Karthik S

Reputation: 137

SSL Handshake problems with nginx reverse proxy

I have set up an HTTP reverse proxy in front of a pre-packaged Jetty server. The Jetty server is a pre-configured application and not very flexible. This Jetty server will accept only SSL requests.

I have nginx configured to listen on 443 with SSL traffic, using its own SSL cert. Then behind nginx, I have another server on another machine running the Jetty server, with its own cert, on port 443.

My nginx configuration looks like this:

server {
    listen               443;
    server_name          _;
    ssl                  on;
    ssl_certificate      cc_net.pem;
    ssl_certificate_key  cc_net.key;

    ssl_session_timeout  5m;

    ssl_protocols  SSLv2 SSLv3 TLSv1;
    ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_prefer_server_ciphers   on;

    # Both API locations are proxied to the Jetty host over HTTPS,
    # so nginx performs its own TLS handshake to the upstream.
    location /rest/api/box/get_user_info {
        proxy_pass https://fssdemo.cc.net/rest/api/box/get_user_info?external=true&server=$host;
    }
    location /rest/api/box/is_running {
        proxy_pass https://fssdemo.cc.net/rest/api/box/is_running;
    }
    location / {
        root   html;
        index  index.html index.htm;
    }
}

If I hit my Jetty server on HTTPS, I get a 502 Bad Gateway.

The error log reports:

2014/04/10 08:52:48 [error] 648#0: *1 SSL_do_handshake() failed (SSL: error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group error:1408D010:SSL routines:SSL3_GET_KEY_EXCHANGE:EC lib) while SSL handshaking to upstream, client: 172.16.9.140, server: _, request: "GET /rest/api/box/is_running HTTP/1.1", upstream: "https://<54.221.108.189:443>/rest/api/box/is_running", host: "ext.cc.net"

I put <> in the above error log; it did not allow me to post the link with the IP.

From the above I can tell this is saying that the SSL connection from my proxy to my Jetty host is failing.

If I browse directly to the target, on HTTPS and port 443, it works perfectly.

I'm wondering if one of these would solve the proxy problem? But how can I force nginx to use SSL when connecting to its target?

Thanks

Upvotes: 1

Views: 5526
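The error-log line above is the only signal nginx gives for this failure, so here is an added example (not part of the question or answer) of a small Python parser for nginx upstream error lines: it pulls out the upstream host, flags SSL_do_handshake() failures, and decodes each OpenSSL error code into its library/function/reason numbers. The sample log lines, client addresses and upstream addresses are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample nginx error-log lines (no real hosts): two upstream TLS handshake failures, one unrelated connect() failure.
SAMPLE_LOG = """\
2014/04/10 08:52:48 [error] 648#0: *1 SSL_do_handshake() failed (SSL: error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group error:1408D010:SSL routines:SSL3_GET_KEY_EXCHANGE:EC lib) while SSL handshaking to upstream, client: 192.0.2.10, server: _, request: "GET /rest/api/box/is_running HTTP/1.1", upstream: "https://10.0.0.5:443/rest/api/box/is_running", host: "proxy.example"
2014/04/10 08:52:49 [error] 648#0: *2 SSL_do_handshake() failed (SSL: error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group error:1408D010:SSL routines:SSL3_GET_KEY_EXCHANGE:EC lib) while SSL handshaking to upstream, client: 192.0.2.11, server: _, request: "GET /rest/api/box/get_user_info HTTP/1.1", upstream: "https://10.0.0.5:443/rest/api/box/get_user_info?external=true&server=proxy.example", host: "proxy.example"
2014/04/10 08:53:02 [error] 648#0: *3 connect() failed (111: Connection refused) while connecting to upstream, client: 192.0.2.12, server: _, request: "GET /rest/api/box/is_running HTTP/1.1", upstream: "https://10.0.0.6:443/rest/api/box/is_running", host: "proxy.example"
"""

# Fields nginx appends to upstream errors; the trailing "host:" field is not needed here.
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) \[(?P<level>\w+)\] \d+#\d+: \*\d+ (?P<msg>.*?), client: (?P<client>\S+), '
    r'server: (?P<server>\S+), request: "(?P<request>[^"]*)", upstream: "(?P<upstream>[^"]*)"'
)
# One OpenSSL error entry; the reason text may contain spaces ("unknown group"), so stop at the next entry or ")".
OSSL_ERR_RE = re.compile(
    r'error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>.*?)(?= error:|\))'
)

def decode_openssl_code(code_hex):
    """OpenSSL 1.0.x packs a code as (lib << 24) | (func << 12) | reason; lib 16 is ERR_LIB_EC, 20 is ERR_LIB_SSL."""
    code = int(code_hex, 16)
    return code >> 24, (code >> 12) & 0xFFF, code & 0xFFF

def parse_line(line):
    """Return a dict for an nginx upstream error line, or None if the line is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["upstream_host"] = urlparse(rec["upstream"]).netloc  # e.g. "10.0.0.5:443"
    rec["tls_handshake_failure"] = "SSL_do_handshake() failed" in rec["msg"]
    rec["openssl_errors"] = [
        {"code": e["code"], "packed": decode_openssl_code(e["code"]),
         "lib": e["lib"], "func": e["func"], "reason": e["reason"]}
        for e in OSSL_ERR_RE.finditer(rec["msg"])
    ]
    return rec

def upstream_handshake_failures(log_text):
    """Count proxy-to-upstream TLS handshake failures per upstream host:port (the value to alert on)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["tls_handshake_failure"]:
            counts[rec["upstream_host"]] += 1
    return counts
```

Run over a real error.log, a rising count for one upstream while direct browser access to it still works points at the proxy side of the handshake, as it does in this question.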

Answers (1)

Steffen Ullrich

Reputation: 123260

The bug is probably that your OpenSSL is announcing more elliptic curves than it supports and then the server picks an unsupported one. See https://bugzilla.redhat.com/show_bug.cgi?id=1019390. You need to upgrade your OpenSSL.

Upvotes: 2
