Reputation: 1677
I am trying to proxy an old server running with a self-signed certificate.
Simple nginx conf:
server {
    listen 8009;
    location / {
        proxy_ssl_verify off;
        proxy_ssl_session_reuse off;
        proxy_pass https://192.168.10.20:8009/;
    }
}
I get an SSL handshake error in the nginx log:
2018/05/02 11:31:39 [crit] 3500#2284: *1 SSL_do_handshake() failed (SSL: error:14082174:SSL routines:ssl3_check_cert_and_algorithm:dh key too small) while SSL handshaking to upstream, client: 127.0.0.1, server: , request: "GET /ping HTTP/1.1", upstream: "https://192.168.10.20:8009/ping", host: "localhost:8009"
I was hoping that adding "proxy_ssl_verify off;" would ignore all the SSL errors, but it does not seem to.
Upvotes: 4
Views: 9227
Reputation: 123461
ssl3_check_cert_and_algorithm:dh key too small
The problem is that the old server is providing a DH key which is considered insecure (Logjam attack). This has nothing to do with certificate validation, and thus trying to disable certificate validation will not help - and is a bad idea anyway.
Instead, this problem needs to be fixed at the server side to provide stronger DH parameters. Alternatively, one might try to force nginx not to use DH ciphers in the first place by using the proxy_ssl_ciphers parameter. Which ciphers can be chosen there depends on what the old server supports, but you might try something like HIGH:!DH as the argument, which allows nginx to offer all strong ciphers except the DH ciphers.
Upvotes: 8
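As an added example (not part of the question or the answer above), here is the questioner's server block rewritten along the lines the answer suggests: the cipher list excludes DH key exchange so the handshake never reaches the upstream's small DH group, and instead of switching verification off, the upstream's self-signed certificate is pinned as the trusted certificate. The certificate path is a placeholder, and the example assumes that certificate's name matches the address used in proxy_pass (otherwise proxy_ssl_name would also need to be set).

```nginx
# Added example, not taken from the original question or answer.
# Forwards plain HTTP on :8009 to an old HTTPS upstream that only offers a
# DH group rejected by OpenSSL as "dh key too small". "!DH" removes every
# suite using DH key exchange (fixed, ephemeral and anonymous DH); ECDHE
# suites are a separate OpenSSL group and remain available.
server {
    listen 8009;

    location / {
        # Keep certificate verification on. A self-signed certificate is its
        # own issuer, so pinning it as the trusted certificate is enough.
        # Path is a placeholder: replace with the upstream's actual PEM file.
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/nginx/upstream-selfsigned.pem;

        # Offer only strong ciphers, minus DH key exchange and anonymous
        # suites, as suggested in the answer.
        proxy_ssl_ciphers HIGH:!DH:!aNULL;

        proxy_pass https://192.168.10.20:8009/;
    }
}
```

If the old server has no non-DH suite in common with this list, the handshake fails with a "no shared cipher" style error rather than negotiating the weak group; in that case the only real fix is the one the answer names first, regenerating the DH parameters on the upstream. Whether a common suite exists can be checked from the proxy host with `openssl s_client -connect 192.168.10.20:8009 -cipher 'HIGH:!DH:!aNULL'` before changing the nginx configuration.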