Hello, is there a way to make NGINX more forgiving on TLS certificate errors? Or would that have to be done in OpenSSL instead?
When I use openssl s_client, I get the following errors from the upstream server:

140226185430680:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:103:
140226185430680:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:705:
140226185430680:error:1408D07B:SSL routines:ssl3_get_key_exchange:bad signature:s3_clnt.c:2010:

This causes NGINX (reverse proxy) to return 502 Bad Gateway to the browser. The NGINX error log shows:

2018/08/29 09:09:59 [crit] 11633#11633: *28 SSL_do_handshake() failed (SSL: error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01 error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed error:1408D07B:SSL routines:ssl3_get_key_exchange:bad signature) while SSL handshaking to upstream, client: 192.168.1.66, server: s5.example.com, request: "GET /xyz

I have added “proxy_ssl_verify off;”, but that did not make any difference. Surprisingly, the browser (directly to the upstream server) does not complain about the TLS error. Is there anything else I can do either in NGINX or openssl to suppress the 502 Bad Gateway?

Thanks…
Roger

PS: I don’t have control over the upstream server, so I can’t fix the root cause (faulty certificate).
