Forum: NGINX Error: SSL_CTX_set_tlsext_servername_callback failed SSL

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- und Ruby-related community platforms.
Mark A. (Guest)
on 2008-10-14 15:12
(Received via mailing list)
After uncommenting the *ssl* lines in my
/etc/nginx/sites-available/mainserver file, I am unable to restart Nginx
Executing sudo /etc/init.d/nginx restart produces this ERROR:

"Restarting nginx: 2008/10/14 11:25:22 [emerg] 7898#0:
SSL_CTX_set_tlsext_servername_callback() failed (SSL:)
nginx."

I have searched with google and at the Nginx site, at the nginx wiki and
at the nginx email archives, and I could not find any clue about this
error.

I am using Nginx 0.6.32 (nginx_0.6.32-3ubuntu1_i386.deb - Ubuntu 8.10)
in a Ubuntu 8.04 LTS server with libssl0.9.8.
The certificates were created in /etc/nginx/ssl/ with:
openssl req -new -x509 -nodes -out server.crt -keyout server.key

Did anybody had a similar problem?
Do you have any clues on how to overcome this problem?

M.


# start /etc/nginx/sites-available/mainserver
#
# (...)
server {
listen 443;
server_name phpmyadmin;
access_log  /var/log/nginx/phpmyadmin.access.log;
error_log  /var/log/nginx/phpmyadmin.error.log;

ssl on;
ssl_certificate /etc/nginx/ssl/cert.pem;
ssl_certificate_key /etc/nginx/ssl/cert.key;
#ssl_session_timeout  5m;
#ssl_protocols  SSLv2 SSLv3 TLSv1;
#ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
#ssl_prefer_server_ciphers   on;

  location /phpmyadmin {
    root  /var/www/nginx-default;
    index  index.php;
  }

  location ~ \.php$ {
    include /etc/nginx/fastcgi_params;
    fastcgi_pass 127.0.0.1:9000;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME
/var/www/nginx-default/phpmyadmin$fastcgi_script_name;
    #fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
  }
}# end /etc/nginx/sites-available/mainserver
ronin (Guest)
on 2009-08-28 07:14
(Received via mailing list)
I have also experienced the same problem
system: centos 5.3  nginx:0.8.9 openssl:0.9.8K

: SSL_CTX_set_tlsext_servername_callback() failed (SSL:)

ldd /usr/sbin/nginx:
        linux-gate.so.1 =>  (0x00771000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x00f5c000)
        libpcre.so.0 => /usr/lib/libpcre.so.0 (0x00d2c000)
        libssl.so.0.9.8 => /usr/lib/libssl.so.0.9.8 (0x0059b000)
        libcrypto.so.0.9.8 => /usr/lib/libcrypto.so.0.9.8 (0x002e0000)
        libdl.so.2 => /lib/libdl.so.2 (0x0086b000)
        libz.so.1 => /usr/lib/libz.so.1 (0x00276000)
        libc.so.6 => /lib/libc.so.6 (0x00110000)
        /lib/ld-linux.so.2 (0x00fe3000)

ldd `which openssl`:
        linux-gate.so.1 =>  (0x00d89000)
        libssl.so.0.9.8 => /usr/lib/libssl.so.0.9.8 (0x0057f000)
        libcrypto.so.0.9.8 => /usr/lib/libcrypto.so.0.9.8 (0x00110000)
        libdl.so.2 => /lib/libdl.so.2 (0x00659000)
        libc.so.6 => /lib/libc.so.6 (0x00391000)
        libz.so.1 => /usr/lib/libz.so.1 (0x0025e000)
        /lib/ld-linux.so.2 (0x00375000)

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,4701,5228#msg-5228
Igor S. (Guest)
on 2009-08-28 07:20
(Received via mailing list)
On Thu, Aug 27, 2009 at 06:04:27AM -0400, ronin wrote:

>         libcrypto.so.0.9.8 => /usr/lib/libcrypto.so.0.9.8 (0x002e0000)
>         libc.so.6 => /lib/libc.so.6 (0x00391000)
>         libz.so.1 => /usr/lib/libz.so.1 (0x0025e000)
>         /lib/ld-linux.so.2 (0x00375000)

Have you built nginx on this host or installed it using package ?
ronin (Guest)
on 2009-08-28 10:05
(Received via mailing list)
/usr/sbin/nginx Is wrong, should be /usr/local/nginx/sbin/nginx
openssl key:http://wiki.nginx.org/NginxHttpSslModule
nginx.conf info:
server {
        listen       443;
        server_name  192.168.1.242;
 index index.html index.htm index.php index.cgi index.shtml index.pl;
    root  //www/stat;
    ssl on;
    ssl_certificate conf/server.crt;
    ssl_certificate_key conf/server.key;

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,4701,5231#msg-5231
ronin (Guest)
on 2009-08-28 10:47
(Received via mailing list)
ssl_certificate /usr/local/nginx/conf/server.crt;
ssl_certificate_key /usr/local/nginx/conf/server.key;
or:
ssl_certificate /usr/local/nginx/conf/server.pem;
ssl_certificate_key /usr/local/nginx/conf/server.key;

Is the same error
: SSL_CTX_set_tlsext_servername_callback() failed (SSL:)

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,4701,5232#msg-5232
Igor S. (Guest)
on 2009-08-28 10:54
(Received via mailing list)
On Thu, Aug 27, 2009 at 09:33:58AM -0400, ronin wrote:

> ssl_certificate /usr/local/nginx/conf/server.crt;
> ssl_certificate_key /usr/local/nginx/conf/server.key;
> or:
> ssl_certificate /usr/local/nginx/conf/server.pem;
> ssl_certificate_key /usr/local/nginx/conf/server.key;
>
> Is the same error
> : SSL_CTX_set_tlsext_servername_callback() failed (SSL:)

What does show
ldd /usr/local/sbin/nginx
?

Have you built nginx on this host or installed it using package ?
ronin (Guest)
on 2009-08-28 12:59
(Received via mailing list)
ldd: /usr/local/sbin/nginx: No such file or directory

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,4701,5238#msg-5238
ronin (Guest)
on 2009-08-28 13:14
(Received via mailing list)
./configure --user=webuser --group=webuser --prefix=/usr/local/nginx
--with-http_stub_status_module --with-http_ssl_module
--with-http_sub_module --with-md5=/usr/lib --with-sha1=/usr/lib
--with-http_gzip_static_module

ldd /usr/local/nginx/sbin/nginx:
linux-gate.so.1 => (0x00771000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0x00f5c000)
libpcre.so.0 => /usr/lib/libpcre.so.0 (0x00d2c000)
libssl.so.0.9.8 => /usr/lib/libssl.so.0.9.8 (0x0059b000)
libcrypto.so.0.9.8 => /usr/lib/libcrypto.so.0.9.8 (0x002e0000)
libdl.so.2 => /lib/libdl.so.2 (0x0086b000)
libz.so.1 => /usr/lib/libz.so.1 (0x00276000)
libc.so.6 => /lib/libc.so.6 (0x00110000)
/lib/ld-linux.so.2 (0x00fe3000)

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,4701,5237#msg-5237
Igor S. (Guest)
on 2009-08-28 13:19
(Received via mailing list)
On Thu, Aug 27, 2009 at 11:01:19AM -0400, ronin wrote:

> uname -srvmo:
> Linux 2.6.18-128.4.1.el5.centos.plus #1 SMP Thu Aug 6 11:07:23 EDT 2009 i686 GNU/Linux

What do show the following commands ?

openssl version
grep OPENSSL_VERSION /usr/include/openssl/opensslv.h
grep OPENSSL_NO_TLSEXT /usr/include/openssl/opensslconf.h
ronin (Guest)
on 2009-08-28 13:21
(Received via mailing list)
uname -srvmo:
Linux 2.6.18-128.4.1.el5.centos.plus #1 SMP Thu Aug 6 11:07:23 EDT 2009
i686 GNU/Linux

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,4701,5239#msg-5239
ronin (Guest)
on 2009-08-29 00:00
(Received via mailing list)
I re-installed openssl 0.9.8K,Site normal
Thanks Igor S.

# openssl version -a
OpenSSL 0.9.8k 25 Mar 2009
built on: Fri Aug 28 10:32:08 CST 2009
platform: linux-elf
options:  bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long)
idea(int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT
-DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer
-Wall -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DSHA1_ASM
-DMD5_ASM -DRMD160_ASM -DAES_ASM
OPENSSLDIR: "/usr/ssl"

grep OPENSSL_VERSION /usr/include/openssl/opensslv.h
#define OPENSSL_VERSION_NUMBER  0x009080bfL
#define OPENSSL_VERSION_TEXT    "OpenSSL 0.9.8k-fips 25 Mar 2009"
#define OPENSSL_VERSION_TEXT    "OpenSSL 0.9.8k 25 Mar 2009"
#define OPENSSL_VERSION_PTEXT   " part of " OPENSSL_VERSION_TEXT

 grep OPENSSL_NO_TLSEXT /usr/include/openssl/opensslconf.h
There is no information output

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,4701,5252#msg-5252
ronin (Guest)
on 2009-08-29 00:12
(Received via mailing list)
firefox is OK,but IE is failed

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,4701,5253#msg-5253
ronin (Guest)
on 2009-08-29 00:19
(Received via mailing list)
To re-generate the certificate,IE and fiefox is ok!

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,4701,5255#msg-5255
This topic is locked and can not be replied to.