SSL Handshake problems, nginx reverse web proxy


I am working on setting up an http reverse proxy in front of a
pre-packaged jetty server. The jetty server is a pre-configured
application, and not very flexible.

Here’s the quick and dirty. I have nginx configured to listen on 443,
using its own SSL cert. Then behind nginx, I have another server
running this jetty application, with its own cert, on port 9192.

My nginx config looks like this:

server {
    listen 139.147.165.99:443;
    server_name papercut.dev.lafayette.edu papercut.dev;

    access_log  /var/log/nginx/papercut.dev.lafayette.edu_access;
    error_log   /var/log/nginx/papercut.dev.lafayette.edu_error debug;

    ssl                  on;
    ssl_certificate      /etc/nginx/ssl.crt/papercut.dev.lafayette.edu.crt;
    ssl_certificate_key  /etc/nginx/ssl.key/papercut.dev.lafayette.edu.key;

    ssl_session_timeout  5m;

    ssl_protocols  SSLv3 TLSv1;
    ssl_ciphers    ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:!SSLv2:+EXP;

    ssl_prefer_server_ciphers   on;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;

    location / {
        proxy_pass  https://printman.dev.lafayette.edu:9192;
    }
}

If I hit my vhost on https, I get a 502, bad gateway.

The error log reports:
2013/11/12 12:02:10 [error] 28416#0: *230 SSL_do_handshake() failed (SSL: error:140773F2:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert unexpected message) while SSL handshaking to upstream, client: 10.100.0.12, server: papercut.dev.lafayette.edu, request: "GET / HTTP/1.1", upstream: "https://139.147.165.80:9192/", host: "papercut.dev.lafayette.edu"

From what I can tell, this is saying that the ssl connection from my
proxy, to my jetty host is failing negotiation.

If I browse directly to the target, on https and port 9192, it works
perfectly.

openssl s_connect from the proxy to the target seems to work ONLY if I
force sslv3. If I use TLSv1, or sslv2 it fails. If I use TLSv2 and
use -no_ticket, it works.

I’m wondering if one of these would solve the proxy problem? But how
can I force nginx to use sslv3, or no ticket, when connecting to its
target?

Thanks!

Hello!

On Tue, Nov 12, 2013 at 12:07:08PM -0500, Nathan wrote:

> I am working on setting up an http reverse proxy in front of a
> pre-packaged jetty server. The jetty server is a pre-configured
> application, and not very flexible.
>
> Here’s the quick and dirty. I have nginx configured to listen on 443,
> using its own SSL cert. Then behind nginx, I have another server
> running this jetty application, with its own cert, on port 9192.
>
> […]
>
> If I browse directly to the target, on https and port 9192, it works
> perfectly.
>
> openssl s_connect from the proxy to the target seems to work ONLY if I
> force sslv3. If I use TLSv1, or sslv2 it fails. If I use TLSv2 and
> use -no_ticket, it works.
>
> I’m wondering if one of these would solve the proxy problem? But how
> can I force nginx to use sslv3, or no ticket, when connecting to its
> target?

As of nginx 1.5.6+, there is the proxy_ssl_protocols directive
exactly for this kind of problem. Restricting proxy_ssl_ciphers
to a smaller set may help too (again, in 1.5.6+).

See here for more details:

http://nginx.org/r/proxy_ssl_protocols
http://nginx.org/r/proxy_ssl_ciphers


Maxim D.
http://nginx.org/en/donation.html
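The two directives Maxim points to, applied to the poster's location block, as an added example that is not configuration from the thread; the hostnames and paths are the thread's, the cipher string is an assumption, and all of it needs nginx 1.5.6 or newer.

```nginx
# Added example, not the poster's config. From 1.5.6 nginx lets you pin
# what it offers in its own ClientHello when it dials the HTTPS backend;
# older versions exposed no knob for the upstream side, which is why the
# only answer the backend gave was an alert ("sslv3 alert unexpected
# message") instead of a ServerHello.
server {
    listen 139.147.165.99:443;
    server_name papercut.dev.lafayette.edu papercut.dev;

    ssl                  on;
    ssl_certificate      /etc/nginx/ssl.crt/papercut.dev.lafayette.edu.crt;
    ssl_certificate_key  /etc/nginx/ssl.key/papercut.dev.lafayette.edu.key;

    location / {
        proxy_pass https://printman.dev.lafayette.edu:9192;

        # Mirror the openssl test that worked: offer only SSLv3 on the
        # proxy->jetty hop. This does not touch the client-facing
        # ssl_protocols setting. SSLv3 is obsolete and later nginx and
        # OpenSSL builds drop it entirely, so treat this as a stopgap and
        # widen the list again once the backend is fixed, as Maxim suggests.
        proxy_ssl_protocols SSLv3;

        # A shorter cipher list (assumed value) keeps the ClientHello small,
        # the other knob Maxim names for backends that reject a full offer.
        proxy_ssl_ciphers HIGH:!aNULL:!MD5;

        proxy_set_header X-Real-IP       $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host            $http_host;
    }
}
```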


On 11/12/2013 12:14 PM, Maxim D. wrote:

> Hello!
Hi!

> As of nginx 1.5.6+, there is the proxy_ssl_protocols directive
> exactly for this kind of problem. Restricting proxy_ssl_ciphers to
> a smaller set may help too (again, in 1.5.6+).

Good, so now all I have to do is convince EPEL to carry a newer
version of nginx.

rpm -qa | grep nginx

nginx-1.0.15-5.el6.x86_64

I could go and get an rpm elsewhere I’m sure, that breaks our
standards though.

Any other suggestions?

> See here for more details:
>
> http://nginx.org/r/proxy_ssl_protocols
> http://nginx.org/r/proxy_ssl_ciphers


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nathan Lager, RHCSA, RHCE, RHCVA (#110-011-426)
System A.
11 Pardee Hall
Lafayette College, Easton, PA 18042

Hello!

On Tue, Nov 12, 2013 at 12:22:24PM -0500, Nathan wrote:

> nginx-1.0.15-5.el6.x86_64
>
> I could go and get an rpm elsewhere I’m sure, that breaks our
> standards though.
>
> Any other suggestions?

Source code can be downloaded here:

http://nginx.org/en/download.html

It’s more or less trivial to compile. And we’ve even added
precompiled mainline packages for various Linuxes, see links on
the same page.

If it doesn’t work for you, you have another obvious option:
fixing a backend will do the trick, too.


Maxim D.
http://nginx.org/en/donation.html


On 11/12/2013 04:18 PM, Maxim D. wrote:

> If it doesn’t work for you, you have another obvious option: fixing
> a backend will do the trick, too.

Yes, I think this is the optimal solution, but the back end is a
blackbox controlled by a vendor. It’s jetty, so it’s likely that it
could be fixed, but working with them is like pulling teeth.

Thanks for the help. I’ll start digging on both options (upgrading,
or getting the backend fixed). At least now I know that it’s possible
to fix at the nginx end if we’re willing to update to latest.
