Hi All, I am using Nginx 1.4.4 as a reverse proxy for my Tomcat server. My problem is that the SSL handshake fails between Nginx and Tomcat with mutual SSL authentication. I have verified that client-to-Nginx mutual SSL is working. But if my upstream backend also uses an HTTPS mutual-SSL port, the path fails with this error:

    [error] 1816#3436: *23 SSL_do_handshake() failed (SSL: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:SSL alert number 42) while SSL handshaking to upstream, client: xx.xx.xx.xx, server: xx.xxx.xxx.xxx, request: "GET / HTTP/1.1", upstream: "https://xx.xx.xx.xx:8082/", host: "xx.xx.xx.xx:8002"

My upstream server https://xx.xx.xx.xx:8082 uses mutual SSL and works perfectly without Nginx. The Nginx host https://xx.xx.xx.xx:8002 uses mutual SSL and also works perfectly without the upstream mutual SSL, or with only an HTTP port. The problem is: when both Nginx and the upstream require mutual SSL, and I would like to pass the client certificate to Nginx and then on to my upstream server, the SSL handshake error occurs. I have tried adding the client cert in headers, but no luck. Here is part of my nginx config:

    server {
        listen xx.xx.xx.xx:8002;
        server_name xx.xx.xx.xx;
        ssl on;
        ssl_certificate C:/nginx-1.4.4/cert/MyServer.crt;
        ssl_certificate_key C:/nginx-1.4.4/cert/MyServer.key;
        ssl_client_certificate C:/nginx-1.4.4/cert/MyCA.pem;
        ssl_trusted_certificate C:/nginx-1.4.4/cert/MyCA.pem;
        ssl_prefer_server_ciphers on;
        ssl_verify_client on;
        ssl_verify_depth 3;
        ssl_protocols SSLv2 SSLv3 TLSv1;
        access_log C:/nginx-1.4.4/logs/access_8002.log;
        error_log C:/nginx-1.4.4/logs/error_8002.log debug;
        root html;
        index index.html index.htm;

        location / {
            proxy_pass https://10.128.103.47:8082/;
            proxy_redirect default;
            proxy_set_header Host $host:$server_port;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Client-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Ssl on;
            proxy_set_header X-Client-Verify $ssl_client_verify;
            proxy_set_header X-SSL-Client-Cert $ssl_client_cert;
            proxy_set_header X-SSL-Client-Serial $ssl_client_serial;
            proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
            proxy_set_header X-SSL-Client-S-DN $ssl_client_s_dn;
        }
    }

Is this usage supported by Nginx? I would be very grateful if someone could give me some clues or suggestions.

Thanks and Best Regards,
Flash008

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,245971,245971#msg-245971

_______________________________________________
nginx mailing list
[email protected]
http://mailman.nginx.org/mailman/listinfo/nginx
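The shape this configuration takes in later nginx releases, added here as an example and not taken from the post above; it assumes nginx 1.7.8 or newer (which adds proxy_ssl_certificate and proxy_ssl_certificate_key, neither of which exists in 1.4.4), and the certificate paths, server name and upstream address are placeholders. The point it illustrates: nginx never holds the browser's private key, so it cannot re-use the browser's certificate toward the upstream (the upstream then sees no client certificate and answers with alert 42); nginx must instead authenticate to the upstream with a client certificate of its own, and the end user's identity travels in headers that the upstream should accept only from the proxy.

```nginx
# Added example, not the poster's config. Requires nginx >= 1.7.8.
# All file paths and names below are placeholders.
server {
    listen 8002 ssl;
    server_name proxy.example.internal;

    # Client <-> nginx: nginx's own server certificate, client cert required.
    ssl_certificate        /etc/nginx/cert/MyServer.crt;
    ssl_certificate_key    /etc/nginx/cert/MyServer.key;
    ssl_client_certificate /etc/nginx/cert/MyCA.pem;
    ssl_verify_client      on;
    ssl_verify_depth       3;
    # The post's "SSLv2 SSLv3 TLSv1" enables broken protocols; restrict to TLS 1.2.
    ssl_protocols              TLSv1.2;
    ssl_prefer_server_ciphers  on;

    location / {
        proxy_pass https://10.128.103.47:8082/;   # upstream address from the post

        # nginx <-> upstream: nginx presents ITS OWN client certificate.
        # Without these two directives the upstream receives no client
        # certificate and rejects the handshake with alert 42 (bad certificate).
        proxy_ssl_certificate     /etc/nginx/cert/ProxyClient.crt;
        proxy_ssl_certificate_key /etc/nginx/cert/ProxyClient.key;

        # Also verify the upstream's server certificate, so a misrouted or
        # spoofed upstream cannot receive the forwarded identity headers.
        proxy_ssl_verify               on;
        proxy_ssl_trusted_certificate  /etc/nginx/cert/MyCA.pem;
        proxy_ssl_verify_depth         2;
        proxy_ssl_protocols            TLSv1.2;
        # If the upstream certificate is issued to a hostname rather than the
        # IP in proxy_pass, name it here so verification matches:
        # proxy_ssl_name upstream.example.internal;

        # End-user identity, as verified by nginx, forwarded as headers. The
        # upstream must trust these only from the proxy's certificate, since
        # any direct client could set them itself.
        proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
        proxy_set_header X-SSL-Client-S-DN   $ssl_client_s_dn;
        proxy_set_header X-SSL-Client-Cert   $ssl_client_cert;
        proxy_set_header X-Forwarded-For     $proxy_add_x_forwarded_for;
    }
}
```

The upstream (Tomcat in the post) then needs the proxy's client certificate, not the end user's, in its truststore, and should key any authorization decision about the end user on the forwarded headers only for connections authenticated by that proxy certificate.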
