SSL handshake fails when proxying between two Tomcats with mutual authentication


I've got a problem when setting up nginx as a load balancer between two
Tomcats with mutual authentication.

The system is like: Tomcat1 <--https--> Nginx <--https--> Tomcat2.

Before adding nginx, the mutual authentication between tomcat1 and
works fine, using cert/key and keystore/truststore. Now with nginx,
between tomcat1 and nginx it is OK, but the SSL handshake between nginx and
tomcat2 does not work. I wonder how to assign the keystore/truststore stuff
needed when communicating with tomcat2; I can't find a related directive in
the nginx ssl module configuration.

Any idea for this? Thanks!

My nginx configuration is like:

upstream backend {
    server <tomcat2-host:port>;   # placeholder: the server line is omitted in the original post
}

server {
    listen       8443 ssl;
    server_name  localhost;
    ssl_certificate             /etc/nginx/ssl/server.crt;
    ssl_certificate_key         /etc/nginx/ssl/server.key;
    ssl_client_certificate      /etc/nginx/ssl/ca.crt;
    ssl_ciphers ALL:!ADH:!kEDH:!SSLv2:!EXPORT40:!EXP:!LOW;
    ssl_verify_client on;
    ssl_verify_depth 2;

    location / {
        proxy_pass https://backend;
    }
}

And tomcat2 configuration is like:

And the error log is:
2013/07/23 20:25:11 [error] 18116#0: *1 SSL_do_handshake() failed (SSL:
error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake
failure:SSL alert number 40) while SSL handshaking to upstream, client

Posted at Nginx Forum:
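The configuration above only covers the server side of nginx (Tomcat1 -> nginx); nothing tells nginx which client certificate to present to Tomcat2, so when Tomcat2 demands one the upstream handshake is rejected. As an added example that is not from this thread, the following shows how the client side (nginx -> Tomcat2) is configured with the proxy_ssl_* directives, which exist in nginx 1.7.0 and later (proxy_ssl_certificate from 1.7.8); the backend address, the client.crt/client.key paths and the proxy_ssl_name value are assumptions.

```nginx
# Added example, not the poster's configuration: nginx terminates mutual
# TLS from Tomcat1 and presents its own client certificate to Tomcat2.
upstream backend {
    server 127.0.0.1:8444;   # assumed address of Tomcat2's HTTPS connector
}

server {
    listen       8443 ssl;
    server_name  localhost;

    # Server side (Tomcat1 -> nginx): nginx's own certificate, and the CA
    # that signed Tomcat1's client certificate.
    ssl_certificate         /etc/nginx/ssl/server.crt;
    ssl_certificate_key     /etc/nginx/ssl/server.key;
    ssl_client_certificate  /etc/nginx/ssl/ca.crt;
    ssl_verify_client       on;
    ssl_verify_depth        2;
    ssl_protocols           TLSv1.2 TLSv1.3;

    location / {
        proxy_pass https://backend;

        # Client side (nginx -> Tomcat2): the certificate nginx presents when
        # Tomcat2 requests one. It must chain to a CA in Tomcat2's truststore.
        proxy_ssl_certificate         /etc/nginx/ssl/client.crt;   # assumed path
        proxy_ssl_certificate_key     /etc/nginx/ssl/client.key;   # assumed path

        # Verify Tomcat2's server certificate (the equivalent of Tomcat1's
        # truststore) instead of accepting any certificate the upstream sends.
        proxy_ssl_trusted_certificate /etc/nginx/ssl/ca.crt;
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;

        # With proxy_ssl_verify on, nginx checks the upstream certificate's
        # name against proxy_ssl_name, which defaults to the upstream name
        # "backend"; set it to the name on Tomcat2's certificate instead.
        proxy_ssl_name                tomcat2.example.internal;   # assumed CN/SAN
        proxy_ssl_server_name         on;    # also send that name as SNI
        proxy_ssl_protocols           TLSv1.2 TLSv1.3;
    }
}
```

A quick offline check for the client side is `openssl s_client -connect <tomcat2-host:port> -cert client.crt -key client.key -CAfile ca.crt`: if that handshake also ends with alert 40, the problem is the certificate/truststore pairing, not nginx.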

Hi Dirnsnow,

Have you found a solution for your problem of mutual auth between Nginx and
Tomcat2? I get the same error as you when I am using Nginx as a
proxy and trying to talk to my backend server through mutual SSL.

Thank you,
