Forum: NGINX SSL handshake fail between nginx and my tomcat with mutual authentication

flash008 (Guest)
on 2014-01-03 10:35
(Received via mailing list)
Hi All,

I am using Nginx 1.4.4 as a reverse proxy for my Tomcat server. My problem
is that the SSL handshake fails between Nginx and Tomcat with mutual SSL
authentication. I have verified that client to Nginx with mutual SSL is
working. But if my upstream backend is also using an https:mutual port, the
path will fail with this error:
[error] 1816#3436: *23 SSL_do_handshake() failed (SSL:
routines:SSL3_READ_BYTES:sslv3 alert bad certificate:SSL alert number
while SSL handshaking to upstream, client: xx.xx.xx.xx, server:, request: "GET / HTTP/1.1", upstream:
"https://xx.xx.xx.xx:8082/", host: "xx.xx.xx.xx:8002"

My upstream server https://xx.xx.xx.xx:8082 is using mutual SSL and works
perfectly without Nginx.
The Nginx host https://xx.xx.xx.xx:8002 is using mutual SSL and also works
perfectly without the upstream mutual SSL, or with only the HTTP port.
The problem is: when both Nginx and the upstream require mutual SSL, and I
would like to pass the client certificate to Nginx and then on to my
upstream server, an SSL handshake error occurs.

I have tried to add the client cert in headers, but no luck. Here is part of
the nginx config:
  server {
    listen       xx.xx.xx.xx:8002;
    server_name  xx.xx.xx.xx;

    ssl on;
    ssl_certificate      C:/nginx-1.4.4/cert/MyServer.crt;
    ssl_certificate_key  C:/nginx-1.4.4/cert/MyServer.key;

    ssl_client_certificate   C:/nginx-1.4.4/cert/MyCA.pem;
    ssl_trusted_certificate  C:/nginx-1.4.4/cert/MyCA.pem;

    ssl_prefer_server_ciphers  on;
    ssl_verify_client  on;
    ssl_verify_depth   3;
    ssl_protocols  SSLv2 SSLv3 TLSv1;

    access_log  C:/nginx-1.4.4/logs/access_8002.log;
    error_log   C:/nginx-1.4.4/logs/error_8002.log debug;

    root   html;
    index  index.html index.htm;

    location / {
      # upstream address as reported in the error log above
      proxy_pass https://xx.xx.xx.xx:8082/;
      proxy_redirect default;
      proxy_set_header  Host  $host:$server_port;

      proxy_set_header  X-Real-IP        $remote_addr;
      proxy_set_header  Client-IP        $remote_addr;
      proxy_set_header  X-Forwarded-For  $proxy_add_x_forwarded_for;
      proxy_set_header  X-Forwarded-Ssl  on;
      proxy_set_header  X-Client-Verify      $ssl_client_verify;
      proxy_set_header  X-SSL-Client-Cert    $ssl_client_cert;
      proxy_set_header  X-SSL-Client-Serial  $ssl_client_serial;
      proxy_set_header  X-SSL-Client-Verify  $ssl_client_verify;
      proxy_set_header  X-SSL-Client-S-DN    $ssl_client_s_dn;
    }
  }


Is this usage supported by Nginx?
I would be very grateful if someone can point me some clues or

Thanks and Best Regards,

Posted at Nginx Forum:,245971,245971#msg-245971
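For reference, an added example (not from the thread and not the poster's own config) of how a mutual-TLS hop to the upstream is expressed in later nginx releases: nginx is a separate TLS client towards Tomcat, so the upstream handshake needs nginx's own client certificate rather than the headers carrying the browser's certificate. Certificate paths and the ProxyClient.crt/.key names are placeholders; the proxy_ssl_* directives below require nginx 1.7.0 or newer, not 1.4.4.

```nginx
server {
    listen       xx.xx.xx.xx:8002 ssl;
    server_name  xx.xx.xx.xx;

    # Downstream (client -> nginx) mutual TLS, as in the original post.
    ssl_certificate         C:/nginx/cert/MyServer.crt;    # placeholder path
    ssl_certificate_key     C:/nginx/cert/MyServer.key;    # placeholder path
    ssl_client_certificate  C:/nginx/cert/MyCA.pem;        # placeholder path
    ssl_verify_client       on;
    ssl_verify_depth        3;

    # The original used "ssl_protocols SSLv2 SSLv3 TLSv1;", which is weak.
    ssl_protocols              TLSv1.2;
    ssl_prefer_server_ciphers  on;

    location / {
        proxy_pass https://xx.xx.xx.xx:8082/;

        # Upstream (nginx -> Tomcat) mutual TLS: nginx presents its OWN
        # client certificate. The downstream client's certificate cannot be
        # reused here because nginx never holds that client's private key.
        # (proxy_ssl_certificate* exist in nginx 1.7.0 and later.)
        proxy_ssl_certificate      C:/nginx/cert/ProxyClient.crt;  # placeholder
        proxy_ssl_certificate_key  C:/nginx/cert/ProxyClient.key;  # placeholder

        # Verify the upstream's server certificate against the CA.
        proxy_ssl_trusted_certificate  C:/nginx/cert/MyCA.pem;      # placeholder
        proxy_ssl_verify               on;
        proxy_ssl_verify_depth         2;
        proxy_ssl_protocols            TLSv1.2;

        # The original client's identity travels as application headers;
        # it is not part of the upstream TLS handshake.
        proxy_set_header  X-SSL-Client-Verify  $ssl_client_verify;
        proxy_set_header  X-SSL-Client-S-DN    $ssl_client_s_dn;
        proxy_set_header  X-SSL-Client-Cert    $ssl_client_cert;
    }
}
```

The X-SSL-Client-* headers are only trustworthy if Tomcat accepts connections solely from this nginx instance (for example by requiring the ProxyClient certificate), since any direct client could otherwise set them itself.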
rjoshi (Guest)
on 2014-08-19 04:29
(Received via mailing list)