SSL with client certificate errors

Hi,

I use nginx 0.7.62 to proxy a web application and secure it with
client certificates. Quite often NGINX just responds with connection
reset to Firefox and generates this error:

2010/02/08 18:04:49 [crit] 8248#0: *41 SSL_do_handshake() failed (SSL:
error:140D9115:SSL routines:SSL_GET_PREV_SESSION:session id context
uninitialized) while SSL handshaking, client: 77.x.x.x, server
89.x.x.x

Any ideas?

Thanks, /S

On 02/09/2010 02:11 AM, Slawek Zak wrote:

Any ideas?

I too am getting similar errors with 0.7.65:

2010/02/23 16:02:19 [crit] 7224#0: *46254 SSL_do_handshake() failed
(SSL: error:140D9115:SSL routines:SSL_GET_PREV_SESSION:session id
context uninitialized) while SSL handshaking, client: 192.x.x.x, server:
example.com

I also get lots of odd entries in my access logs related to this.
192.x.x.x - - [23/Feb/2010:16:47:04 +0900] “\x16…(snip lots of codes)”
400 173 “-” “-” 0.000 “-” “-” “-” [-] - - - [-] [-]

Thanks
Zev

On Tue, Feb 23, 2010 at 04:52:29PM +0900, Zev B. wrote:

89.x.x.x

Any ideas?

I too am getting similar errors with 0.7.65:

2010/02/23 16:02:19 [crit] 7224#0: *46254 SSL_do_handshake() failed
(SSL: error:140D9115:SSL routines:SSL_GET_PREV_SESSION:session id
context uninitialized) while SSL handshaking, client: 192.x.x.x, server:
example.com

What is your ssl_session_cache settings ?

I also get lots of odd entries in my access logs related to this.
192.x.x.x - - [23/Feb/2010:16:47:04 +0900] “\x16…(snip lots of codes)”
400 173 “-” “-” 0.000 “-” “-” “-” [-] - - - [-] [-]

“\x16…” is SSLv3 handshake message. It seems that nginx logs it as
request line since nginx treats it like a bad request.


Igor S.
http://sysoev.ru/en/

On Mon, Feb 08, 2010 at 06:11:21PM +0100, Slawek Zak wrote:

Hi,

I use nginx 0.7.62 to proxy a web application and secure it with
client certificates. Quite often NGINX just responds with connection
reset to Firefox and generates this error:

2010/02/08 18:04:49 [crit] 8248#0: *41 SSL_do_handshake() failed (SSL:
error:140D9115:SSL routines:SSL_GET_PREV_SESSION:session id context
uninitialized) while SSL handshaking, client: 77.x.x.x, server
89.x.x.x

Do you see it with Firefox only or with other browsers too ?
What is your ssl_session_cache settings ?


Igor S.
http://sysoev.ru/en/

Hello,

On 02/23/2010 06:24 PM, Igor S. wrote:

error:140D9115:SSL routines:SSL_GET_PREV_SESSION:session id context
example.com

What is your ssl_session_cache settings ?

At the moment it is not set, so it is using whatever the default is.
Here is a short example of what I am using:

server {
     listen 443;

     ssl                  on;
     ssl_certificate      /etc/nginx/ssl/data.crt;
     ssl_certificate_key  /etc/nginx/ssl/data.key;
     ssl_protocols SSLv3 TLSv1;

     # Make sure we verify client side SSL
     ssl_verify_client on;
     ssl_client_certificate /etc/nginx/ssl/data.pem;
}

I also get lots of odd entries in my access logs related to this.
192.x.x.x - - [23/Feb/2010:16:47:04 +0900] “\x16…(snip lots of codes)”
400 173 “-” “-” 0.000 “-” “-” “-” [-] - - - [-] [-]

“\x16…” is SSLv3 handshake message. It seems that nginx logs it as
request line since nginx treats it like a bad request.

So I guess there is not much we can do about that.

Thanks,
Zev

Hello,

On 02/23/2010 06:48 PM, Igor S. wrote:

I use nginx 0.7.62 to proxy a web application and secure it with
I too am getting similar errors with 0.7.65:

      ssl_client_certificate /etc/nginx/ssl/data.pem;
 }

Could you try the attached patch ?

I have installed the patch on one of our internal servers.
The server works and accepts my ssl client certificate.
Also, the error logs are clean.

Unfortunately, I am not able to recreate the errors pm our own
production server that created these errors. So I am not sure
if applying the patch will show that it was fixed or not.

Thanks,
Zev

On Tue, Feb 23, 2010 at 06:35:54PM +0900, Zev B. wrote:

reset to Firefox and generates this error:
2010/02/23 16:02:19 [crit] 7224#0: *46254 SSL_do_handshake() failed
listen 443;

     ssl                  on;
     ssl_certificate      /etc/nginx/ssl/data.crt;
     ssl_certificate_key  /etc/nginx/ssl/data.key;
     ssl_protocols SSLv3 TLSv1;

     # Make sure we verify client side SSL
     ssl_verify_client on;
     ssl_client_certificate /etc/nginx/ssl/data.pem;
}

Could you try the attached patch ?

Hello,

On 02/23/2010 06:48 PM, Igor S. wrote:

error:140D9115:SSL routines:SSL_GET_PREV_SESSION:session id context
uninitialized) while SSL handshaking, client: 77.x.x.x, server
89.x.x.x

Could you try the attached patch ?

I have installed the patch on a production server and this appears to
work!

Thanks,
Zev

Igor S. wrote:

On Tue, Feb 23, 2010 at 06:35:54PM +0900, Zev B. wrote:

reset to Firefox and generates this error:
2010/02/23 16:02:19 [crit] 7224#0: *46254 SSL_do_handshake() failed
listen 443;

     ssl                  on;
     ssl_certificate      /etc/nginx/ssl/data.crt;
     ssl_certificate_key  /etc/nginx/ssl/data.key;
     ssl_protocols SSLv3 TLSv1;

     # Make sure we verify client side SSL
     ssl_verify_client on;
     ssl_client_certificate /etc/nginx/ssl/data.pem;
}

Could you try the attached patch ?

Hi, Igor! I also have the above problem - nginx is working on Windows
(currently on my local computer) and hope the patch will help to fix the
problem. Sorry for the silly question - how to install the patch you
posted here? As far as I can understand - this module is written on C
language. I didn’t have a deal with C anytime unfortunately :frowning: I am a
Java developer. And our system administrator is out of office now. Can
you help me, please?

Igor S. wrote:

On Tue, Apr 06, 2010 at 08:50:26AM +0200, Anna Malova wrote:

     ssl_protocols SSLv3 TLSv1;

problem. Sorry for the silly question - how to install the patch you
posted here? As far as I can understand - this module is written on C
language. I didn’t have a deal with C anytime unfortunately :frowning: I am a
Java developer. And our system administrator is out of office now. Can
you help me, please?

This bug has been fixed in 0.8.34:

*) Bugfix: if ssl_session_cache was not set or was set to "none", 

then
during client certificate verify the error “session id context
uninitialized” might occur; the bug had appeared in 0.7.1.


Igor S.
http://sysoev.ru/en/

I put the ssl_session_cashe parameter to shared:SSL:10m; and certificate
was ok, no errors in log file, but every time when i stop the nginx I
receive the unhandled win32 exception in nginx.exe[6116]. And also the
same unhandled win32 exception in nginx.exe[3480] after checking the
user certificate and passing request to the application server. As a
result, application doesn’t open at all :frowning:

On Tue, Apr 06, 2010 at 08:50:26AM +0200, Anna Malova wrote:

     ssl_protocols SSLv3 TLSv1;

problem. Sorry for the silly question - how to install the patch you
posted here? As far as I can understand - this module is written on C
language. I didn’t have a deal with C anytime unfortunately :frowning: I am a
Java developer. And our system administrator is out of office now. Can
you help me, please?

This bug has been fixed in 0.8.34:

*) Bugfix: if ssl_session_cache was not set or was set to "none", 

then
during client certificate verify the error “session id context
uninitialized” might occur; the bug had appeared in 0.7.1.


Igor S.
http://sysoev.ru/en/

Hello!

On Tue, Apr 06, 2010 at 11:46:25AM +0200, Anna Malova wrote:

This bug has been fixed in 0.8.34:

I put the ssl_session_cashe parameter to shared:SSL:10m; and certificate
was ok, no errors in log file, but every time when i stop the nginx I
receive the unhandled win32 exception in nginx.exe[6116]. And also the
same unhandled win32 exception in nginx.exe[3480] after checking the
user certificate and passing request to the application server. As a
result, application doesn’t open at all :frowning:

Which OS do you use? It’s expected that shared memory won’t work
on Windows Vista and up, see here:

http://nginx.org/en/docs/windows.html

Maxim D.

On Tue, Apr 06, 2010 at 12:24:03PM +0200, Anna Malova wrote:

same unhandled win32 exception in nginx.exe[3480] after checking the
Thank you for the reply! I have Windows XP SP2. I changed nginx to the
older version - the last stable from the nginx.org and it works well. :slight_smile:

What version causes exception - 0.8.34 or 0.8.35 ?


Igor S.
http://sysoev.ru/en/

Igor S. wrote:

On Tue, Apr 06, 2010 at 12:24:03PM +0200, Anna Malova wrote:

same unhandled win32 exception in nginx.exe[3480] after checking the
Thank you for the reply! I have Windows XP SP2. I changed nginx to the
older version - the last stable from the nginx.org and it works well. :slight_smile:

What version causes exception - 0.8.34 or 0.8.35 ?


Igor S.
http://sysoev.ru/en/

0.8.35 causes the exception

Maxim D. wrote:

Hello!

On Tue, Apr 06, 2010 at 11:46:25AM +0200, Anna Malova wrote:

This bug has been fixed in 0.8.34:

I put the ssl_session_cashe parameter to shared:SSL:10m; and certificate
was ok, no errors in log file, but every time when i stop the nginx I
receive the unhandled win32 exception in nginx.exe[6116]. And also the
same unhandled win32 exception in nginx.exe[3480] after checking the
user certificate and passing request to the application server. As a
result, application doesn’t open at all :frowning:

Which OS do you use? It’s expected that shared memory won’t work
on Windows Vista and up, see here:

http://nginx.org/en/docs/windows.html

Maxim D.

Thank you for the reply! I have Windows XP SP2. I changed nginx to the
older version - the last stable from the nginx.org and it works well. :slight_smile:

On Tue, Apr 06, 2010 at 12:34:57PM +0200, Anna Malova wrote:

Igor S. wrote:

On Tue, Apr 06, 2010 at 12:24:03PM +0200, Anna Malova wrote:

same unhandled win32 exception in nginx.exe[3480] after checking the
Thank you for the reply! I have Windows XP SP2. I changed nginx to the
older version - the last stable from the nginx.org and it works well. :slight_smile:

What version causes exception - 0.8.34 or 0.8.35 ?

0.8.35 causes the exception

Could you try 0.8.34 ? 0.8.35 has been built with OpenSSL 1.0.0 while
0.8.34 has been built with OpenSSL 0.9.8k.


Igor S.
http://sysoev.ru/en/

Anna Malova wrote:

Igor S. wrote:

0.8.35 causes the exception

Could you try 0.8.34 ? 0.8.35 has been built with OpenSSL 1.0.0 while
0.8.34 has been built with OpenSSL 0.9.8k.

ok, now I will try it. Thank you for the help.

I just tried it. 0.8.34 doesn’t cause unhandled exceptions at stopping
the nginx, but causes unhandled win32 exception when trying to connect
to application server after receiving user certificate.

Hello!

On Tue, Apr 06, 2010 at 12:24:03PM +0200, Anna Malova wrote:

same unhandled win32 exception in nginx.exe[3480] after checking the
Thank you for the reply! I have Windows XP SP2. I changed nginx to the
older version - the last stable from the nginx.org and it works well. :slight_smile:

Looks like I’m able to reproduce fault on Windows XP even without
ssl_session_cache used, just ssl server configured is enough.
It’s triggered in nginx 0.8.35 by

nginx -s reload
nginx -s stop

sequence. And indeed nginx 0.7.65 doesn’t have this problem.

Maxim D.

Igor S. wrote:

0.8.35 causes the exception

Could you try 0.8.34 ? 0.8.35 has been built with OpenSSL 1.0.0 while
0.8.34 has been built with OpenSSL 0.9.8k.

ok, now I will try it. Thank you for the help.

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs