Opened 3 years ago
Closed 3 years ago
#2205 closed defect (invalid)
SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | major | Milestone: | |
| Component: | nginx-module | Version: | |
| Keywords: | http ssl proxy | Cc: | |
| uname -a: | Linux eb8995b1adb1 4.4.0-174-generic #204-Ubuntu SMP Wed Jan 29 06:41:01 UTC 2020 x86_64 GNU/Linux | | |

nginx -V:

```
nginx version: nginx/1.21.0
built by gcc 8.3.0 (Debian 8.3.0-6)
built with OpenSSL 1.1.1d 10 Sep 2019
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fdebug-prefix-map=/data/builder/debuild/nginx-1.21.0/debian/debuild-base/nginx-1.21.0=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'
```
Description
Hello,

nginx fails to proxy the services6.arcgis.com:443 service.
nginx.conf:

```nginx
worker_processes 2;

events {
    worker_connections 1024;
}

http {
    server {
        listen 80;
        error_log /var/log/nginx/error.log debug;

        location ~ ^/(.+)/arcgis/rest/services/(.+)$ {
            proxy_redirect off;
            proxy_pass_request_headers on;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Host $server_name;
            proxy_ssl_protocols TLSv1.2;
            proxy_ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256;
            proxy_ssl_verify off;
            resolver 10.248.205.1;
            set $gisAddress "services6.arcgis.com:443";
            set $originAddress https://$gisAddress/$1/arcgis/rest/services/$2$is_args$args;
            proxy_pass $originAddress;
        }
    }
}
```
error log:

```
2021/06/17 17:48:19 [debug] 34#34: *1 http upstream request: "/ssFJjBXIUyZDrSYZ/arcgis/rest/services/Digital_Obstacle_File/FeatureServer/0/query/?geometry={"xmin":-10204649.024184171,"ymin":5097432.542281834,"xmax":-10194865.084563669,"ymax":5107216.481902337,"spatialReference":{"wkid": 3857}}&geometryType=esriGeometryEnvelope&outFields=*&f=json&callback=ng_jsonp_callback_154"
2021/06/17 17:48:19 [debug] 34#34: *1 http upstream send request handler
2021/06/17 17:48:19 [debug] 34#34: *1 malloc: 0000559279504AD0:96
2021/06/17 17:48:19 [debug] 34#34: *1 tcp_nodelay
2021/06/17 17:48:19 [debug] 34#34: *1 SSL_do_handshake: -1
2021/06/17 17:48:19 [debug] 34#34: *1 SSL_get_error: 2
2021/06/17 17:48:19 [debug] 34#34: *1 SSL handshake handler: 0
2021/06/17 17:48:19 [debug] 34#34: *1 SSL_do_handshake: -1
2021/06/17 17:48:19 [debug] 34#34: *1 SSL_get_error: 1
2021/06/17 17:48:19 [error] 34#34: *1 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream, client: 10.248.205.130, server: , request: "GET /ssFJjBXIUyZDrSYZ/arcgis/rest/services/Digital_Obstacle_File/FeatureServer/0/query/?geometry={"xmin":-10204649.024184171,"ymin":5097432.542281834,"xmax":-10194865.084563669,"ymax":5107216.481902337,"spatialReference":{"wkid": 3857}}&geometryType=esriGeometryEnvelope&outFields=*&f=json&callback=ng_jsonp_callback_154 HTTP/1.1", upstream: "https://13.32.199.107:443/ssFJjBXIUyZDrSYZ/arcgis/rest/services/Digital_Obstacle_File/FeatureServer/0/query/?geometry={"xmin":-10204649.024184171,"ymin":5097432.542281834,"xmax":-10194865.084563669,"ymax":5107216.481902337,"spatialReference":{"wkid": 3857}}&geometryType=esriGeometryEnvelope&outFields=*&f=json&callback=ng_jsonp_callback_154", host: "10.248.205.132:8888"
2021/06/17 17:48:19 [debug] 34#34: *1 http upstream ssl handshake: "/ssFJjBXIUyZDrSYZ/arcgis/rest/services/Digital_Obstacle_File/FeatureServer/0/query/?geometry={"xmin":-10204649.024184171,"ymin":5097432.542281834,"xmax":-10194865.084563669,"ymax":5107216.481902337,"spatialReference":{"wkid": 3857}}&geometryType=esriGeometryEnvelope&outFields=*&f=json&callback=ng_jsonp_callback_154"
...
```
Another interesting fact is that OpenSSL works on the same box:

```
# openssl s_client -tls1_2 -cipher ECDHE-RSA-AES128-GCM-SHA256 -connect services6.arcgis.com:443 -servername services6.arcgis.com
```

openssl response:

```
...
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3472 bytes and written 258 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 768C6EA4A2E209F7655D6F77BC10E66EF73D03139D064525F7A1ED35ACD86D9B
...
```
Adding a cert (generated by openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout client.key -out client.pem) as

```nginx
proxy_ssl_certificate /etc/nginx/client.pem;
proxy_ssl_certificate_key /etc/nginx/client.key;
```

does not help either.
Without -servername services6.arcgis.com, openssl fails with exactly the same error:

Clearly this is not an nginx issue, but rather backend server behaviour. Consider using proxy_ssl_server_name on; if your backend requires SNI.
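The fix the reply points to, as an added example that is not part of the ticket: the reporter's upstream TLS directives beside a hardened version that sends SNI and also verifies the upstream certificate, which proxy_ssl_verify off in the original config never did. The CA bundle path is an assumption for a Debian-based image; the hostname and resolver are taken from the ticket.

```nginx
# Added example, not from the ticket. Only the TLS-related directives of
# the reporter's location block are shown; the proxy_set_header lines
# are unchanged and omitted here.

# Before (as reported): proxy_ssl_server_name defaults to off, so no SNI
# is sent, and proxy_ssl_verify off means nginx accepts whatever
# certificate the resolved address (13.32.199.107 in the log) presents.
#
#     proxy_ssl_protocols TLSv1.2;
#     proxy_ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256;
#     proxy_ssl_verify off;

# After: send SNI, fix the name that is both sent in SNI and matched
# against the upstream certificate, and verify the chain.
location ~ ^/(.+)/arcgis/rest/services/(.+)$ {
    resolver 10.248.205.1;
    set $gisAddress "services6.arcgis.com:443";

    proxy_ssl_protocols TLSv1.2 TLSv1.3;

    # Sends the TLS server_name extension; the upstream in the ticket
    # refuses the handshake without it (same failure seen in s_client
    # when -servername is dropped).
    proxy_ssl_server_name on;
    proxy_ssl_name services6.arcgis.com;

    # Authenticate the upstream instead of trusting any certificate.
    # Bundle path assumed (Debian ca-certificates); adjust to the local store.
    proxy_ssl_verify on;
    proxy_ssl_verify_depth 2;
    proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

    proxy_pass https://$gisAddress/$1/arcgis/rest/services/$2$is_args$args;
}
```

With proxy_ssl_verify on, a failed verification is logged as an upstream SSL certificate verify error rather than the wrong version number seen here, which makes the two failure modes easy to tell apart in error.log.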