Hello!

On Thu, Apr 17, 2014 at 11:34:14AM -0700, Venkat Morampudi wrote:

> Hi,
>
> We are using NGINX (version 1.4.4) in front of HAProxy for SSL
> termination. We are seeing intermittent "Could not create
> SSL/TLS secure channel" failure from our .net client. On
> enabling debug logging on NGINX the following error is being
> recorded at the same time the client sees the error.
>
> [info] 27456#0: *43842 SSL_do_handshake() failed (SSL:
> error:1408C095:SSL routines:SSL3_GET_FINISHED:digest check
> failed) while SSL handshaking, client: 10.76.121.148, server:
> 0.0.0.0:443

From the error message it looks like the handshake failed due to an
incorrect digest value received from the client. Do you control the
network and are you able to eliminate the possibility of a real
man-in-the-middle attack? If yes, this is likely a bug either in the
client or in the OpenSSL library on the nginx side.

Some things to test, in no particular order:

- A workaround from here may work, as well as advice on obtaining more
  details from the client:
  http://stackoverflow.com/questions/2078682/net-httpwebrequest-https-error

- Try to add the SSL_OP_TLS_ROLLBACK_BUG option in nginx; it may help in
  case of some client bugs which used to result in digest check failures
  (see "man SSL_set_options" for details).

- Checking if the problem persists with the latest OpenSSL library (or,
  vice versa, with good old 0.9.8*) may be beneficial, as well as
  upgrading nginx to at least the latest 1.4.x version.

> Based on the documentation I have disabled ssl session reuse, it
> didn't seem to help.

Did you do this in your .net client?

[...]

> This message and any attachments contain information that may be
> RMS Inc. confidential and/or privileged. If you are not the
> intended recipient (or authorized to receive for the intended

Just a side note: sending messages to the whole world with such a
disclaimer looks silly.

--
Maxim Dounin
http://nginx.org/

_______________________________________________
nginx mailing list
[email protected]
http://mailman.nginx.org/mailman/listinfo/nginx
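The reply above turns on reading the nginx error-log line and deciding whether a "digest check failed" is a client-side bug or something on the path between client and server. The following script is an added example, not code from the thread or from the nginx project: it parses error-log lines of the shape quoted above, unpacks the OpenSSL 1.0.x error code (library, function and reason numbers are packed into the 32-bit value shown as `1408C095`), and counts handshake failures per client so that clients repeatedly failing the Finished-message digest check can be singled out for investigation. The sample log lines are constructed from the one in the thread, the `INTEGRITY_REASONS` set and the `threshold` value are the author's own choices, and the regular expression assumes nginx's usual `[level] pid#tid: *conn ...` error-log layout with an optional leading timestamp.

```python
"""Triage SSL handshake failures from an nginx error log (added example)."""
import re
from collections import Counter

# nginx error-log shape for an OpenSSL handshake failure, timestamp optional.
LINE_RE = re.compile(
    r"^(?:(?P<ts>\S+ \S+) )?"
    r"\[(?P<level>\w+)\] (?P<pid>\d+)#(?P<tid>\d+): \*(?P<conn>\d+) "
    r"SSL_do_handshake\(\) failed \(SSL: error:(?P<code>[0-9A-Fa-f]{8}):"
    r"(?P<lib_name>[^:]+):(?P<func_name>[^:]+):(?P<reason>[^)]+)\) "
    r"while SSL handshaking, client: (?P<client>[^,]+), server: (?P<server>\S+)$"
)

# Reasons that mean the handshake transcript or record integrity did not verify.
# These are worth separating from plain negotiation mismatches: a buggy client,
# a broken middlebox, or an active interposer all surface this way. (Constructed set.)
INTEGRITY_REASONS = {
    "digest check failed",
    "bad record mac",
    "decryption failed or bad record mac",
}


def decode_openssl_error(code_hex: str) -> dict:
    """Unpack an OpenSSL 1.0.x error code: lib in bits 24-31, func in
    bits 12-23, reason in bits 0-11. (OpenSSL 3.x dropped function codes,
    so this layout applies to the code format seen in the thread.)"""
    code = int(code_hex, 16)
    return {
        "lib_num": code >> 24,
        "func_num": (code >> 12) & 0xFFF,
        "reason_num": code & 0xFFF,
    }


def parse_line(line: str):
    """Return a dict of fields for a handshake-failure line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec.update(decode_openssl_error(rec["code"]))
    return rec


def triage(lines, threshold: int = 2) -> dict:
    """Count failures per reason and flag clients that hit an integrity
    failure at least `threshold` times (threshold is an arbitrary choice)."""
    per_reason = Counter()
    per_client_reason = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unrelated log line
        per_reason[rec["reason"]] += 1
        per_client_reason[(rec["client"], rec["reason"])] += 1
    flagged = sorted(
        client
        for (client, reason), n in per_client_reason.items()
        if reason in INTEGRITY_REASONS and n >= threshold
    )
    return {"per_reason": dict(per_reason), "flagged_clients": flagged}


# Constructed sample log, modelled on the single line quoted in the thread.
SAMPLE_LOG = """\
[info] 27456#0: *43842 SSL_do_handshake() failed (SSL: error:1408C095:SSL routines:SSL3_GET_FINISHED:digest check failed) while SSL handshaking, client: 10.76.121.148, server: 0.0.0.0:443
2014/04/17 11:30:07 [info] 27456#0: *43851 SSL_do_handshake() failed (SSL: error:1408C095:SSL routines:SSL3_GET_FINISHED:digest check failed) while SSL handshaking, client: 10.76.121.148, server: 0.0.0.0:443
2014/04/17 11:31:12 [info] 27457#0: *43902 SSL_do_handshake() failed (SSL: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher) while SSL handshaking, client: 10.76.121.200, server: 0.0.0.0:443
2014/04/17 11:31:40 [info] 27456#0: *43910 SSL_do_handshake() failed (SSL: error:1408C095:SSL routines:SSL3_GET_FINISHED:digest check failed) while SSL handshaking, client: 10.76.121.9, server: 0.0.0.0:443
2014/04/17 11:31:41 [info] 27456#0: *43911 client closed connection while waiting for request, client: 10.76.121.9, server: 0.0.0.0:443
"""

if __name__ == "__main__":
    summary = triage(SAMPLE_LOG.splitlines())
    for reason, n in summary["per_reason"].items():
        print(f"{n:4d}  {reason}")
    print("clients to investigate:", summary["flagged_clients"])
```

Run it against a real error log with `triage(open("/var/log/nginx/error.log"))`; a single client that repeatedly fails only the digest check points at that client's TLS stack (the .net side here), whereas the same failure spread across many unrelated clients is the pattern to check the network path and the server-side OpenSSL build for.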
