SSL with client certificate errors

Hi,

I use nginx 0.7.62 to proxy a web application and secure it with
client certificates. Quite often NGINX just responds with connection
reset to Firefox and generates this error:

2010/02/08 18:04:49 [crit] 8248#0: *41 SSL_do_handshake() failed (SSL:
error:140D9115:SSL routines:SSL_GET_PREV_SESSION:session id context
uninitialized) while SSL handshaking, client: 77.x.x.x, server
89.x.x.x

Any ideas?

Thanks, /S

On 02/09/2010 02:11 AM, Slawek Zak wrote:

> Any ideas?

I too am getting similar errors with 0.7.65:

2010/02/23 16:02:19 [crit] 7224#0: *46254 SSL_do_handshake() failed
(SSL: error:140D9115:SSL routines:SSL_GET_PREV_SESSION:session id
context uninitialized) while SSL handshaking, client: 192.x.x.x, server:
example.com

I also get lots of odd entries in my access logs related to this.
192.x.x.x - - [23/Feb/2010:16:47:04 +0900] "\x16…(snip lots of codes)"
400 173 "-" "-" 0.000 "-" "-" "-" [-] - - - [-] [-]

Thanks
Zev

On Tue, Feb 23, 2010 at 04:52:29PM +0900, Zev B. wrote:


> Any ideas?
>
> I too am getting similar errors with 0.7.65:
>
> 2010/02/23 16:02:19 [crit] 7224#0: *46254 SSL_do_handshake() failed
> (SSL: error:140D9115:SSL routines:SSL_GET_PREV_SESSION:session id
> context uninitialized) while SSL handshaking, client: 192.x.x.x, server:
> example.com

What are your ssl_session_cache settings?

> I also get lots of odd entries in my access logs related to this.
> 192.x.x.x - - [23/Feb/2010:16:47:04 +0900] "\x16…(snip lots of codes)"
> 400 173 "-" "-" 0.000 "-" "-" "-" [-] - - - [-] [-]

"\x16…" is an SSLv3 handshake message. It seems that nginx logs it as
the request line since nginx treats it like a bad request.


Igor S.
http://sysoev.ru/en/
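Igor's point that the logged "request line" is really the first bytes of a TLS/SSLv3 handshake record can be checked from the access log itself, which is useful when triaging: a spike of such 400s is a handshake-failure symptom, not a flood of malformed HTTP. The following is an added example, not code from the thread or from nginx. It decodes nginx's \xNN escaping of non-printable bytes in the request field and classifies each logged line by what the client actually sent (handshake content type 0x16 followed by a record-layer version, a real HTTP request line, or neither). The log lines, addresses and byte values are constructed for the example, and it assumes the combined-style layout shown in Zev's post.

```python
import re
from collections import Counter

# Layout of the access-log lines shown in the thread:
#   client ident user [time] "request" status bytes ...
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3})'
)

# Record-layer version bytes that may follow the 0x16 (handshake) content type.
RECORD_VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}


def unescape_request(field):
    """Turn nginx's \\xNN escaping of non-printable bytes back into raw bytes."""
    out = bytearray()
    i = 0
    while i < len(field):
        if field.startswith("\\x", i) and i + 4 <= len(field):
            out.append(int(field[i + 2:i + 4], 16))
            i += 4
        else:
            out.extend(field[i].encode("latin-1", "replace"))
            i += 1
    return bytes(out)


def classify_request(raw):
    """Say what the logged 'request line' really was: HTTP, a TLS handshake record, or noise."""
    if len(raw) >= 3 and raw[0] == 0x16 and (raw[1], raw[2]) in RECORD_VERSIONS:
        return "tls-handshake/" + RECORD_VERSIONS[(raw[1], raw[2])]
    if re.match(rb"^[A-Z]{3,7} \S+ HTTP/\d\.\d$", raw):
        return "http"
    return "other"


def summarize(log_text):
    """Count lines by (status, kind); many 400/tls-handshake entries is the symptom from the thread."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            kind = classify_request(unescape_request(m.group("request")))
            counts[(m.group("status"), kind)] += 1
    return dict(counts)


# Constructed sample, modelled on the line Zev posted (addresses from RFC 5737 documentation ranges).
SAMPLE_LOG = r'''
192.0.2.10 - - [23/Feb/2010:16:47:04 +0900] "\x16\x03\x00\x00\x8C\x01\x00\x00\x88\x03\x00" 400 173 "-" "-"
192.0.2.11 - - [23/Feb/2010:16:47:09 +0900] "\x16\x03\x01\x00\xC8\x01\x00\x00\xC4\x03\x01" 400 173 "-" "-"
198.51.100.7 - - [23/Feb/2010:16:50:12 +0900] "GET /app/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [23/Feb/2010:16:51:30 +0900] "\x00\x00\x00\x00" 400 173 "-" "-"
'''

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(key, n)
```

Run it against a real access log by passing the file contents to summarize(); the (status, kind) counts separate handshake noise from genuinely bad HTTP requests, which is what you want before deciding whether the 400s are a client-side or server-side problem.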

On Mon, Feb 08, 2010 at 06:11:21PM +0100, Slawek Zak wrote:

> Hi,
>
> I use nginx 0.7.62 to proxy a web application and secure it with
> client certificates. Quite often NGINX just responds with connection
> reset to Firefox and generates this error:
>
> 2010/02/08 18:04:49 [crit] 8248#0: *41 SSL_do_handshake() failed (SSL:
> error:140D9115:SSL routines:SSL_GET_PREV_SESSION:session id context
> uninitialized) while SSL handshaking, client: 77.x.x.x, server
> 89.x.x.x

Do you see it with Firefox only, or with other browsers too?
What are your ssl_session_cache settings?


Igor S.
http://sysoev.ru/en/

Hello,

On 02/23/2010 06:24 PM, Igor S. wrote:


> What are your ssl_session_cache settings?

At the moment it is not set, so it is using whatever the default is.
Here is a short example of what I am using:

server {
     listen 443;

     ssl                  on;
     ssl_certificate      /etc/nginx/ssl/data.crt;
     ssl_certificate_key  /etc/nginx/ssl/data.key;
     ssl_protocols SSLv3 TLSv1;

     # Make sure we verify client side SSL
     ssl_verify_client on;
     ssl_client_certificate /etc/nginx/ssl/data.pem;
}

> > I also get lots of odd entries in my access logs related to this.
> > 192.x.x.x - - [23/Feb/2010:16:47:04 +0900] "\x16…(snip lots of codes)"
> > 400 173 "-" "-" 0.000 "-" "-" "-" [-] - - - [-] [-]
>
> "\x16…" is an SSLv3 handshake message. It seems that nginx logs it as
> the request line since nginx treats it like a bad request.

So I guess there is not much we can do about that.

Thanks,
Zev

Hello,

On 02/23/2010 06:48 PM, Igor S. wrote:


> Could you try the attached patch?

I have installed the patch on one of our internal servers.
The server works and accepts my ssl client certificate.
Also, the error logs are clean.

Unfortunately, I am not able to recreate the errors on our own
production server that created these errors. So I am not sure
if applying the patch will show that it was fixed or not.

Thanks,
Zev

On Tue, Feb 23, 2010 at 06:35:54PM +0900, Zev B. wrote:

> listen 443;
>
>      ssl                  on;
>      ssl_certificate      /etc/nginx/ssl/data.crt;
>      ssl_certificate_key  /etc/nginx/ssl/data.key;
>      ssl_protocols SSLv3 TLSv1;
>
>      # Make sure we verify client side SSL
>      ssl_verify_client on;
>      ssl_client_certificate /etc/nginx/ssl/data.pem;
> }

Could you try the attached patch?

Hello,

On 02/23/2010 06:48 PM, Igor S. wrote:


> Could you try the attached patch?

I have installed the patch on a production server and this appears to
work!

Thanks,
Zev

Igor S. wrote:


> Could you try the attached patch?

Hi, Igor! I also have the above problem - nginx is working on Windows
(currently on my local computer) and I hope the patch will help to fix the
problem. Sorry for the silly question - how do I install the patch you
posted here? As far as I can understand, this module is written in C.
Unfortunately I have never dealt with C :( I am a Java developer, and our
system administrator is out of the office now. Can you help me, please?

Igor S. wrote:


> This bug has been fixed in 0.8.34:
>
> *) Bugfix: if ssl_session_cache was not set or was set to "none", then
>    during client certificate verify the error "session id context
>    uninitialized" might occur; the bug had appeared in 0.7.1.

I set the ssl_session_cache parameter to shared:SSL:10m; and the certificate
was OK, with no errors in the log file, but every time I stop nginx I
receive an unhandled win32 exception in nginx.exe[6116]. I also get the
same unhandled win32 exception in nginx.exe[3480] after the user
certificate is checked and the request is passed to the application server.
As a result, the application doesn't open at all :(

On Tue, Apr 06, 2010 at 08:50:26AM +0200, Anna Malova wrote:


> Sorry for the silly question - how do I install the patch you
> posted here? As far as I can understand, this module is written in C.
> Unfortunately I have never dealt with C :( I am a Java developer, and our
> system administrator is out of the office now. Can you help me, please?

This bug has been fixed in 0.8.34:

*) Bugfix: if ssl_session_cache was not set or was set to "none", then
   during client certificate verify the error "session id context
   uninitialized" might occur; the bug had appeared in 0.7.1.


Igor S.
http://sysoev.ru/en/
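The fix Igor describes is either an upgrade to 0.8.34 or later or, on the affected versions, a session cache that is actually configured; Anna's later reply confirms that shared:SSL:10m makes the certificate check work. Because that is a one-line difference per server block, it is easy to miss in a large config. The following is an added example, not nginx's code and not anything posted in the thread: a small audit that parses a config and flags every SSL server block that verifies client certificates while ssl_session_cache is unset or "none". The parser is deliberately minimal (it does not follow include or expand variables; that is an assumption of this example), and the two sample configs are constructed from Zev's snippet, one as posted and one with a session cache added.

```python
import re

# ssl_verify_client values that make nginx run the client-certificate verify path.
VERIFY_MODES = {"on", "optional", "optional_no_ca"}


def parse_config(text):
    """Minimal nginx config parser: a list of (name, args, children) triples.

    Good enough for auditing literal server blocks; it does not follow
    'include' or expand variables (an assumption of this example).
    """
    text = re.sub(r"#[^\n]*", "", text)  # strip comments
    tokens = re.findall(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+', text)

    def parse(i):
        items = []
        while i < len(tokens):
            if tokens[i] == "}":
                return items, i + 1
            args = []
            while tokens[i] not in ("{", ";"):
                args.append(tokens[i])
                i += 1
            if tokens[i] == ";":
                items.append((args[0], args[1:], None))
                i += 1
            else:
                children, i = parse(i + 1)
                items.append((args[0], args[1:], children))
        return items, i

    return parse(0)[0]


def iter_servers(items):
    """Yield the children of every server { } block, at any nesting depth."""
    for name, args, children in items:
        if children is None:
            continue
        if name == "server":
            yield children
        else:
            yield from iter_servers(children)


def audit_server(children):
    """Return a list of findings for one server block (empty means nothing to report)."""
    first = {}
    for name, args, sub in children:
        if sub is None:
            first.setdefault(name, args)  # first occurrence wins
    ssl_on = first.get("ssl", ["off"])[0] == "on" or "ssl" in first.get("listen", [])
    if not ssl_on:
        return []
    verify = first.get("ssl_verify_client", ["off"])[0]
    cache = first.get("ssl_session_cache", ["none"])[0]  # nginx's default is 'none'
    names = " ".join(first.get("server_name", ["(no server_name)"]))
    findings = []
    if verify in VERIFY_MODES and cache == "none":
        findings.append(
            f"{names}: ssl_verify_client {verify} with ssl_session_cache unset/none; "
            "nginx 0.7.1 through 0.8.33 fails client-certificate handshakes here with "
            "'session id context uninitialized'. Upgrade to 0.8.34 or later, or add "
            "'ssl_session_cache shared:SSL:10m;'."
        )
    return findings


def audit_config(text):
    """Audit every server block in a config string; returns the combined findings."""
    findings = []
    for server in iter_servers(parse_config(text)):
        findings.extend(audit_server(server))
    return findings


# Constructed from Zev's snippet: the block as posted (weak), plus a plain-HTTP server
# to show that non-SSL blocks are ignored.
WEAK_CONFIG = """
http {
    server {
        listen 443;
        server_name app.example.com;
        ssl                  on;
        ssl_certificate      /etc/nginx/ssl/data.crt;
        ssl_certificate_key  /etc/nginx/ssl/data.key;
        ssl_protocols SSLv3 TLSv1;
        # Make sure we verify client side SSL
        ssl_verify_client on;
        ssl_client_certificate /etc/nginx/ssl/data.pem;
    }
    server { listen 80; server_name app.example.com; }
}
"""

# The same block with a shared session cache configured, which is the setting the thread ends on.
FIXED_CONFIG = WEAK_CONFIG.replace(
    "ssl_verify_client on;",
    "ssl_session_cache    shared:SSL:10m;\n        ssl_session_timeout  10m;\n        ssl_verify_client on;",
)

if __name__ == "__main__":
    for finding in audit_config(WEAK_CONFIG):
        print("WEAK:", finding)
    print("FIXED:", audit_config(FIXED_CONFIG) or "no findings")
```

Pointing audit_config() at the flattened output of nginx -T (available in later nginx versions) removes the include limitation, since that output is the fully merged configuration.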

Hello!

On Tue, Apr 06, 2010 at 11:46:25AM +0200, Anna Malova wrote:


> I set the ssl_session_cache parameter to shared:SSL:10m; and the certificate
> was OK, with no errors in the log file, but every time I stop nginx I
> receive an unhandled win32 exception in nginx.exe[6116]. I also get the
> same unhandled win32 exception in nginx.exe[3480] after the user
> certificate is checked and the request is passed to the application server.
> As a result, the application doesn't open at all :(

Which OS do you use? It’s expected that shared memory won’t work
on Windows Vista and up, see here:

http://nginx.org/en/docs/windows.html

Maxim D.

On Tue, Apr 06, 2010 at 12:24:03PM +0200, Anna Malova wrote:

> Thank you for the reply! I have Windows XP SP2. I changed nginx to the
> older version, the latest stable from nginx.org, and it works well. :)

Which version causes the exception: 0.8.34 or 0.8.35?


Igor S.
http://sysoev.ru/en/

Igor S. wrote:


> Which version causes the exception: 0.8.34 or 0.8.35?

0.8.35 causes the exception.

Maxim D. wrote:


> Which OS do you use? It's expected that shared memory won't work
> on Windows Vista and up, see here:
>
> nginx for Windows (http://nginx.org/en/docs/windows.html)

Thank you for the reply! I have Windows XP SP2. I changed nginx to the
older version, the latest stable from nginx.org, and it works well. :)

On Tue, Apr 06, 2010 at 12:34:57PM +0200, Anna Malova wrote:


> > Which version causes the exception: 0.8.34 or 0.8.35?
>
> 0.8.35 causes the exception.

Could you try 0.8.34? 0.8.35 has been built with OpenSSL 1.0.0, while
0.8.34 has been built with OpenSSL 0.9.8k.


Igor S.
http://sysoev.ru/en/

Anna Malova wrote:

> Igor S. wrote:
>
> > Could you try 0.8.34? 0.8.35 has been built with OpenSSL 1.0.0, while
> > 0.8.34 has been built with OpenSSL 0.9.8k.
>
> OK, now I will try it. Thank you for the help.

I just tried it. 0.8.34 doesn't cause unhandled exceptions when stopping
nginx, but it causes an unhandled win32 exception when trying to connect
to the application server after receiving the user certificate.

Hello!

On Tue, Apr 06, 2010 at 12:24:03PM +0200, Anna Malova wrote:

> Thank you for the reply! I have Windows XP SP2. I changed nginx to the
> older version, the latest stable from nginx.org, and it works well. :)

Looks like I'm able to reproduce the fault on Windows XP even without
ssl_session_cache in use; just having an SSL server configured is enough.
It's triggered in nginx 0.8.35 by the sequence

nginx -s reload
nginx -s stop

And indeed nginx 0.7.65 doesn't have this problem.

Maxim D.

Igor S. wrote:

> > 0.8.35 causes the exception.
>
> Could you try 0.8.34? 0.8.35 has been built with OpenSSL 1.0.0, while
> 0.8.34 has been built with OpenSSL 0.9.8k.

OK, now I will try it. Thank you for the help.