed) while SSL handshaking to upstream Reverse proxy mode.. HELP

David Taveras March 04, 2010 03:20PM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 126
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready