> Try connecting to glassfish with the _stock_ (from packages) s_client:
> openssl s_client -debug -connect localhost:8002
Enabled
> -Djavax.net.debug=ssl

At the moment, openssl:

# openssl version
OpenSSL 1.0.1e 11 Feb 2013
# dpkg -l|grep openssl
ii openssl 1.0.1e-2

but nginx 1.5.7 still uses 0.9.8:

# ldd `which nginx`
        linux-vdso.so.1 => (0x00007fffae33d000)
        libpthread.so.0 => /lib/libpthread.so.0 (0x00007fdd24f6b000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x00007fdd24d34000)
        libpcre.so.3 => /lib/libpcre.so.3 (0x00007fdd24b03000)
        libssl.so.0.9.8 => /usr/lib/libssl.so.0.9.8 (0x00007fdd248ac000)
        libcrypto.so.0.9.8 => /usr/lib/libcrypto.so.0.9.8 (0x00007fdd2450b000)
        libz.so.1 => /usr/lib/libz.so.1 (0x00007fdd242f3000)
        libc.so.6 => /lib/libc.so.6 (0x00007fdd23f91000)
        /lib64/ld-linux-x86-64.so.2 (0x00007fdd25195000)
        libdl.so.2 => /lib/libdl.so.2 (0x00007fdd23d8d000)

nginx 1.5.4:

# ldd `which /data/nginx-gost/sbin/nginx`
        linux-vdso.so.1 => (0x00007fff695ff000)
        libpthread.so.0 => /lib/libpthread.so.0 (0x00007ff4330f4000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x00007ff432ebd000)
        libpcre.so.3 => /lib/libpcre.so.3 (0x00007ff432c8c000)
        libssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007ff432a2d000)
        libcrypto.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007ff432649000)
        libdl.so.2 => /lib/libdl.so.2 (0x00007ff432444000)
        libz.so.1 => /usr/lib/libz.so.1 (0x00007ff43222d000)
        libc.so.6 => /lib/libc.so.6 (0x00007ff431ecb000)
        /lib64/ld-linux-x86-64.so.2 (0x00007ff43331e000)

# openssl s_client -connect localhost:8002 -tlsextdebug
CONNECTED(00000003)
depth=0 C = US, ST = California, L = Santa Clara, O = Oracle Corporation, OU = GlassFish, CN = myhost.domain.local
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = California, L = Santa Clara, O = Oracle Corporation, OU = GlassFish, CN = myhost.domain.local
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Santa Clara/O=Oracle Corporation/OU=GlassFish/CN=myhost.domain.local
   i:/C=US/ST=California/L=Santa Clara/O=Oracle Corporation/OU=GlassFish/CN=myhost.domain.local
---
Server certificate
subject=/C=US/ST=California/L=Santa Clara/O=Oracle Corporation/OU=GlassFish/CN=myhost.domain.local
issuer=/C=US/ST=California/L=Santa Clara/O=Oracle Corporation/OU=GlassFish/CN=myhost.domain.local
---
No client certificate CA names sent
---
SSL handshake has read 1264 bytes and written 478 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol : TLSv1
    Cipher : EDH-RSA-DES-CBC3-SHA
    Session-ID: 52A5C7084B96822C644DA72CADECFADD2C8684AFE17E63158BD8EB90819682B1
    Session-ID-ctx:
    Master-Key: ECB9F34696C2F27C330007773E9272D9FE539517AC74FD3E94F5CF105AA77BF2DFFEFEE93BE22066F68D42CB080F289F
    Key-Arg : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1386596104
    Timeout : 300 (sec)
    Verify return code: 18 (self signed certificate)
---

If I make a request with nginx 1.5.7 (from the repository), the glassfish logs show:
[#|2013-12-09T18:27:35.338+0400|INFO|oracle-glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=36;_ThreadName=Thread-2;|Using SSLEngineImpl.|#]
[#|2013-12-09T18:27:35.338+0400|INFO|oracle-glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=36;_ThreadName=Thread-2;|http-thread-pool-8002(5), READ: TLSv1 Handshake, length = 89|#]
[#|2013-12-09T18:27:35.339+0400|INFO|oracle-glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=36;_ThreadName=Thread-2;|http-thread-pool-8002(5), fatal error: 80: problem unwrapping net record javax.net.ssl.SSLException: Unexpected end of handshake data|#]
[#|2013-12-09T18:27:35.339+0400|INFO|oracle-glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=36;_ThreadName=Thread-2;|http-thread-pool-8002(5)|#]
[#|2013-12-09T18:27:35.339+0400|INFO|oracle-glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=36;_ThreadName=Thread-2;|, SEND TLSv1 ALERT: |#]
[#|2013-12-09T18:27:35.339+0400|INFO|oracle-glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=36;_ThreadName=Thread-2;|fatal, |#]
[#|2013-12-09T18:27:35.340+0400|INFO|oracle-glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=36;_ThreadName=Thread-2;|description = internal_error|#]
[#|2013-12-09T18:27:35.340+0400|INFO|oracle-glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=36;_ThreadName=Thread-2;|http-thread-pool-8002(5), WRITE: TLSv1 Alert, length = 2|#]

There are no other entries in the log.

If I make a request with nginx 1.5.7 (built manually), the glassfish logs show:

[#|2013-12-09T18:30:54.568+0400|INFO|oracle-glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=35;_ThreadName=Thread-2;|Using SSLEngineImpl.|#]
[#|2013-12-09T18:30:54.568+0400|INFO|oracle-glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=35;_ThreadName=Thread-2;|http-thread-pool-8002(4), READ: TLSv1 Handshake, length = 258|#]
[#|2013-12-09T18:30:54.569+0400|INFO|oracle-glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=35;_ThreadName=Thread-2;|*** ClientHello, TLSv1|#]
[#|2013-12-09T18:30:54.569+0400|INFO|oracle-glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=35;_ThreadName=Thread-2;|RandomCookie: |#]
...
[#|2013-12-09T18:30:54.580+0400|INFO|oracle-glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=35;_ThreadName=Thread-2;|Cipher Suites: [TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, Unknown 0xc0:0x22, Unknown 0xc0:0x21, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, Unknown 0x0:0x88, Unknown 0x0:0x87, Unknown 0x0:0x81, Unknown 0x0:0x80, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, Unknown 0x0:0x84, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, Unknown 0xc0:0x1c, Unknown 0xc0:0x1b, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, Unknown 0xc0:0x1f, Unknown 0xc0:0x1e, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, Unknown 0x0:0x9a, Unknown 0x0:0x99, Unknown 0x0:0x45, Unknown 0x0:0x44, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, Unknown 0x0:0x96, Unknown 0x0:0x41, SSL_RSA_WITH_IDEA_CBC_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_RSA_EXPORT_WITH_RC4_40_MD5, Unknown 0x0:0xff]|#]
[#|2013-12-09T18:30:54.580+0400|INFO|oracle-glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=35;_ThreadName=Thread-2;|Compression Methods: { |#]
[#|2013-12-09T18:30:54.580+0400|INFO|oracle-glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=35;_ThreadName=Thread-2;|0|#]
[#|2013-12-09T18:30:54.580+0400|INFO|oracle-glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=35;_ThreadName=Thread-2;| }|#]
[#|2013-12-09T18:30:54.580+0400|INFO|oracle-glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=35;_ThreadName=Thread-2;|Extension ec_point_formats, formats: [uncompressed, ansiX962_compressed_prime, ansiX962_compressed_char2]|#]
[#|2013-12-09T18:30:54.580+0400|INFO|oracle-glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=35;_ThreadName=Thread-2;|Extension elliptic_curves, curve names: {sect571r1, sect571k1, secp521r1, sect409k1, sect409r1, secp384r1, sect283k1, sect283r1, secp256k1, secp256r1, sect239k1, sect233k1, sect233r1, secp224k1, secp224r1, sect193r1, sect193r2, secp192k1, secp192r1, sect163k1, sect163r1, sect163r2, secp160k1, secp160r1, secp160r2}|#]
[#|2013-12-09T18:30:54.581+0400|INFO|oracle-glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=35;_ThreadName=Thread-2;|Unsupported extension type_35, data: |#]
[#|2013-12-09T18:30:54.581+0400|INFO|oracle-glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=35;_ThreadName=Thread-2;|Unsupported extension type_15, data: 01|#]
[#|2013-12-09T18:30:54.581+0400|INFO|oracle-glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=35;_ThreadName=Thread-2;|***|#]
[#|2013-12-09T18:30:54.582+0400|INFO|oracle-glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=35;_ThreadName=Thread-2;|%% Resuming [Session-16, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA]|#]
...

Posted at Nginx Forum: http://forum.nginx.org/read.php?21,245360,245366#msg-245366

_______________________________________________
nginx-ru mailing list
nginx-ru@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-ru