SSL test causes nginx to crash (SSL_do_handshake() failed)

I tried to use the ssltest from qualys.com:
SSL Server Test (Powered by Qualys SSL Labs)

Every time I run it, my nginx server (ssl terminator) crashes and I have to
restart it.

I get the following error in my nginx logs:

*734 SSL_do_handshake() failed (SSL: error:140A1175:SSL
routines:SSL_BYTES_TO_CIPHER_LIST:inappropriate fallback) while SSL
handshaking, client: …, server: …

I’ve got the following configuration:

server {
    listen …:80;
    add_header Strict-Transport-Security max-age=15768000;
    server_name …;
    rewrite ^ https://$server_name$uri? permanent;
    #location / {
    #    proxy_pass …:80;
    #    proxy_set_header Host $host;
    #    proxy_set_header X-Real-IP $remote_addr;
    #    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #}
}

server {
    listen …:443;
    ssl on;

    ssl_certificate /etc/nginx/certkeys/…crt;
    ssl_certificate_key /etc/nginx/certkeys/…key;
    server_name …;
    access_log /var/log/nginx/running.log;
    error_log /var/log/nginx/errorReport.log;
    keepalive_timeout 70;
    ssl_session_timeout 30m;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;

    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass …:80/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

Posted at Nginx Forum:

kostbad:

Every time I run it, my nginx server (ssl terminator) crashes and I have to
restart it.

I get the following error in my nginx logs:

*734 SSL_do_handshake() failed (SSL: error:140A1175:SSL
routines:SSL_BYTES_TO_CIPHER_LIST:inappropriate fallback) while SSL
handshaking, client: …, server: …

That’s not a “crash”.
Scanning a server using ssllabs generates many error messages of this
kind.
That’s intentional.

While the scan runs and also after the scan the server should be
accessible as usual.
If not, that would be an error - true.
But the log message you presented above doesn’t show such an error.

Andreas
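
The distinction drawn in this reply, between handshake failures a scanner provokes on purpose and a real failure, can be checked against the error log. This is an added example, not part of the thread: a Python triage of nginx error-log lines that also unpacks the OpenSSL error code (1.0.x/1.1.x layout). The sample lines, addresses, host names and category names are constructed.

```python
import re
from collections import Counter

# Reason strings a TLS scanner provokes on purpose. "inappropriate fallback"
# is the server refusing a downgraded ClientHello that carries
# TLS_FALLBACK_SCSV, i.e. downgrade protection doing its job.
SCANNER_REASONS = {"inappropriate fallback", "no shared cipher",
                   "unsupported protocol", "unknown protocol",
                   "wrong version number", "version too low"}

LINE_RE = re.compile(r"^\S+ \S+ \[(?P<level>\w+)\] \d+#\d+: (?:\*\d+ )?(?P<msg>.*)$")
SSL_RE = re.compile(r"\(SSL: error:(?P<code>[0-9A-Fa-f]{8}):[^:]*:[^:]*:(?P<reason>[^)]+)\)")

def unpack_error(code_hex):
    """Split an OpenSSL 1.0.x/1.1.x packed error code into (lib, func, reason)."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def classify(line):
    """Return (category, detail) for one nginx error-log line."""
    m = LINE_RE.match(line)
    if not m:
        return ("unparsed", None)
    msg = m.group("msg")
    ssl = SSL_RE.search(msg)
    if ssl and "while SSL handshaking" in msg:
        reason = ssl.group("reason").strip()
        kind = "scanner-noise" if reason in SCANNER_REASONS else "handshake-other"
        return (kind, reason)
    if "exited on signal" in msg:          # an actual worker crash
        return ("worker-crash", msg)
    if "upstream prematurely closed connection" in msg:
        return ("upstream-failure", msg)   # backend problem, not TLS
    return ("other", msg)

def triage(lines):
    """Count categories and collect the lines that are not scanner noise."""
    counts, attention = Counter(), []
    for line in lines:
        kind, _ = classify(line)
        counts[kind] += 1
        if kind != "scanner-noise":
            attention.append(line)
    return counts, attention

# Constructed sample lines (addresses and host names are placeholders).
SAMPLE = [
    '2016/05/04 06:40:11 [info] 2211#0: *734 SSL_do_handshake() failed (SSL: error:140A1175:SSL routines:SSL_BYTES_TO_CIPHER_LIST:inappropriate fallback) while SSL handshaking, client: 192.0.2.10, server: 0.0.0.0:443',
    '2016/05/04 06:40:12 [info] 2211#0: *735 SSL_do_handshake() failed (SSL: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher) while SSL handshaking, client: 192.0.2.10, server: 0.0.0.0:443',
    '2016/05/04 06:41:02 [error] 2211#0: *113 upstream prematurely closed connection while reading response header from upstream, client: 198.51.100.7, server: example.test, request: "GET /images/logo.jpg HTTP/1.1", upstream: "http://10.0.0.5:80/images/logo.jpg", host: "example.test"',
    '2016/05/04 06:41:30 [alert] 2210#0: worker process 2211 exited on signal 11',
]
```

Running `triage()` over a real error log leaves only the lines worth investigating; the low 12 bits returned by `unpack_error("140A1175")` are the reason code that OpenSSL renders as the trailing text of the log message.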

When ssllabs tests for deprecated cipher suites, it stays there forever.
I have to close the ssllabs test page and then my nginx server stays down
until I restart it.

I also got the following error:
113 upstream prematurely closed connection while reading response header
from upstream, client: … server: …, request: “GET
/…/images/logo.jpg HTTP/1.1”, upstream:
“http:…80/…/images/logo.jpg”, host: “…”,
referrer: “https://…”


The nginx version is 1.2.6.


When ssllabs tests for deprecated cipher suites, it stays there forever.
I have to close the ssllabs test page and then my nginx server stays down
until I restart it.

Please provide the output of nginx -V.

Sorry, this is the output I get:
Thanks, it’s probably time to update my system.

nginx version: nginx/1.2.6
built by gcc 4.4.4 20100726 (Red Hat 4.4.4-13) (GCC)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx/ --sbin-path=/usr/sbin/nginx
--conf-path=/etc/nginx/nginx.conf
--error-log-path=/var/log/nginx/error.log
--http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid
--lock-path=/var/run/nginx.lock
--http-client-body-temp-path=/var/cache/nginx/client_temp
--http-proxy-temp-path=/var/cache/nginx/proxy_temp
--http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp
--http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp
--http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx
--group=nginx
--with-http_ssl_module --with-http_realip_module
--with-http_addition_module
--with-http_sub_module --with-http_dav_module --with-http_flv_module
--with-http_mp4_module --with-http_gzip_static_module
--with-http_random_index_module --with-http_secure_link_module
--with-http_stub_status_module --with-mail --with-mail_ssl_module
--with-file-aio --with-ipv6 --with-cc-opt='-O2 -g'


How do I update to the latest stable version of nginx on a CentOS 6.7
server?

Are there any precautions before the update? Will it affect my current
settings-conf?


nginx version: nginx/1.2.6
built by gcc 4.4.4 20100726 (Red Hat 4.4.4-13) (GCC)
[…]
CentOS 6.7 server

Try disabling kerberos cipher suites [1], you may be hitting
some obscure CentOS/RedHat libc issues [2].

[1] https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.2.6&openssl=1.0.1e&hsts=no&profile=old
[2] debugging a crash in haproxy - atp

Hello!

On Wed, May 04, 2016 at 06:58:19AM -0400, kostbad wrote:

The nginx version is 1.2.6.

That’s not “nginx -V” output you were asked for. Nevertheless,
it’s probably enough to conclude you should upgrade before doing
anything else. The 1.2.x branch is not supported for more than 3
years now.


Maxim D.
http://nginx.org/

I updated nginx but the problem persists.

Could it be some sort of misconfiguration of my nginx?

No, but I suggest you try reconfiguring your cipher suites anyway to
exclude anything kerberos related like previously suggested.

Lukas

I updated nginx but the problem persists.

Could it be some sort of misconfiguration of my nginx?
