Hello!
On Tue, Feb 25, 2014 at 04:34:34PM +0100, Juan Matas wrote:
> Hello everyone, I’m new here and this is my first post in this mailing list,
>
> Maybe this is a frequently answered question but I couldn’t find a solution.
> Maybe it is a “layer 8” issue.
>
> Right now, I have a Nginx (1.0.8) proxy running on Ubuntu 10.04 32bits,
> OpenSSL 0.9.8 doing a https upstream on port 33195. Here is a piece of the
> nginx.conf file:
>
> …
> location /external_services {
>     proxy_pass https://x.x.x.x:33195/external_service;
>     allow x.x.x.x;
>     deny all;
> }
> …
>
> It is working, but I need to migrate this proxy to a new server. This new
> server runs Ubuntu 12.04, OpenSSL 1.0.1 and Nginx 1.5.10.
>
> This server receives an http://myproxy/external_services request and proxies
> it to https://x.x.x.x:33195/external_service; (http to https)
>
> When I try to access http://myproxy/external_services on the new server, I
> get a 502 error and I see this message in error.log:
>
> “peer closed connection in SSL handshake while SSL handshaking to
> upstream”
>
> I found that I can connect (from the proxy server) to
> https://x.x.x.x:33195/external_service using openssl, doing this:
>
> $ openssl s_client -connect https://x.x.x.x:33195/external_service -no_tls1_1
>
> I tried to disable TLSv1.1 in Nginx using the directive: ssl_protocols
> SSLv3 TLSv1; but nothing changed.

You have to use proxy_ssl_protocols, not ssl_protocols. See
Module ngx_http_proxy_module.
The proxy_ssl_ciphers directive may help, too, depending on what
exactly triggers the problem on your backend.
--
Maxim D.
http://nginx.org/
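
The distinction made in the reply above, written out as an added configuration example that is not part of the original messages: `ssl_protocols` applies to TLS connections that clients open to nginx, while `proxy_ssl_protocols` applies to the handshake nginx performs as a client towards the upstream. The `server` block, `listen 80` and `server_name myproxy` are assumptions taken from the URLs in the thread; `x.x.x.x` is the thread's own placeholder.

```nginx
# Added illustration, not the poster's actual nginx.conf.
server {
    listen 80;
    server_name myproxy;    # assumed from http://myproxy/... in the thread

    # ssl_protocols governs TLS sessions that clients open TO nginx
    # (a "listen ... ssl" server). It does not touch the upstream
    # handshake, so setting it here changes nothing for proxy_pass:
    # ssl_protocols SSLv3 TLSv1;

    location /external_services {
        proxy_pass https://x.x.x.x:33195/external_service;

        # Protocol versions nginx offers when it is the TLS client
        # towards the upstream (directive available since nginx 1.5.6).
        proxy_ssl_protocols SSLv3 TLSv1;

        # Second knob mentioned in the reply: the cipher list sent in the
        # same ClientHello. DEFAULT is the directive's built-in value.
        # proxy_ssl_ciphers DEFAULT;

        allow x.x.x.x;
        deny all;
    }
}
```
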
Thanks Maxim D. for the answer.
I tried that but it did not work.
I tried using directives in the nginx config file but the issue continued. I
can’t be sure, but it looks like Nginx was using TLSv1.1 or 1.2 anyway and the
SSL handshake failed. And I didn’t find a way to disable this version of
the protocol.
So I fixed the problem by compiling nginx (1.0.15) from source using OpenSSL
0.9.8e. This version of OpenSSL doesn’t support TLSv1.1. And that works. I
have no option, the provider that I’m dealing with doesn’t support TLSv1.1
and they are not going to update their service.
Thanks,
Matas.