We are using NGINX (version 1.4.4) in front of HAProxy for SSL
termination. We are seeing intermittent "Could not create SSL/TLS
secure channel" failures from our .net client. On enabling debug logging
on NGINX the following error is being recorded at the same time the
client sees the error.
[info] 27456#0: *43842 SSL_do_handshake() failed (SSL:
error:1408C095:SSL routines:SSL3_GET_FINISHED:digest check failed) while
SSL handshaking, client: 10.76.121.148, server: 0.0.0.0:443
Based on the documentation I have disabled ssl session reuse, it didn’t
seem to help.
Suggestions are really appreciated.
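Before acting on a reply, it helps to know whether the digest-check failures come from one client or from many, since that separates a client-side bug from something wrong on the network path or on the nginx/OpenSSL side. The following parser and tally is an added example, not code from the thread or from nginx; it reads lines in the nginx error-log format shown above (the sample lines are constructed, with timestamps added, and the IP addresses, thresholds and function names are assumptions for illustration).

```python
import re
from collections import Counter

# Constructed sample lines in nginx error-log format. The first, third,
# fourth and fifth mirror the failure quoted in the thread; the second is
# an unrelated handshake-phase message the parser must not pick up.
SAMPLE_LOG = """\
2014/04/17 11:30:01 [info] 27456#0: *43842 SSL_do_handshake() failed (SSL: error:1408C095:SSL routines:SSL3_GET_FINISHED:digest check failed) while SSL handshaking, client: 10.76.121.148, server: 0.0.0.0:443
2014/04/17 11:30:05 [info] 27456#0: *43850 client closed connection while SSL handshaking, client: 10.76.121.150, server: 0.0.0.0:443
2014/04/17 11:31:12 [info] 27457#0: *43901 SSL_do_handshake() failed (SSL: error:1408C095:SSL routines:SSL3_GET_FINISHED:digest check failed) while SSL handshaking, client: 10.76.121.148, server: 0.0.0.0:443
2014/04/17 11:32:40 [info] 27456#0: *43955 SSL_do_handshake() failed (SSL: error:1408C095:SSL routines:SSL3_GET_FINISHED:digest check failed) while SSL handshaking, client: 10.76.121.149, server: 0.0.0.0:443
2014/04/17 11:33:02 [info] 27457#0: *43990 SSL_do_handshake() failed (SSL: error:1408C095:SSL routines:SSL3_GET_FINISHED:digest check failed) while SSL handshaking, client: 10.76.121.148, server: 0.0.0.0:443
"""

# Matches the OpenSSL error tuple nginx embeds in the message:
# error:<hex code>:<library>:<function>:<reason>
HANDSHAKE_RE = re.compile(
    r"\[(?P<level>\w+)\] (?P<pid>\d+)#(?P<tid>\d+): \*(?P<conn>\d+) "
    r"SSL_do_handshake\(\) failed \(SSL: error:(?P<code>[0-9A-Fa-f]+):"
    r"(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>[^)]+)\) while SSL handshaking, "
    r"client: (?P<client>[0-9a-fA-F.:]+), server: (?P<server>\S+)"
)


def parse_handshake_failure(line):
    """Return the fields of an SSL_do_handshake() failure line, or None."""
    m = HANDSHAKE_RE.search(line)
    return m.groupdict() if m else None


def summarize(log_text):
    """Count failures per (OpenSSL function, reason) and per client within each."""
    by_reason = Counter()
    clients_by_reason = {}
    for line in log_text.splitlines():
        rec = parse_handshake_failure(line)
        if rec is None:
            continue
        key = (rec["func"], rec["reason"])
        by_reason[key] += 1
        clients_by_reason.setdefault(key, Counter())[rec["client"]] += 1
    return by_reason, clients_by_reason


def assess_digest_failures(log_text, client_threshold=3):
    """Classify digest-check failures as absent, client-specific or widespread.

    client_threshold is an assumed cut-off: fewer distinct source addresses
    than this points at particular clients; more suggests a shared cause
    (path, load balancer, or the server's OpenSSL) worth investigating first.
    """
    by_reason, clients = summarize(log_text)
    key = ("SSL3_GET_FINISHED", "digest check failed")
    total = by_reason.get(key, 0)
    distinct = len(clients.get(key, {}))
    if total == 0:
        verdict = "none"
    elif distinct < client_threshold:
        verdict = "client-specific"
    else:
        verdict = "widespread"
    return {
        "total": total,
        "distinct_clients": distinct,
        "verdict": verdict,
        "top_clients": clients.get(key, Counter()).most_common(3),
    }


if __name__ == "__main__":
    print(assess_digest_failures(SAMPLE_LOG))
```

Run it against a real error log by replacing SAMPLE_LOG with the file contents; a "widespread" verdict with many distinct clients is the case where the man-in-the-middle question in the reply deserves an answer before any client-side workaround is tried.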
On Thu, Apr 17, 2014 at 11:34:14AM -0700, Venkat Morampudi wrote:
> failed) while SSL handshaking, client: 10.76.121.148, server:
From the error message it looks like the handshake failed due to an
incorrect digest value received from the client.
Do you control the network, and are you able to eliminate the possibility
of a real man-in-the-middle attack? If yes, this is likely a bug
either in the client or in the OpenSSL library on the nginx side.
Some things to test, in no particular order:
A workaround from here may work, as well as advice to obtain more
details from the client:
Try to add the SSL_OP_TLS_ROLLBACK_BUG option in nginx; it may help
in case of some client bugs which used to result in digest check
failures (see "man SSL_set_options" for details).
Checking if the problem persists with the latest OpenSSL library
(or, vice versa, with the good old 0.9.8*) may be beneficial, as
well as upgrading nginx to at least the latest 1.4.x version.
> Based on the documentation I have disabled ssl session reuse, it
> didn't seem to help.
Did you do this in your .net client?
> This message and any attachments contain information that may be
> RMS Inc. confidential and/or privileged. If you are not the
> intended recipient (or authorized to receive for the intended
Just a side note: sending messages to the whole world with such a
disclaimer looks silly.