Forum: NGINX ssl handshake fail when proxy between two tomcat with mutual authentication

2974d09ac2541e892966b762aad84943?d=identicon&s=25 drinsnow (Guest)
on 2013-07-24 02:15
(Received via mailing list)
Hi,

I've got a problem when setting up nginx as load balancer between two
tomcats with mutual authentication.

The system is like: Tomcat1 <--https-> Nginx <--https--> Tomcat2.

Before adding nginx, the mutual authentication between tomcat1 and
tomcat2
works fine, using cert/key and keystore/truststore. Now with nginx,
links
between tomcat1 and nginx is OK, but the SSL handshake between nginx and
tomcat2 not work. Wonder how to assign the keystore/truststore stuff
that
needed when communicating with tomcat2, can't find related directive in
nginx ssl module configuration.

Any idea for this? Thanks!

My nginx configuration is like:

    upstream backend {
        server 10.1.1.1:8443;
        server 10.1.1.2:8443;
    }

    server {
        listen       8443 ssl;
        server_name  localhost;
        ssl_certificate             /etc/nginx/ssl/server.crt;
        ssl_certificate_key         /etc/nginx/ssl/server.key;
        ssl_client_certificate      /etc/nginx/ssl/ca.crt;
        ssl_ciphers ALL:!ADH:!kEDH:!SSLv2:!EXPORT40:!EXP:!LOW;
        ssl_verify_client on;
        ssl_verify_depth 2;

        location / {
            proxy_pass https://backend;
        }
    }

And tomcat2 configuration is like:
    <Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="100"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               SSLEnabled="true"
               SSLCertificateFile="${catalina.base}/conf/ssl/server.crt"
               SSLCertificateKeyFile="${catalina.base}/conf/ssl/server.key"
               SSLCACertificateFile="${catalina.base}/conf/ssl/ca.crt"
               SSLCipherSuite="ALL:!ADH:!kEDH:!SSLv2:!EXPORT40:!EXP:!LOW"
               SSLVerifyClient="require" />

And the error log is:
2013/07/23 20:25:11 [error] 18116#0: *1 SSL_do_handshake() failed (SSL:
error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake
failure:SSL alert number 40) while SSL handshaking to upstream, client
***

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,241171,241171#msg-241171
2974d09ac2541e892966b762aad84943?d=identicon&s=25 flash008 (Guest)
on 2013-12-30 01:53
(Received via mailing list)
Hi Dirnsnow,

Have you find the solution for your problem of mutual auth between Nginx
and
Tomcat2? I meet the same error as yours when I am using Nginx as a
reverse
proxy and trying to mutual talk my backend server through mutual SSL.

Thank you,
flash008

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,241171,245912#msg-245912
Please log in before posting. Registration is free and takes only a minute.
Existing account

NEW: Do you have a Google/GoogleMail, Yahoo or Facebook account? No registration required!
Log in with Google account | Log in with Yahoo account | Log in with Facebook account
No account? Register here.