Intermittent failures with SecureChannelFailure error on client

Hi,

We are using NGINX (version 1.4.4) in front of HAProxy for SSL
termination. We are seeing intermittent “Could not create SSL/TLS
secure channel” failures from our .net client. On enabling debug logging
on NGINX, the following error is being recorded at the same time the
client sees the error.

[info] 27456#0: *43842 SSL_do_handshake() failed (SSL:
error:1408C095:SSL routines:SSL3_GET_FINISHED:digest check failed) while
SSL handshaking, client: 10.76.121.148, server: 0.0.0.0:443

Based on the documentation I have disabled ssl session reuse, it didn’t
seem to help.

Suggestions are really appreciated.

Thanks,
Venkat

Hello!

On Thu, Apr 17, 2014 at 11:34:14AM -0700, Venkat Morampudi wrote:

> failed) while SSL handshaking, client: 10.76.121.148, server:
> 0.0.0.0:443

From the error message it looks like the handshake failed due to an
incorrect digest value received from the client.

Do you control the network and are you able to rule out the possibility
of a real man-in-the-middle attack? If yes, this is likely a bug
either in the client or in the OpenSSL library on the nginx side.

Some things to test, in no particular order:

  • A workaround from here may work, as well as the advice to obtain more
    details from the client:
    c# - .NET HttpWebRequest HTTPS Error - Stack Overflow

  • Try to add the SSL_OP_TLS_ROLLBACK_BUG option in nginx; it may help
    in case of some client bugs which used to result in digest check
    failures (see “man SSL_set_options” for details).

  • Checking if the problem persists with the latest OpenSSL library
    (or, vice versa, with the good old 0.9.8*) may be beneficial, as
    well as upgrading nginx to at least the latest 1.4.x version.

> Based on the documentation I have disabled ssl session reuse, it
> didn’t seem to help.

Did you do this in your .net client?

[…]

> This message and any attachments contain information that may be
> RMS Inc. confidential and/or privileged. If you are not the
> intended recipient (or authorized to receive for the intended

Just a side note: sending messages to the whole world with such a
disclaimer looks silly.


Maxim D.
http://nginx.org/
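Added example, not part of the thread above and not nginx's own code: a small Python triage script for the first question Maxim raises, namely whether the "digest check failed" handshake errors come from one client (pointing at that client's TLS stack or the path to it) or from many (pointing at the OpenSSL build on the nginx side or a shared network path). It parses nginx error_log lines of the shape quoted in the thread, extracts the OpenSSL error code and reason, and tallies failures per reason and per client IP. The sample log lines are constructed for the example (the first one is the line from the thread; the others are invented), and the regular expressions assume the default nginx error_log layout.

```python
import re
from collections import Counter, defaultdict

# nginx error_log line layout (optional timestamp, level, pid#tid, connection
# number, message, then the "while SSL handshaking, client: ..., server: ..."
# suffix). Lines without that suffix are ignored as not being TLS handshake errors.
LOG_RE = re.compile(
    r'^(?:(?P<date>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) )?'
    r'\[(?P<level>\w+)\] (?P<pid>\d+)#(?P<tid>\d+): \*(?P<conn>\d+) '
    r'(?P<msg>.*?) while SSL handshaking, '
    r'client: (?P<client>[^,]+), server: (?P<server>\S+)$'
)

# OpenSSL error string embedded in the message: error:<code>:<lib>:<func>:<reason>
ERR_RE = re.compile(
    r'error:(?P<code>[0-9A-Fa-f]+):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>[^)]+)'
)

# Constructed sample input. The first line is the one quoted in the thread
# (with the timestamp nginx normally prefixes); the rest are invented.
SAMPLE_LOG = [
    '2014/04/17 11:30:02 [info] 27456#0: *43842 SSL_do_handshake() failed (SSL: '
    'error:1408C095:SSL routines:SSL3_GET_FINISHED:digest check failed) while '
    'SSL handshaking, client: 10.76.121.148, server: 0.0.0.0:443',
    '2014/04/17 11:31:40 [info] 27456#0: *43900 SSL_do_handshake() failed (SSL: '
    'error:1408C095:SSL routines:SSL3_GET_FINISHED:digest check failed) while '
    'SSL handshaking, client: 10.76.121.148, server: 0.0.0.0:443',
    '2014/04/17 11:32:11 [info] 27456#0: *43912 SSL_do_handshake() failed (SSL: '
    'error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol) while '
    'SSL handshaking, client: 10.76.121.151, server: 0.0.0.0:443',
    '2014/04/17 11:33:05 [info] 27456#0: *43930 peer closed connection in SSL '
    'handshake while SSL handshaking, client: 10.76.121.150, server: 0.0.0.0:443',
    # Not a handshake error at all; parse_line() returns None for it.
    '2014/04/17 11:35:00 [error] 27456#0: *43950 open() "/usr/share/nginx/html/'
    'favicon.ico" failed (2: No such file or directory), client: 10.76.121.200, '
    'server: example.com, request: "GET /favicon.ico HTTP/1.1"',
]


def parse_line(line):
    """Parse one error_log line; return a dict of fields or None if it is not a TLS handshake error."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    err = ERR_RE.search(rec['msg'])
    rec['ssl_code'] = err.group('code') if err else None
    rec['ssl_func'] = err.group('func') if err else None
    rec['ssl_reason'] = err.group('reason') if err else None
    return rec


def summarize(lines):
    """Count handshake failures per reason and per client IP."""
    by_reason = Counter()
    by_client = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # Messages without an OpenSSL error string (e.g. peer closed) keep the raw text.
        reason = rec['ssl_reason'] or rec['msg']
        by_reason[reason] += 1
        by_client[rec['client']][reason] += 1
    return by_reason, by_client


def assess(by_client, reason='digest check failed'):
    """Return (clients affected, total failures, triage hint) for one failure reason."""
    affected = {c: cnt[reason] for c, cnt in by_client.items() if cnt[reason]}
    total = sum(affected.values())
    if not affected:
        hint = 'no failures with this reason'
    elif len(affected) == 1:
        hint = 'one client only: look at that client TLS stack (or the path to it) first'
    else:
        hint = 'several clients: suspect the OpenSSL/nginx side or a shared network path'
    return len(affected), total, hint


if __name__ == '__main__':
    reasons, clients = summarize(SAMPLE_LOG)
    for reason, n in reasons.most_common():
        print(f'{n:4d}  {reason}')
    n_clients, n_total, hint = assess(clients)
    print(f'digest check failed: {n_total} failures from {n_clients} client(s); {hint}')
```

Feed the real log in with `summarize(open('/var/log/nginx/error.log'))`; a single affected IP, as in the thread, is the pattern that argues for collecting client-side details before touching the server's OpenSSL build.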