Bug re: openssl-1.0.1

Hi All
I’m trying to use nginx to also proxy to owa. I am getting the error: peer closed connection in SSL handshake while SSL handshaking to upstream

I have read that this is due to a bug and that the solution is to downgrade to openssl 1.0

I don’t want to downgrade because I would want users to be able to connect using TLS-1.1 and 1.2 and my understanding is that support for these protocols was introduced in openssl-1.0.1

So my question is: Is this a bug in nginx or in openssl? If nginx, has it been fixed yet or will it be soon?

Hi All
I’m trying to use nginx to also proxy to owa. I am getting the error
peer closed connection in SSL handshake while SSL handshaking to upstream

I have read that this is due to a bug and that the solution is to downgrade to openssl 1.0

Where did you read that? From the information you provided, there is no way to understand the issue here at all.

Reproduce this with nginx in debug mode, post the output and, better yet, post an ssldump sample of the failed handshake as well.

Lukas

Hi. Thanks for replying.
I read it in two places. Here are the links.
1.

2.
http://w3facility.org/question/forcing-a-particular-ssl-protocol-for-an-nginx-proxying-server/

The full error is this: peer closed connection in SSL handshake while SSL handshaking, client: <client_IP>, server: <Server_FQDN> request: “POST /Microsoft-Server-ActiveSync?Cmd=Ping&User=%5C<user_name>&DeviceId=SEC090121863242D&DeviceType=SAMSUNGSMT800 HTTP/1.1”, upstream: “https://SERVER_IP:443/Microsoft-Server-ActiveSync?Cmd=Ping&User=%5C<USER_NAME>&DeviceId=SAMSUNGSGHI337”, host: “<SERVER_FQDN>”

produced with debugging enabled.

If I run openssl s_client -connect <SERVER_IP>:443 I get:
CONNECTED(00000003)
675508300:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/usr/src/secure/lib/libssl/…/…/…/crypto/openssl/ssl/s23_lib.c:184:

no peer certificate available

No client certificate CA names sent

SSL handshake has read 0 bytes and written 307 bytes

New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE

If I run

openssl s_client -connect <SERVER_IP>:443 -ssl3 the connection works but it won’t work from nginx even when I enable SSLv3.

Hope I provided enough info. If not please let me know.

/Microsoft-Server-ActiveSync?Cmd=Ping&User=%5C<user_name>&DeviceId=SEC090121863242D&DeviceType=SAMSUNGSMT800

failure:/usr/src/secure/lib/libssl/…/…/…/crypto/openssl/ssl/s23_lib.c:184:
[…]
If I run openssl s_client -connect <SERVER_IP>:443 -ssl3 the connection works but it won’t work from nginx even when I enable SSLv3.

Ok, so you are running into this particular bug. However, it’s supposed to have been fixed a very long time ago, in openssl 1.0.1b.

I guess you are running with an nginx executable from a third party that has been linked to an older release of openssl.

What OS/kernel/nginx/openssl release are you running exactly and how did you install it (for example, did you install openssl and nginx via apt-get from the original ubuntu repositories, or did you install from the nginx repository or from source)?

Lukas

I guess you are running with an nginx executable from a third party that has been linked to an older release of openssl.

Since you can reproduce it with openssl s_client, it probably is more
complicated than that.

Can you provide an ssldump of the failed connection attempt?

Lukas

Sorry for taking so long to reply. I am running FreeBSD 10.1 RELEASE, the OpenSSL version is OpenSSL 1.0.1j, and I installed it from the ports tree (source).

Regards

I did an ssldump and this is the conversation between both servers:

New TCP connection #1: nginx.domain.net(46318) <-> backend.domain.net(443)
TCP: nginx.domain.net(46318) -> backend.domain.net(443) Seq 54751863.(307) ACK 350741031 PUSH
1 1 1421082336.3009 (0.0012) C>SV3.1(302) Handshake
ClientHello
Version 3.3
random[32]=
62 5f 64 b9 b1 3f b7 22 17 f0 87 92 f1 0e e5 9f
5d c5 1b 66 c8 49 af 17 dc f7 5d b7 cc 7d 8d 49
cipher suites
Unknown value 0xc030
Unknown value 0xc02c
Unknown value 0xc028
Unknown value 0xc024
Unknown value 0xc014
Unknown value 0xc00a
Unknown value 0xa3
Unknown value 0x9f
Unknown value 0x6b
Unknown value 0x6a
Unknown value 0x39
Unknown value 0x38
Unknown value 0x88
Unknown value 0x87
Unknown value 0xc032
Unknown value 0xc02e
Unknown value 0xc02a
Unknown value 0xc026
Unknown value 0xc00f
Unknown value 0xc005
Unknown value 0x9d
Unknown value 0x3d
Unknown value 0x35
Unknown value 0x84
Unknown value 0xc02f
Unknown value 0xc02b
Unknown value 0xc027
Unknown value 0xc023
Unknown value 0xc013
Unknown value 0xc009
Unknown value 0xa2
Unknown value 0x9e
TLS_DHE_DSS_WITH_NULL_SHA
Unknown value 0x40
Unknown value 0x33
Unknown value 0x32
Unknown value 0x9a
Unknown value 0x99
Unknown value 0x45
Unknown value 0x44
Unknown value 0xc031
Unknown value 0xc02d
Unknown value 0xc029
Unknown value 0xc025
Unknown value 0xc00e
Unknown value 0xc004
Unknown value 0x9c
Unknown value 0x3c
Unknown value 0x2f
Unknown value 0x96
Unknown value 0x41
TLS_RSA_WITH_IDEA_CBC_SHA
Unknown value 0xc011
Unknown value 0xc007
Unknown value 0xc00c
Unknown value 0xc002
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
Unknown value 0xc012
Unknown value 0xc008
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
Unknown value 0xc00d
Unknown value 0xc003
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_RSA_WITH_DES_CBC_SHA
TLS_DHE_DSS_WITH_DES_CBC_SHA
TLS_RSA_WITH_DES_CBC_SHA
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
TLS_RSA_EXPORT_WITH_RC4_40_MD5
Unknown value 0xff
compression methods
NULL

You were absolutely correct. It is working now. I changed three things. I firstly forced TLS 1.0, then changed the directive ssl_protocols to proxy_ssl_protocols as you suggested. Finally, I restricted the cipher list as you also mentioned. I had thought that I would leave all that out and tie things down when I got it working. I never thought being so liberal would prevent it from working in the first place. Thanks for your thoughts.

Regards.

I did an ssldump and this is the conversation between both servers:

This ssldump seems incomplete, there is no response. Please post the
full ssldump.

The bug is probably neither in openssl nor in nginx, but in the origin
server (but we don’t have the full handshake here).

Since nginx 1.5.6, you can configure proxy_ssl_protocols and proxy_ssl_ciphers to configure backend ssl traffic, which may allow you to work around certain backend bugs.

Certainly a lot of bogus ciphers are enabled by default in your
setup (NULL, EXPORT, etc).

If you have nginx >= 1.5.6, you can probably work around this by forcing SSLv3 (which I would not recommend at all):
proxy_ssl_protocols SSLv3;

But I would rather configure a sane cipher list with proxy_ssl_ciphers and see if you can get it working with it (see [1]).

Try playing with “openssl s_client -cipher ” to find
a secure and working configuration.

Regards,

Lukas

[1]
https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
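As an added illustration (not configuration from the thread or from the nginx project), this shows the confusion the reporter ran into and the fix Lukas describes: ssl_protocols/ssl_ciphers only govern the client-facing listener, while the handshake nginx performs as a client to the backend is controlled by the proxy_ssl_* directives (nginx 1.5.6 for protocols/ciphers, 1.7.0 for verification and SNI). Hostnames, certificate paths and the CA bundle are placeholders.

```nginx
# Before: what the reporter had. These directives shape the TLS offered
# to browsers/devices only; the upstream handshake still uses the
# OpenSSL defaults (including NULL and EXPORT suites seen in the ssldump).
server {
    listen 443 ssl;
    server_name owa.example.com;                 # placeholder
    ssl_certificate     /etc/ssl/owa.crt;        # placeholder
    ssl_certificate_key /etc/ssl/owa.key;        # placeholder
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;         # client side only
    ssl_ciphers   HIGH:!aNULL:!MD5;              # client side only

    location / {
        proxy_pass https://backend.domain.net;   # upstream: OpenSSL defaults
    }
}

# After: the resolution described in the thread. Pin the upstream protocol
# the backend was observed to accept (TLSv1 in the reporter's case) and a
# restricted cipher list, and (nginx >= 1.7.0) verify the backend cert.
server {
    listen 443 ssl;
    server_name owa.example.com;                 # placeholder
    ssl_certificate     /etc/ssl/owa.crt;        # placeholder
    ssl_certificate_key /etc/ssl/owa.key;        # placeholder
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers   HIGH:!aNULL:!MD5;

    location / {
        proxy_pass https://backend.domain.net;
        # nginx >= 1.5.6: control the handshake toward the backend
        proxy_ssl_protocols TLSv1;
        proxy_ssl_ciphers   HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK;
        # nginx >= 1.7.0: do not trust an unauthenticated backend
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/ssl/internal-ca.pem;  # placeholder
        proxy_ssl_server_name on;                # send SNI to the backend
    }
}
```

Widen proxy_ssl_protocols again once the backend is fixed; TLSv1 alone is a workaround for this backend, not a recommended baseline.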