Hi,

I use nginx 0.7.62 to proxy a web application and secure it with client certificates. Quite often NGINX just responds with connection reset to Firefox and generates this error:

2010/02/08 18:04:49 [crit] 8248#0: *41 SSL_do_handshake() failed (SSL: error:140D9115:SSL routines:SSL_GET_PREV_SESSION:session id context uninitialized) while SSL handshaking, client: 77.x.x.x, server 89.x.x.x

Any ideas?

Thanks,
/S
on 08.02.2010 18:11
on 23.02.2010 08:53
On 02/09/2010 02:11 AM, Slawek Zak wrote:
>
> Any ideas?

I too am getting similar errors with 0.7.65:

2010/02/23 16:02:19 [crit] 7224#0: *46254 SSL_do_handshake() failed (SSL: error:140D9115:SSL routines:SSL_GET_PREV_SESSION:session id context uninitialized) while SSL handshaking, client: 192.x.x.x, server: example.com

I also get lots of odd entries in my access logs related to this.

192.x.x.x - - [23/Feb/2010:16:47:04 +0900] "\x16...(snip lots of codes)" 400 173 "-" "-" 0.000 "-" "-" "-" [-] - - - [-] [-]

Thanks
Zev
on 23.02.2010 10:22
On Mon, Feb 08, 2010 at 06:11:21PM +0100, Slawek Zak wrote:
> Hi,
>
> I use nginx 0.7.62 to proxy a web application and secure it with
> client certificates. Quite often NGINX just responds with connection
> reset to Firefox and generates this error:
>
> 2010/02/08 18:04:49 [crit] 8248#0: *41 SSL_do_handshake() failed (SSL:
> error:140D9115:SSL routines:SSL_GET_PREV_SESSION:session id context
> uninitialized) while SSL handshaking, client: 77.x.x.x, server
> 89.x.x.x

Do you see it with Firefox only or with other browsers too?
What are your ssl_session_cache settings?

--
Igor Sysoev
http://sysoev.ru/en/
on 23.02.2010 10:24
On Tue, Feb 23, 2010 at 04:52:29PM +0900, Zev Blut wrote:
> > 89.x.x.x
> >
> > Any ideas?
>
> I too am getting similar errors with 0.7.65:
>
> 2010/02/23 16:02:19 [crit] 7224#0: *46254 SSL_do_handshake() failed
> (SSL: error:140D9115:SSL routines:SSL_GET_PREV_SESSION:session id
> context uninitialized) while SSL handshaking, client: 192.x.x.x, server:
> example.com

What are your ssl_session_cache settings?

> I also get lots of odd entries in my access logs related to this.
> 192.x.x.x - - [23/Feb/2010:16:47:04 +0900] "\x16...(snip lots of codes)"
> 400 173 "-" "-" 0.000 "-" "-" "-" [-] - - - [-] [-]

"\x16..." is an SSLv3 handshake message. It seems that nginx logs it as the request line since nginx treats it like a bad request.

--
Igor Sysoev
http://sysoev.ru/en/
on 23.02.2010 10:36
Hello,

On 02/23/2010 06:24 PM, Igor Sysoev wrote:
>>> error:140D9115:SSL routines:SSL_GET_PREV_SESSION:session id context
>> example.com
>
> What are your ssl_session_cache settings?

At the moment it is not set, so it is using whatever the default is.
Here is a short example of what I am using:

server {
    listen 443;

    ssl on;
    ssl_certificate /etc/nginx/ssl/data.crt;
    ssl_certificate_key /etc/nginx/ssl/data.key;
    ssl_protocols SSLv3 TLSv1;

    # Make sure we verify client side SSL
    ssl_verify_client on;
    ssl_client_certificate /etc/nginx/ssl/data.pem;
}

>> I also get lots of odd entries in my access logs related to this.
>> 192.x.x.x - - [23/Feb/2010:16:47:04 +0900] "\x16...(snip lots of codes)"
>> 400 173 "-" "-" 0.000 "-" "-" "-" [-] - - - [-] [-]
>
> "\x16..." is an SSLv3 handshake message. It seems that nginx logs it as
> the request line since nginx treats it like a bad request.

So I guess there is not much we can do about that.

Thanks,
Zev
on 23.02.2010 10:48
On Tue, Feb 23, 2010 at 06:35:54PM +0900, Zev Blut wrote:
> >>> reset to Firefox and generates this error:
> >> 2010/02/23 16:02:19 [crit] 7224#0: *46254 SSL_do_handshake() failed
> listen 443;
>
> ssl on;
> ssl_certificate /etc/nginx/ssl/data.crt;
> ssl_certificate_key /etc/nginx/ssl/data.key;
> ssl_protocols SSLv3 TLSv1;
>
> # Make sure we verify client side SSL
> ssl_verify_client on;
> ssl_client_certificate /etc/nginx/ssl/data.pem;
> }

Could you try the attached patch?
on 25.02.2010 10:20
Hello,

On 02/23/2010 06:48 PM, Igor Sysoev wrote:
>>>>> I use nginx 0.7.62 to proxy a web application and secure it with
>>>> I too am getting similar errors with 0.7.65:
>>
>> ssl_client_certificate /etc/nginx/ssl/data.pem;
>> }
>
> Could you try the attached patch?

I have installed the patch on one of our internal servers. The server works and accepts my ssl client certificate. Also, the error logs are clean. Unfortunately, I am not able to recreate the errors on our own production server that created these errors. So I am not sure if applying the patch will show that it was fixed or not.

Thanks,
Zev
on 02.03.2010 07:49
Hello,

On 02/23/2010 06:48 PM, Igor Sysoev wrote:
>>>>> error:140D9115:SSL routines:SSL_GET_PREV_SESSION:session id context
>>>>> uninitialized) while SSL handshaking, client: 77.x.x.x, server
>>>>> 89.x.x.x

<snip a bunch of comments>

> Could you try the attached patch?

I have installed the patch on a production server and this appears to work!

Thanks,
Zev
on 06.04.2010 08:50
Igor Sysoev wrote:
> On Tue, Feb 23, 2010 at 06:35:54PM +0900, Zev Blut wrote:
>
>> >>> reset to Firefox and generates this error:
>> >> 2010/02/23 16:02:19 [crit] 7224#0: *46254 SSL_do_handshake() failed
>> listen 443;
>>
>> ssl on;
>> ssl_certificate /etc/nginx/ssl/data.crt;
>> ssl_certificate_key /etc/nginx/ssl/data.key;
>> ssl_protocols SSLv3 TLSv1;
>>
>> # Make sure we verify client side SSL
>> ssl_verify_client on;
>> ssl_client_certificate /etc/nginx/ssl/data.pem;
>> }
>
> Could you try the attached patch?

Hi, Igor! I also have the above problem - nginx is working on Windows (currently on my local computer) and hope the patch will help to fix the problem. Sorry for the silly question - how do I install the patch you posted here? As far as I can understand - this module is written in the C language. I have never dealt with C, unfortunately :( I am a Java developer. And our system administrator is out of office now. Can you help me, please?
on 06.04.2010 10:16
On Tue, Apr 06, 2010 at 08:50:26AM +0200, Anna Malova wrote:
> >> ssl_protocols SSLv3 TLSv1;
> problem. Sorry for the silly question - how do I install the patch you
> posted here? As far as I can understand - this module is written in the C
> language. I have never dealt with C, unfortunately :( I am a
> Java developer. And our system administrator is out of office now. Can
> you help me, please?

This bug has been fixed in 0.8.34:

*) Bugfix: if ssl_session_cache was not set or was set to "none", then
   during client certificate verify the error "session id context
   uninitialized" might occur; the bug had appeared in 0.7.1.

--
Igor Sysoev
http://sysoev.ru/en/
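The condition named in the changelog entry above (client certificate verification enabled while ssl_session_cache is unset or "none") can be checked across a configuration. This is an added example, not code from the thread or from nginx; the function names and the second server block in the sample are hypothetical, and `include` files are not followed.

```python
import re

# Constructed sample: abridged server block from the thread, plus a hypothetical one with a cache.
SAMPLE_CONF = """
http {
    server {
        listen 443;
        # Make sure we verify client side SSL
        ssl_verify_client on;
    }
    server {
        listen 8443;
        ssl_session_cache shared:SSL:10m;
        ssl_verify_client on;
    }
}
"""

def parse(tokens):
    """Parse one scope into (directives, [(block_name, child_scope), ...])."""
    directives, blocks, words = {}, [], []
    for tok in tokens:                 # shared iterator: recursion consumes the child block
        if tok == "}":
            break
        if tok == "{":
            blocks.append((words[0] if words else "", parse(tokens)))
        elif tok != ";":
            words.append(tok)
            continue
        elif words:
            directives[words[0]] = words[1:]
        words = []
    return directives, blocks

def find_exposed_servers(conf):
    """Return listen values of server blocks that verify client certs with no session cache."""
    # Simplification: comments are stripped; quoted strings are not handled.
    tokens = iter(re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", conf)))
    exposed = []
    def walk(scope, inherited):
        effective = {**inherited, **scope[0]}      # directives inherit from outer levels
        for name, child in scope[1]:
            merged = {**effective, **child[0]}
            verify = merged.get("ssl_verify_client", ["off"])[0]
            cache = merged.get("ssl_session_cache", ["none"])   # unset is treated like "none"
            if name == "server" and verify != "off" and cache == ["none"]:
                exposed.append(" ".join(merged.get("listen", ["?"])))
            walk(child, effective)
    walk(parse(tokens), {})
    return exposed
```

Run against the sample, only the block listening on 443 is reported; a cache set at the http level is inherited and clears the finding.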
on 06.04.2010 11:46
Igor Sysoev wrote:
> On Tue, Apr 06, 2010 at 08:50:26AM +0200, Anna Malova wrote:
>
>> >> ssl_protocols SSLv3 TLSv1;
>> problem. Sorry for the silly question - how do I install the patch you
>> posted here? As far as I can understand - this module is written in the C
>> language. I have never dealt with C, unfortunately :( I am a
>> Java developer. And our system administrator is out of office now. Can
>> you help me, please?
>
> This bug has been fixed in 0.8.34:
>
> *) Bugfix: if ssl_session_cache was not set or was set to "none", then
>    during client certificate verify the error "session id context
>    uninitialized" might occur; the bug had appeared in 0.7.1.
>
>
> --
> Igor Sysoev
> http://sysoev.ru/en/

I put the ssl_session_cache parameter to shared:SSL:10m; and certificate was ok, no errors in log file, but every time when I stop the nginx I receive the unhandled win32 exception in nginx.exe[6116]. And also the same unhandled win32 exception in nginx.exe[3480] after checking the user certificate and passing request to the application server. As a result, application doesn't open at all :(
on 06.04.2010 12:18
Hello!

On Tue, Apr 06, 2010 at 11:46:25AM +0200, Anna Malova wrote:
> > This bug has been fixed in 0.8.34:
>
> I put the ssl_session_cache parameter to shared:SSL:10m; and certificate
> was ok, no errors in log file, but every time when I stop the nginx I
> receive the unhandled win32 exception in nginx.exe[6116]. And also the
> same unhandled win32 exception in nginx.exe[3480] after checking the
> user certificate and passing request to the application server. As a
> result, application doesn't open at all :(

Which OS do you use? It's expected that shared memory won't work on Windows Vista and up, see here:

http://nginx.org/en/docs/windows.html

Maxim Dounin
on 06.04.2010 12:24
Maxim Dounin wrote:
> Hello!
>
> On Tue, Apr 06, 2010 at 11:46:25AM +0200, Anna Malova wrote:
>
>> > This bug has been fixed in 0.8.34:
>>
>> I put the ssl_session_cache parameter to shared:SSL:10m; and certificate
>> was ok, no errors in log file, but every time when I stop the nginx I
>> receive the unhandled win32 exception in nginx.exe[6116]. And also the
>> same unhandled win32 exception in nginx.exe[3480] after checking the
>> user certificate and passing request to the application server. As a
>> result, application doesn't open at all :(
>
> Which OS do you use? It's expected that shared memory won't work
> on Windows Vista and up, see here:
>
> http://nginx.org/en/docs/windows.html
>
> Maxim Dounin

Thank you for the reply! I have Windows XP SP2. I changed nginx to the older version - the last stable from the nginx.org and it works well. :)
on 06.04.2010 12:33
On Tue, Apr 06, 2010 at 12:24:03PM +0200, Anna Malova wrote:
> >> same unhandled win32 exception in nginx.exe[3480] after checking the
> Thank you for the reply! I have Windows XP SP2. I changed nginx to the
> older version - the last stable from the nginx.org and it works well. :)

What version causes the exception - 0.8.34 or 0.8.35?

--
Igor Sysoev
http://sysoev.ru/en/
on 06.04.2010 12:34
Igor Sysoev wrote:
> On Tue, Apr 06, 2010 at 12:24:03PM +0200, Anna Malova wrote:
>
>> >> same unhandled win32 exception in nginx.exe[3480] after checking the
>> Thank you for the reply! I have Windows XP SP2. I changed nginx to the
>> older version - the last stable from the nginx.org and it works well. :)
>
> What version causes the exception - 0.8.34 or 0.8.35?
>
>
> --
> Igor Sysoev
> http://sysoev.ru/en/

0.8.35 causes the exception
on 06.04.2010 12:38
On Tue, Apr 06, 2010 at 12:34:57PM +0200, Anna Malova wrote:
> Igor Sysoev wrote:
> > On Tue, Apr 06, 2010 at 12:24:03PM +0200, Anna Malova wrote:
> >
> >> >> same unhandled win32 exception in nginx.exe[3480] after checking the
> >> Thank you for the reply! I have Windows XP SP2. I changed nginx to the
> >> older version - the last stable from the nginx.org and it works well. :)
> >
> > What version causes the exception - 0.8.34 or 0.8.35?
>
> 0.8.35 causes the exception

Could you try 0.8.34? 0.8.35 has been built with OpenSSL 1.0.0 while 0.8.34 has been built with OpenSSL 0.9.8k.

--
Igor Sysoev
http://sysoev.ru/en/
on 06.04.2010 12:41
Igor Sysoev wrote:
>> 0.8.35 causes the exception
>
> Could you try 0.8.34? 0.8.35 has been built with OpenSSL 1.0.0 while
> 0.8.34 has been built with OpenSSL 0.9.8k.
>

ok, now I will try it. Thank you for the help.
on 06.04.2010 12:42
Anna Malova wrote:
> Igor Sysoev wrote:
>>> 0.8.35 causes the exception
>>
>> Could you try 0.8.34? 0.8.35 has been built with OpenSSL 1.0.0 while
>> 0.8.34 has been built with OpenSSL 0.9.8k.
>>
>
> ok, now I will try it. Thank you for the help.

I just tried it. 0.8.34 doesn't cause unhandled exceptions when stopping nginx, but causes an unhandled win32 exception when trying to connect to the application server after receiving the user certificate.
on 06.04.2010 13:04
Hello!

On Tue, Apr 06, 2010 at 12:24:03PM +0200, Anna Malova wrote:
> >> same unhandled win32 exception in nginx.exe[3480] after checking the
> Thank you for the reply! I have Windows XP SP2. I changed nginx to the
> older version - the last stable from the nginx.org and it works well. :)

Looks like I'm able to reproduce the fault on Windows XP even without ssl_session_cache used, just ssl server configured is enough. It's triggered in nginx 0.8.35 by

    nginx -s reload
    nginx -s stop

sequence. And indeed nginx 0.7.65 doesn't have this problem.

Maxim Dounin