Hi,

I use nginx 0.7.62 to proxy a web application and secure it with client certificates. Quite often NGINX just responds with connection reset to Firefox and generates this error:

2010/02/08 18:04:49 [crit] 8248#0: *41 SSL_do_handshake() failed (SSL: error:140D9115:SSL routines:SSL_GET_PREV_SESSION:session id context uninitialized) while SSL handshaking, client: 77.x.x.x, server 89.x.x.x

Any ideas?

Thanks,
/S
on 2010-02-08 18:11
on 2010-02-23 08:53
On 02/09/2010 02:11 AM, Slawek Zak wrote:
>
> Any ideas?

I too am getting similar errors with 0.7.65:

2010/02/23 16:02:19 [crit] 7224#0: *46254 SSL_do_handshake() failed (SSL: error:140D9115:SSL routines:SSL_GET_PREV_SESSION:session id context uninitialized) while SSL handshaking, client: 192.x.x.x, server: example.com

I also get lots of odd entries in my access logs related to this.

192.x.x.x - - [23/Feb/2010:16:47:04 +0900] "\x16...(snip lots of codes)" 400 173 "-" "-" 0.000 "-" "-" "-" [-] - - - [-] [-]

Thanks
Zev
on 2010-02-23 10:22
On Mon, Feb 08, 2010 at 06:11:21PM +0100, Slawek Zak wrote:
> Hi,
>
> I use nginx 0.7.62 to proxy a web application and secure it with
> client certificates. Quite often NGINX just responds with connection
> reset to Firefox and generates this error:
>
> 2010/02/08 18:04:49 [crit] 8248#0: *41 SSL_do_handshake() failed (SSL:
> error:140D9115:SSL routines:SSL_GET_PREV_SESSION:session id context
> uninitialized) while SSL handshaking, client: 77.x.x.x, server
> 89.x.x.x

Do you see it with Firefox only or with other browsers too?
What are your ssl_session_cache settings?

--
Igor Sysoev
http://sysoev.ru/en/
on 2010-02-23 10:24
On Tue, Feb 23, 2010 at 04:52:29PM +0900, Zev Blut wrote:
> > 89.x.x.x
> >
> > Any ideas?
>
> I too am getting similar errors with 0.7.65:
>
> 2010/02/23 16:02:19 [crit] 7224#0: *46254 SSL_do_handshake() failed
> (SSL: error:140D9115:SSL routines:SSL_GET_PREV_SESSION:session id
> context uninitialized) while SSL handshaking, client: 192.x.x.x, server:
> example.com

What are your ssl_session_cache settings?

> I also get lots of odd entries in my access logs related to this.
> 192.x.x.x - - [23/Feb/2010:16:47:04 +0900] "\x16...(snip lots of codes)"
> 400 173 "-" "-" 0.000 "-" "-" "-" [-] - - - [-] [-]

"\x16..." is an SSLv3 handshake message. It seems that nginx logs it as the request line since nginx treats it like a bad request.

--
Igor Sysoev
http://sysoev.ru/en/
on 2010-02-23 10:36
Hello,

On 02/23/2010 06:24 PM, Igor Sysoev wrote:
>>> error:140D9115:SSL routines:SSL_GET_PREV_SESSION:session id context
>> example.com
>
> What are your ssl_session_cache settings?

At the moment it is not set, so it is using whatever the default is.
Here is a short example of what I am using:

server {
    listen 443;

    ssl on;
    ssl_certificate /etc/nginx/ssl/data.crt;
    ssl_certificate_key /etc/nginx/ssl/data.key;
    ssl_protocols SSLv3 TLSv1;

    # Make sure we verify client side SSL
    ssl_verify_client on;
    ssl_client_certificate /etc/nginx/ssl/data.pem;
}

>> I also get lots of odd entries in my access logs related to this.
>> 192.x.x.x - - [23/Feb/2010:16:47:04 +0900] "\x16...(snip lots of codes)"
>> 400 173 "-" "-" 0.000 "-" "-" "-" [-] - - - [-] [-]
>
> "\x16..." is an SSLv3 handshake message. It seems that nginx logs it as
> the request line since nginx treats it like a bad request.

So I guess there is not much we can do about that.

Thanks,
Zev
on 2010-02-23 10:48
On Tue, Feb 23, 2010 at 06:35:54PM +0900, Zev Blut wrote:
> >>> reset to Firefox and generates this error:
> >> 2010/02/23 16:02:19 [crit] 7224#0: *46254 SSL_do_handshake() failed
> listen 443;
>
> ssl on;
> ssl_certificate /etc/nginx/ssl/data.crt;
> ssl_certificate_key /etc/nginx/ssl/data.key;
> ssl_protocols SSLv3 TLSv1;
>
> # Make sure we verify client side SSL
> ssl_verify_client on;
> ssl_client_certificate /etc/nginx/ssl/data.pem;
> }

Could you try the attached patch?
on 2010-02-25 10:20
Hello,

On 02/23/2010 06:48 PM, Igor Sysoev wrote:
>>>>> I use nginx 0.7.62 to proxy a web application and secure it with
>>>> I too am getting similar errors with 0.7.65:
>>
>> ssl_client_certificate /etc/nginx/ssl/data.pem;
>> }
>
> Could you try the attached patch?

I have installed the patch on one of our internal servers. The server works and accepts my ssl client certificate. Also, the error logs are clean. Unfortunately, I am not able to recreate the errors on our own production server that created these errors. So I am not sure if applying the patch will show that it was fixed or not.

Thanks,
Zev
on 2010-03-02 07:49
Hello,

On 02/23/2010 06:48 PM, Igor Sysoev wrote:
>>>>> error:140D9115:SSL routines:SSL_GET_PREV_SESSION:session id context
>>>>> uninitialized) while SSL handshaking, client: 77.x.x.x, server
>>>>> 89.x.x.x

<snip a bunch of comments>

> Could you try the attached patch?

I have installed the patch on a production server and this appears to work!

Thanks,
Zev
on 2010-04-06 08:50
Igor Sysoev wrote:
> On Tue, Feb 23, 2010 at 06:35:54PM +0900, Zev Blut wrote:
>
>> >>> reset to Firefox and generates this error:
>> >> 2010/02/23 16:02:19 [crit] 7224#0: *46254 SSL_do_handshake() failed
>> listen 443;
>>
>> ssl on;
>> ssl_certificate /etc/nginx/ssl/data.crt;
>> ssl_certificate_key /etc/nginx/ssl/data.key;
>> ssl_protocols SSLv3 TLSv1;
>>
>> # Make sure we verify client side SSL
>> ssl_verify_client on;
>> ssl_client_certificate /etc/nginx/ssl/data.pem;
>> }
>
> Could you try the attached patch?

Hi, Igor!

I also have the above problem - nginx is working on Windows (currently on my local computer) and I hope the patch will help to fix the problem. Sorry for the silly question - how do I install the patch you posted here? As far as I can understand, this module is written in the C language. I have never dealt with C, unfortunately :( I am a Java developer. And our system administrator is out of office now. Can you help me, please?
on 2010-04-06 10:16
On Tue, Apr 06, 2010 at 08:50:26AM +0200, Anna Malova wrote:
> >> ssl_protocols SSLv3 TLSv1;
> problem. Sorry for the silly question - how do I install the patch you
> posted here? As far as I can understand, this module is written in the C
> language. I have never dealt with C, unfortunately :( I am a
> Java developer. And our system administrator is out of office now. Can
> you help me, please?

This bug has been fixed in 0.8.34:

*) Bugfix: if ssl_session_cache was not set or was set to "none", then during client certificate verify the error "session id context uninitialized" might occur; the bug had appeared in 0.7.1.

--
Igor Sysoev
http://sysoev.ru/en/
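An added example, not part of the original thread and not nginx code: a small Python triage script for the two log signatures discussed above, the "session id context uninitialized" handshake failure in the error log and the "\x16" TLS handshake records logged as 400 requests in the access log, counted per client. The sample log lines are constructed (documentation addresses), the function names are this example's own, and the error-code split assumes the pre-3.0 OpenSSL packing of library, function and reason.

```python
import re
from collections import defaultdict

# Pre-3.0 OpenSSL packs an error code as lib (8 bits) | func (12) | reason (12).
ERR_LIB_SSL = 20
SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED = 277  # 0x115, the reason in 140D9115

ERR_RE = re.compile(r"SSL_do_handshake\(\) failed \(SSL: error:([0-9A-Fa-f]{8}):")
CLIENT_RE = re.compile(r"client: ([^,\s]+)")
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) ')

# Constructed sample lines in the formats quoted in the thread.
SAMPLE_ERROR_LOG = [
    "2010/02/23 16:02:19 [crit] 7224#0: *46254 SSL_do_handshake() failed (SSL: "
    "error:140D9115:SSL routines:SSL_GET_PREV_SESSION:session id context "
    "uninitialized) while SSL handshaking, client: 192.0.2.10, server: example.com",
    "2010/02/23 16:03:01 [crit] 7224#0: *46300 SSL_do_handshake() failed (SSL: "
    "error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number) "
    "while SSL handshaking, client: 192.0.2.11, server: example.com",
]
SAMPLE_ACCESS_LOG = [
    r'192.0.2.10 - - [23/Feb/2010:16:47:04 +0900] "\x16\x03\x01" 400 173 "-" "-"',
    r'192.0.2.11 - - [23/Feb/2010:16:47:09 +0900] "GET / HTTP/1.1" 200 512 "-" "-"',
]

def unpack_err(code_hex):
    """Split an 8-hex-digit OpenSSL error code into (lib, func, reason)."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def triage(error_lines, access_lines):
    """Per client: session-id-context failures and TLS records logged as requests."""
    report = defaultdict(lambda: {"sid_ctx_errors": 0, "tls_as_request": 0})
    for line in error_lines:
        m = ERR_RE.search(line)
        lib, _func, reason = unpack_err(m.group(1)) if m else (0, 0, 0)
        if lib == ERR_LIB_SSL and reason == SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED:
            c = CLIENT_RE.search(line)
            report[c.group(1) if c else "unknown"]["sid_ctx_errors"] += 1
    for line in access_lines:
        m = ACCESS_RE.match(line)
        # nginx escapes raw bytes as \xNN; 0x16 is the TLS handshake record type.
        if m and m.group(2).startswith("\\x16") and m.group(3) == "400":
            report[m.group(1)]["tls_as_request"] += 1
    return dict(report)

if __name__ == "__main__":
    print(triage(SAMPLE_ERROR_LOG, SAMPLE_ACCESS_LOG))
```

A non-zero sid_ctx_errors count on a server that has ssl_verify_client on and no ssl_session_cache set matches the conditions of the bug fixed in 0.8.34.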
on 2010-04-06 11:46
Igor Sysoev wrote:
> On Tue, Apr 06, 2010 at 08:50:26AM +0200, Anna Malova wrote:
>
>> >> ssl_protocols SSLv3 TLSv1;
>> problem. Sorry for the silly question - how do I install the patch you
>> posted here? As far as I can understand, this module is written in the C
>> language. I have never dealt with C, unfortunately :( I am a
>> Java developer. And our system administrator is out of office now. Can
>> you help me, please?
>
> This bug has been fixed in 0.8.34:
>
> *) Bugfix: if ssl_session_cache was not set or was set to "none", then
> during client certificate verify the error "session id context
> uninitialized" might occur; the bug had appeared in 0.7.1.
>
>
> --
> Igor Sysoev
> http://sysoev.ru/en/

I put the ssl_session_cache parameter to shared:SSL:10m; and the certificate was ok, no errors in the log file, but every time I stop nginx I receive an unhandled win32 exception in nginx.exe[6116]. And also the same unhandled win32 exception in nginx.exe[3480] after checking the user certificate and passing the request to the application server. As a result, the application doesn't open at all :(
on 2010-04-06 12:18
Hello!

On Tue, Apr 06, 2010 at 11:46:25AM +0200, Anna Malova wrote:

> > This bug has been fixed in 0.8.34:
>
> I put the ssl_session_cache parameter to shared:SSL:10m; and the certificate
> was ok, no errors in the log file, but every time I stop nginx I
> receive an unhandled win32 exception in nginx.exe[6116]. And also the
> same unhandled win32 exception in nginx.exe[3480] after checking the
> user certificate and passing the request to the application server. As a
> result, the application doesn't open at all :(

Which OS do you use? It's expected that shared memory won't work on Windows Vista and up, see here:

http://nginx.org/en/docs/windows.html

Maxim Dounin
on 2010-04-06 12:24
Maxim Dounin wrote:
> Hello!
>
> On Tue, Apr 06, 2010 at 11:46:25AM +0200, Anna Malova wrote:
>
>> > This bug has been fixed in 0.8.34:
>>
>> I put the ssl_session_cache parameter to shared:SSL:10m; and the certificate
>> was ok, no errors in the log file, but every time I stop nginx I
>> receive an unhandled win32 exception in nginx.exe[6116]. And also the
>> same unhandled win32 exception in nginx.exe[3480] after checking the
>> user certificate and passing the request to the application server. As a
>> result, the application doesn't open at all :(
>
> Which OS do you use? It's expected that shared memory won't work
> on Windows Vista and up, see here:
>
> http://nginx.org/en/docs/windows.html
>
> Maxim Dounin

Thank you for the reply! I have Windows XP SP2. I changed nginx to the older version - the last stable from the nginx.org and it works well. :)
on 2010-04-06 12:33
On Tue, Apr 06, 2010 at 12:24:03PM +0200, Anna Malova wrote:
> >> same unhandled win32 exception in nginx.exe[3480] after checking the
> Thank you for the reply! I have Windows XP SP2. I changed nginx to the
> older version - the last stable from the nginx.org and it works well. :)

What version causes the exception - 0.8.34 or 0.8.35?

--
Igor Sysoev
http://sysoev.ru/en/
on 2010-04-06 12:34
Igor Sysoev wrote:
> On Tue, Apr 06, 2010 at 12:24:03PM +0200, Anna Malova wrote:
>
>> >> same unhandled win32 exception in nginx.exe[3480] after checking the
>> Thank you for the reply! I have Windows XP SP2. I changed nginx to the
>> older version - the last stable from the nginx.org and it works well. :)
>
> What version causes the exception - 0.8.34 or 0.8.35?
>
>
> --
> Igor Sysoev
> http://sysoev.ru/en/

0.8.35 causes the exception
on 2010-04-06 12:38
On Tue, Apr 06, 2010 at 12:34:57PM +0200, Anna Malova wrote:
> Igor Sysoev wrote:
> > On Tue, Apr 06, 2010 at 12:24:03PM +0200, Anna Malova wrote:
> >
> >> >> same unhandled win32 exception in nginx.exe[3480] after checking the
> >> Thank you for the reply! I have Windows XP SP2. I changed nginx to the
> >> older version - the last stable from the nginx.org and it works well. :)
> >
> > What version causes the exception - 0.8.34 or 0.8.35?
>
> 0.8.35 causes the exception

Could you try 0.8.34? 0.8.35 has been built with OpenSSL 1.0.0 while 0.8.34 has been built with OpenSSL 0.9.8k.

--
Igor Sysoev
http://sysoev.ru/en/
on 2010-04-06 12:41
Igor Sysoev wrote:
>> 0.8.35 causes the exception
>
> Could you try 0.8.34? 0.8.35 has been built with OpenSSL 1.0.0 while
> 0.8.34 has been built with OpenSSL 0.9.8k.
>

ok, now I will try it. Thank you for the help.
on 2010-04-06 12:42
Anna Malova wrote:
> Igor Sysoev wrote:
>>> 0.8.35 causes the exception
>>
>> Could you try 0.8.34? 0.8.35 has been built with OpenSSL 1.0.0 while
>> 0.8.34 has been built with OpenSSL 0.9.8k.
>>
>
> ok, now I will try it. Thank you for the help.

I just tried it. 0.8.34 doesn't cause unhandled exceptions when stopping nginx, but causes an unhandled win32 exception when trying to connect to the application server after receiving the user certificate.
on 2010-04-06 13:04
Hello!

On Tue, Apr 06, 2010 at 12:24:03PM +0200, Anna Malova wrote:
> >> same unhandled win32 exception in nginx.exe[3480] after checking the
> Thank you for the reply! I have Windows XP SP2. I changed nginx to the
> older version - the last stable from the nginx.org and it works well. :)

Looks like I'm able to reproduce the fault on Windows XP even without ssl_session_cache used, just an ssl server configured is enough. It's triggered in nginx 0.8.35 by the

    nginx -s reload
    nginx -s stop

sequence. And indeed nginx 0.7.65 doesn't have this problem.

Maxim Dounin