Opened 4 years ago
Closed 4 years ago
#2205 closed defect (invalid)
SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream
Reported by: | Owned by: | ||
---|---|---|---|
Priority: | major | Milestone: | |
Component: | nginx-module | Version: | |
Keywords: | http ssl proxy | Cc: | |
uname -a: | Linux eb8995b1adb1 4.4.0-174-generic #204-Ubuntu SMP Wed Jan 29 06:41:01 UTC 2020 x86_64 GNU/Linux | ||
nginx -V: |
nginx version: nginx/1.21.0
built by gcc 8.3.0 (Debian 8.3.0-6) built with OpenSSL 1.1.1d 10 Sep 2019 TLS SNI support enabled configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fdebug-prefix-map=/data/builder/debuild/nginx-1.21.0/debian/debuild-base/nginx-1.21.0=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie' |
Description
Hello,
nginx fails to proxy service6.arcgis.com:443 service.
<nginx.conf> worker_processes 2; events { worker_connections 1024; } http { server { listen 80; error_log /var/log/nginx/error.log debug; location ~ ^/(.+)/arcgis/rest/services/(.+)$ { proxy_redirect off; proxy_pass_request_headers on; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Host $server_name; proxy_ssl_protocols TLSv1.2; proxy_ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256; proxy_ssl_verify off; resolver 10.248.205.1; set $gisAddress "services6.arcgis.com:443"; set $originAddress https://$gisAddress/$1/arcgis/rest/services/$2$is_args$args; proxy_pass $originAddress; } } } </nginx.conf>
<error> 2021/06/17 17:48:19 [debug] 34#34: *1 http upstream request: "/ssFJjBXIUyZDrSYZ/arcgis/rest/services/Digital_Obstacle_File/FeatureServer/0/query/?geometry={"xmin":-10204649.024184171,"ymin\ ":5097432.542281834,"xmax":-10194865.084563669,"ymax":5107216.481902337,"spatialReference":{"wkid": 3857}}&geometryType=esriGeometryEnvelope&outFields=*&f=json&callback=ng_jsonp_callback_1\ 54" 2021/06/17 17:48:19 [debug] 34#34: *1 http upstream send request handler 2021/06/17 17:48:19 [debug] 34#34: *1 malloc: 0000559279504AD0:96 2021/06/17 17:48:19 [debug] 34#34: *1 tcp_nodelay 2021/06/17 17:48:19 [debug] 34#34: *1 SSL_do_handshake: -1 2021/06/17 17:48:19 [debug] 34#34: *1 SSL_get_error: 2 2021/06/17 17:48:19 [debug] 34#34: *1 SSL handshake handler: 0 2021/06/17 17:48:19 [debug] 34#34: *1 SSL_do_handshake: -1 2021/06/17 17:48:19 [debug] 34#34: *1 SSL_get_error: 1 2021/06/17 17:48:19 [error] 34#34: *1 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream, client: 10.248.20\ 5.130, server: , request: "GET /ssFJjBXIUyZDrSYZ/arcgis/rest/services/Digital_Obstacle_File/FeatureServer/0/query/?geometry={"xmin":-10204649.024184171,"ymin":5097432.542281834,"xmax":-101\ 94865.084563669,"ymax":5107216.481902337,"spatialReference":{"wkid": 3857}}&geometryType=esriGeometryEnvelope&outFields=*&f=json&callback=ng_jsonp_callback_154 HTTP/1.1", upstream: "https:\ //13.32.199.107:443/ssFJjBXIUyZDrSYZ/arcgis/rest/services/Digital_Obstacle_File/FeatureServer/0/query/?geometry={"xmin":-10204649.024184171,"ymin":5097432.542281834,"xmax":-10194865.084563\ 669,"ymax":5107216.481902337,"spatialReference":{"wkid": 3857}}&geometryType=esriGeometryEnvelope&outFields=*&f=json&callback=ng_jsonp_callback_154", host: "10.248.205.132:8888" 2021/06/17 17:48:19 [debug] 34#34: *1 http upstream ssl handshake: "/ssFJjBXIUyZDrSYZ/arcgis/rest/services/Digital_Obstacle_File/FeatureServer/0/query/?geometry={"xmin":-10204649.024184171\ ,"ymin":5097432.542281834,"xmax":-10194865.084563669,"ymax":5107216.481902337,"spatialReference":{"wkid": 3857}}&geometryType=esriGeometryEnvelope&outFields=*&f=json&callback=ng_jsonp_call\ back_154" ... </error>
Another interesting fact that OpenSSL works on the same box
# openssl s_client -tls1_2 -cipher ECDHE-RSA-AES128-GCM-SHA256 -connect services6.arcgis.com:443 -servername services6.arcgis.com
<openssl response> ... --- No client certificate CA names sent Peer signing digest: SHA256 Peer signature type: RSA-PSS Server Temp Key: X25519, 253 bits --- SSL handshake has read 3472 bytes and written 258 bytes Verification: OK --- New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES128-GCM-SHA256 Session-ID: 768C6EA4A2E209F7655D6F77BC10E66EF73D03139D064525F7A1ED35ACD86D9B ... </openssl response>
Adding a cert (generated by openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout client.key -out client.pem) as
proxy_ssl_certificate /etc/nginx/client.pem;
proxy_ssl_certificate_key /etc/nginx/client.key;
does not help as well.
Note:
See TracTickets
for help on using tickets.
Without
-servername services6.arcgis.com
,openssl
fails with exactly the same error:Clearly this is not an nginx issue, but rather backend server behaviour. Consider using proxy_ssl_server_name on; if your backend requires SNI.