Forum: NGINX SSL Handshake problems, nginx reverse web proxy.

Nathan (Guest)
on 2013-11-12 18:07
(Received via mailing list)

I am working on setting up an http reverse proxy in front of a
pre-packaged jetty server.  The jetty server is a pre-configured
application, and not very flexible.

Here's the quick and dirty.  I have nginx configured to listen on 443,
using its own SSL cert.  Then behind nginx, I have another server
running this jetty application, with its own cert, on port 9192.

My nginx config looks like this:

server {
    listen       139.147.165.99:443;
    server_name  papercut.dev.lafayette.edu papercut.dev;

    access_log  /var/log/nginx/papercut.dev.lafayette.edu_access;
    error_log   /var/log/nginx/papercut.dev.lafayette.edu_error debug;

    ssl                  on;
    ssl_certificate      /etc/nginx/ssl.crt/papercut.dev.lafayette.edu.crt;
    ssl_certificate_key  /etc/nginx/ssl.key/papercut.dev.lafayette.edu.key;

    ssl_session_timeout  5m;

    ssl_protocols  SSLv3 TLSv1;
    ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:!SSLv2:+EXP;

    ssl_prefer_server_ciphers   on;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;

    location / {
      proxy_pass  https://printman.dev.lafayette.edu:9192;
    }
}

If I hit my vhost on https, I get a 502, bad gateway.

The error log reports:
2013/11/12 12:02:10 [error] 28416#0: *230 SSL_do_handshake() failed (SSL: error:140773F2:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert unexpected message) while SSL handshaking to upstream, client: 10.100.0.12, server: papercut.dev.lafayette.edu, request: "GET / HTTP/1.1", upstream: "https://139.147.165.80:9192/", host: "papercut.dev.lafayette.edu"

From what I can tell, this is saying that the ssl connection from my
proxy to my jetty host is failing negotiation.

If I browse directly to the target, on https and port 9192, it works
perfectly.

openssl s_connect from the proxy to the target seems to work ONLY if I
force sslv3; if I use TLSv1 or sslv2 it fails.  If I use TLSv2 and
use -no_ticket, it works.

I'm wondering if one of these would solve the proxy problem? But how
can I force nginx to use sslv3, or no ticket, when connecting to its
target?

Thanks!
Maxim Dounin (Guest)
on 2013-11-12 18:15
(Received via mailing list)
Hello!

On Tue, Nov 12, 2013 at 12:07:08PM -0500, Nathan wrote:

> I am working on setting up an http reverse proxy in front of a
> pre-packaged jetty server.  The jetty server is a pre-configured
> application, and not very flexible.
>
> Here's the quick and dirty.  I have nginx configured to listen on 443,
> using its own SSL cert.  Then behind nginx, I have another server
> running this jetty application, with its own cert, on port 9192.

[...]

>
> If I browse directly to the target, on https and port 9192, it works
> perfectly.
>
> openssl s_connect from the proxy to the target seems to work ONLY if I
> force sslv3; if I use TLSv1 or sslv2 it fails.  If I use TLSv2 and
> use -no_ticket, it works.
>
> I'm wondering if one of these would solve the proxy problem? But how
> can I force nginx to use sslv3, or no ticket, when connecting to its
> target?

As of nginx 1.5.6+, there is the proxy_ssl_protocols directive
exactly for this kind of problem.  Restricting proxy_ssl_ciphers
to a smaller set may help too (again, in 1.5.6+).

See here for more details:

http://nginx.org/r/proxy_ssl_protocols
http://nginx.org/r/proxy_ssl_ciphers

--
Maxim Dounin
http://nginx.org/en/donation.html
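As an added illustration of the two directives Maxim names (this is example configuration written for this thread, not nginx's documentation or anything Nathan posted), here is Nathan's location block with the upstream-side TLS settings spelled out. It assumes nginx 1.5.6 or newer and the same printman backend; the protocol value follows Nathan's own s_client result, and the cipher string is an assumed, deliberately short list:

```nginx
location / {
    proxy_pass  https://printman.dev.lafayette.edu:9192;

    # Protocol versions nginx offers when it acts as the TLS client towards
    # the upstream. Nathan's s_client probes only completed with SSLv3, so
    # that is the value to try here; widen it (e.g. to TLSv1) once the
    # backend is fixed. This does not affect the client-facing ssl_protocols
    # in the server block, which stays as it is.
    proxy_ssl_protocols  SSLv3;

    # A smaller cipher list shrinks the ClientHello nginx sends upstream,
    # which is the other knob Maxim mentions for backends that choke on the
    # default offer. Assumed list; adjust to what the backend negotiates.
    proxy_ssl_ciphers    HIGH:!aNULL:!MD5;
}
```

Both directives govern only the nginx-to-backend leg; the browser-facing side keeps its own ssl_protocols and ssl_ciphers, so the internal leg can be narrowed without loosening the front door. After a reload, the 502 should disappear and the error log should stop logging `SSL_do_handshake() failed ... while SSL handshaking to upstream` for that upstream.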
Nathan (Guest)
on 2013-11-12 18:23
(Received via mailing list)

On 11/12/2013 12:14 PM, Maxim Dounin wrote:
> Hello!
Hi!


>
> As of nginx 1.5.6+, there is the proxy_ssl_protocols directive
> exactly for this kind of problem.  Restricting proxy_ssl_ciphers to
> a smaller set may help too (again, in 1.5.6+).
>
Good, so now all I have to do is convince EPEL to carry a newer
version of nginx.

# rpm -qa | grep nginx
nginx-1.0.15-5.el6.x86_64

I could go and get an rpm elsewhere, I'm sure; that breaks our
standards though.


Any other suggestions?


> See here for more details:
>
> http://nginx.org/r/proxy_ssl_protocols
> http://nginx.org/r/proxy_ssl_ciphers
>

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nathan Lager, RHCSA, RHCE, RHCVA (#110-011-426)
System Administrator
11 Pardee Hall
Lafayette College, Easton, PA 18042
Maxim Dounin (Guest)
on 2013-11-12 22:19
(Received via mailing list)
Hello!

On Tue, Nov 12, 2013 at 12:22:24PM -0500, Nathan wrote:

> nginx-1.0.15-5.el6.x86_64
>
> I could go and get an rpm elsewhere, I'm sure; that breaks our
> standards though.
>
>
> Any other suggestions?

Source code can be downloaded here:

http://nginx.org/en/download.html

It's more or less trivial to compile.  And we've even added
precompiled mainline packages for various Linuxes, see links on
the same page.

If it doesn't work for you, you have another obvious option:
fixing a backend will do the trick, too.

--
Maxim Dounin
http://nginx.org/en/donation.html
Nathan (Guest)
on 2013-11-13 14:49
(Received via mailing list)

On 11/12/2013 04:18 PM, Maxim Dounin wrote:
> If it doesn't work for you, you have another obvious option: fixing
> a backend will do the trick, too.

Yes, I think this is the optimal solution, but the back end is a
black box controlled by a vendor.  It's jetty, so it's likely that it
_could_ be fixed, but working with them is like pulling teeth.

Thanks for the help.  I'll start digging on both options (upgrading,
or getting the backend fixed).  At least now I know that it's possible
to fix at the nginx end if we're willing to update to latest.