Hello!

On Tue, Nov 12, 2013 at 12:07:08PM -0500, Nathan wrote:

> I am working on setting up an http reverse proxy in front of a
> pre-packaged jetty server. The jetty server is a pre-configured
> application, and not very flexible.
>
> Here's the quick and dirty. I have nginx configured to listen on 443,
> using its own SSL cert. Then behind nginx, I have another server
> running this jetty application, with its own cert, on port 9192.

[...]

> The error log reports:
>
> 2013/11/12 12:02:10 [error] 28416#0: *230 SSL_do_handshake() failed
> (SSL: error:140773F2:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert
> unexpected message) while SSL handshaking to upstream, client:
> 10.100.0.12, server: papercut.dev.lafayette.edu, request: "GET /
> HTTP/1.1", upstream: "https://139.147.165.80:9192/", host:
> "papercut.dev.lafayette.edu"
>
> From what I can tell, this is saying that the ssl connection from my
> proxy to my jetty host is failing negotiation.
>
> If I browse directly to the target, on https and port 9192, it works
> perfectly.
>
> openssl s_connect from the proxy to the target seems to work ONLY if I
> force sslv3. If I use TLSv1 or sslv2 it fails. If I use TLSv2 and
> use -no_ticket, it works.
>
> I'm wondering if one of these would solve the proxy problem? But how
> can I force nginx to use sslv3, or no ticket, when connecting to its
> target?

As of nginx 1.5.6+, there is the proxy_ssl_protocols directive exactly
for this kind of problem. Restricting proxy_ssl_ciphers to a smaller
set may help too (again, in 1.5.6+).

See here for more details:

http://nginx.org/r/proxy_ssl_protocols
http://nginx.org/r/proxy_ssl_ciphers

--
Maxim Dounin
http://nginx.org/en/donation.html
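An added illustration of the two directives Maxim points to, not part of the thread or of nginx's own documentation; the hostname and upstream address are taken from Nathan's log line, the certificate paths and the cipher list are placeholders chosen for the example.

```nginx
# Requires nginx 1.5.6 or later for proxy_ssl_protocols / proxy_ssl_ciphers.
server {
    listen 443 ssl;
    server_name papercut.dev.lafayette.edu;           # from the thread

    ssl_certificate     /etc/nginx/ssl/proxy.crt;     # placeholder paths
    ssl_certificate_key /etc/nginx/ssl/proxy.key;

    location / {
        # The jetty upstream from the thread, reached over https.
        proxy_pass https://139.147.165.80:9192;

        # Protocols nginx may offer the upstream. Nathan saw the handshake
        # complete only for SSLv3 with openssl; SSLv3 is obsolete, so try
        # TLSv1 first and only narrow to SSLv3 if the upstream truly needs
        # it (and then treat that upstream as something to fix).
        proxy_ssl_protocols TLSv1;

        # A smaller cipher set, as suggested above. The list here is an
        # example choice, not a recommendation from the thread.
        proxy_ssl_ciphers AES128-SHA:AES256-SHA;

        # Related knob (not mentioned in the thread): nginx otherwise tries
        # to reuse SSL sessions to the upstream. Nathan's "-no_ticket"
        # observation suggests resumption may be involved; this directive
        # turns upstream session reuse off so the effect can be compared.
        # proxy_ssl_session_reuse off;

        proxy_set_header Host $host;
    }
}
```

After changing the directives, run `nginx -t` and then re-check the error log for further `SSL_do_handshake() failed` entries to confirm the upstream handshake now completes.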
