Intermittent failures with SecureChannelFailure error on client

Hi,

We are using NGINX (version 1.4.4) in front of HAProxy for SSl
termination. We are seeing intermittent “Could not create SSL/TLS
secure channel” failure from our .net client. On enabling debug logging
on NGINX the following error is being recorded at the same time the
client see the error.

[info] 27456#0: *43842 SSL_do_handshake() failed (SSL:
error:1408C095:SSL routines:SSL3_GET_FINISHED:digest check failed) while
SSL handshaking, client: 10.76.121.148, server: 0.0.0.0:443

Based on the documentation I have disabled ssl session reuse, it didn’t
seem to help.

Suggestion are really appreciated.

Thanks,
Venkat

Hello!

On Thu, Apr 17, 2014 at 11:34:14AM -0700, Venkat Morampudi wrote:

failed) while SSL handshaking, client: 10.76.121.148, server:
0.0.0.0:443

From the error message it looks like that handshake failed due to
incorrect digest value got from the client.

Do you control network and are able to eliminate a possibility of
real man-in-the-middle attack? If yes, this is likely a bug
either in the client or in OpenSSL library on nginx side.

Some things to test, in no particular order:

  • A workaround from here may work, as well as advise to obtain more
    details from the client:
    http://stackoverflow.com/questions/2078682/net-httpwebrequest-https-error

  • Try to add SSL_OP_TLS_ROLLBACK_BUG option in nginx, it may help
    in case of some client bugs which used to result in digest check
    failures (see “man SSL_set_options” for details).

  • Checking if the problem persists with latest OpenSSL library
    (or, vice versa, with old good 0.9.8*) may be beneficial, as
    well as upgrading nginx to at least latest 1.4.x version.

Based on the documentation I have disabled ssl session reuse, it
didn’t seem to help.

Did you do this in your .net client?

[…]

This message and any attachments contain information that may be
RMS Inc. confidential and/or privileged. If you are not the
intended recipient (or authorized to receive for the intended

Just a side note: sending messages to the whole world with such a
disclaimer looks silly.


Maxim D.
http://nginx.org/

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs