Hi,

I use nginx 0.7.62 to proxy a web application and secure it with client certificates. Quite often NGINX just responds with connection reset to Firefox and generates this error:

2010/02/08 18:04:49 [crit] 8248#0: *41 SSL_do_handshake() failed (SSL: error:140D9115:SSL routines:SSL_GET_PREV_SESSION:session id context uninitialized) while SSL handshaking, client: 77.x.x.x, server 89.x.x.x

Any ideas?

Thanks, /S
on 08.02.2010 18:11
on 23.02.2010 08:53
On 02/09/2010 02:11 AM, Slawek Zak wrote:
>
> Any ideas?

I too am getting similar errors with 0.7.65:

2010/02/23 16:02:19 [crit] 7224#0: *46254 SSL_do_handshake() failed (SSL: error:140D9115:SSL routines:SSL_GET_PREV_SESSION:session id context uninitialized) while SSL handshaking, client: 192.x.x.x, server: example.com

I also get lots of odd entries in my access logs related to this.

192.x.x.x - - [23/Feb/2010:16:47:04 +0900] "\x16...(snip lots of codes)" 400 173 "-" "-" 0.000 "-" "-" "-" [-] - - - [-] [-]

Thanks
Zev
on 23.02.2010 10:22
On Mon, Feb 08, 2010 at 06:11:21PM +0100, Slawek Zak wrote:
> Hi,
>
> I use nginx 0.7.62 to proxy a web application and secure it with
> client certificates. Quite often NGINX just responds with connection
> reset to Firefox and generates this error:
>
> 2010/02/08 18:04:49 [crit] 8248#0: *41 SSL_do_handshake() failed (SSL:
> error:140D9115:SSL routines:SSL_GET_PREV_SESSION:session id context
> uninitialized) while SSL handshaking, client: 77.x.x.x, server
> 89.x.x.x

Do you see it with Firefox only or with other browsers too?
What are your ssl_session_cache settings?

--
Igor Sysoev
http://sysoev.ru/en/
on 23.02.2010 10:24
On Tue, Feb 23, 2010 at 04:52:29PM +0900, Zev Blut wrote:
> > 89.x.x.x
> >
> > Any ideas?
>
> I too am getting similar errors with 0.7.65:
>
> 2010/02/23 16:02:19 [crit] 7224#0: *46254 SSL_do_handshake() failed
> (SSL: error:140D9115:SSL routines:SSL_GET_PREV_SESSION:session id
> context uninitialized) while SSL handshaking, client: 192.x.x.x, server:
> example.com

What are your ssl_session_cache settings?

> I also get lots of odd entries in my access logs related to this.
> 192.x.x.x - - [23/Feb/2010:16:47:04 +0900] "\x16...(snip lots of codes)"
> 400 173 "-" "-" 0.000 "-" "-" "-" [-] - - - [-] [-]

"\x16..." is an SSLv3 handshake message. It seems that nginx logs it as the request line since nginx treats it like a bad request.

--
Igor Sysoev
http://sysoev.ru/en/
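The "\x16..." access-log entries explained in the reply above, as an added example that is not part of the original thread: a small Python scanner that un-escapes the logged request line and decodes the TLS record header it contains. The log layout in the regex, the function names and the sample lines are assumptions made for this illustration.

```python
import re

# TLS record-layer content types and protocol versions (record header bytes 0-2).
CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                 0x16: "handshake", 0x17: "application_data"}
VERSIONS = {0: "SSLv3", 1: "TLSv1.0", 2: "TLSv1.1", 3: "TLSv1.2"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello"}

_ESCAPE = re.compile(rb"\\x([0-9A-Fa-f]{2})")
# Assumed log layout: ... [time] "request line" status ...
_REQUEST = re.compile(r'\] "((?:[^"\\]|\\.)*)" (\d{3}) ')

def unescape(field):
    """Turn the \\xHH escapes nginx writes for non-printable bytes back into bytes."""
    return _ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), field.encode("latin-1"))

def classify(line):
    """Describe a TLS record that was logged as a request line, else return None."""
    m = _REQUEST.search(line)
    if not m:
        return None
    raw = unescape(m.group(1))
    # A record header is type(1) + major(1) + minor(1) + length(2); major is 3.
    if len(raw) < 5 or raw[0] not in CONTENT_TYPES or raw[1] != 3:
        return None
    info = {"status": int(m.group(2)), "record": CONTENT_TYPES[raw[0]],
            "version": VERSIONS.get(raw[2], "unknown"),
            "length": int.from_bytes(raw[3:5], "big")}
    if raw[0] == 0x16 and len(raw) > 5:
        info["handshake"] = HANDSHAKE_TYPES.get(raw[5], "other")
    return info

def scan(lines):
    """Return (client, info) for every line whose request line is a TLS record."""
    hits = ((line.split(" ", 1)[0], classify(line)) for line in lines)
    return [(client, info) for client, info in hits if info]

# Constructed sample lines (addresses and record bytes are made up for illustration).
SAMPLE = [
    r'192.0.2.10 - - [23/Feb/2010:16:47:04 +0900] "\x16\x03\x01\x00\x8B\x01\x00\x00\x87\x03\x01K" 400 173 "-" "-"',
    r'192.0.2.11 - - [23/Feb/2010:16:47:05 +0900] "\x16\x03\x00\x00a\x01\x00\x00]\x03\x00" 400 173 "-" "-"',
    r'192.0.2.12 - - [23/Feb/2010:16:47:09 +0900] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for client, info in scan(SAMPLE):
        print(client, info)
```

Bytes that happen to be printable ASCII are logged unescaped, which is why the second constructed line carries its record length as the literal character "a" (0x61).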
on 23.02.2010 10:36
Hello,

On 02/23/2010 06:24 PM, Igor Sysoev wrote:
>>> error:140D9115:SSL routines:SSL_GET_PREV_SESSION:session id context
>> example.com
>
> What are your ssl_session_cache settings?

At the moment it is not set, so it is using whatever the default is.
Here is a short example of what I am using:

server {
    listen 443;

    ssl on;
    ssl_certificate /etc/nginx/ssl/data.crt;
    ssl_certificate_key /etc/nginx/ssl/data.key;
    ssl_protocols SSLv3 TLSv1;

    # Make sure we verify client side SSL
    ssl_verify_client on;
    ssl_client_certificate /etc/nginx/ssl/data.pem;
}

>> I also get lots of odd entries in my access logs related to this.
>> 192.x.x.x - - [23/Feb/2010:16:47:04 +0900] "\x16...(snip lots of codes)"
>> 400 173 "-" "-" 0.000 "-" "-" "-" [-] - - - [-] [-]
>
> "\x16..." is an SSLv3 handshake message. It seems that nginx logs it as
> the request line since nginx treats it like a bad request.

So I guess there is not much we can do about that.

Thanks,
Zev
on 23.02.2010 10:48
On Tue, Feb 23, 2010 at 06:35:54PM +0900, Zev Blut wrote:
> >>> reset to Firefox and generates this error:
> >> 2010/02/23 16:02:19 [crit] 7224#0: *46254 SSL_do_handshake() failed
> listen 443;
>
> ssl on;
> ssl_certificate /etc/nginx/ssl/data.crt;
> ssl_certificate_key /etc/nginx/ssl/data.key;
> ssl_protocols SSLv3 TLSv1;
>
> # Make sure we verify client side SSL
> ssl_verify_client on;
> ssl_client_certificate /etc/nginx/ssl/data.pem;
> }

Could you try the attached patch?
on 25.02.2010 10:20
Hello,

On 02/23/2010 06:48 PM, Igor Sysoev wrote:
>>>>> I use nginx 0.7.62 to proxy a web application and secure it with
>>>> I too am getting similar errors with 0.7.65:
>>
>> ssl_client_certificate /etc/nginx/ssl/data.pem;
>> }
>
> Could you try the attached patch?

I have installed the patch on one of our internal servers. The server works and accepts my ssl client certificate. Also, the error logs are clean. Unfortunately, I am not able to recreate the errors on our own production server that created these errors. So I am not sure if applying the patch will show that it was fixed or not.

Thanks,
Zev
on 02.03.2010 07:49
Hello,

On 02/23/2010 06:48 PM, Igor Sysoev wrote:
>>>>> error:140D9115:SSL routines:SSL_GET_PREV_SESSION:session id context
>>>>> uninitialized) while SSL handshaking, client: 77.x.x.x, server
>>>>> 89.x.x.x
<snip a bunch of comments>
> Could you try the attached patch?

I have installed the patch on a production server and this appears to work!

Thanks,
Zev