Opened 4 months ago

Closed 4 months ago

#2205 closed defect (invalid)

SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream

Reported by: arrcher@… Owned by:
Priority: major Milestone:
Component: nginx-module Version:
Keywords: http ssl proxy Cc:
uname -a: Linux eb8995b1adb1 4.4.0-174-generic #204-Ubuntu SMP Wed Jan 29 06:41:01 UTC 2020 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.21.0
built by gcc 8.3.0 (Debian 8.3.0-6)
built with OpenSSL 1.1.1d 10 Sep 2019
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fdebug-prefix-map=/data/builder/debuild/nginx-1.21.0/debian/debuild-base/nginx-1.21.0=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'

Description

Hello,
nginx fails to proxy service6.arcgis.com:443 service.

<nginx.conf>
worker_processes 2;
events { worker_connections 1024; }
http {
    server {
        listen 80;
        error_log /var/log/nginx/error.log debug;
        location ~ ^/(.+)/arcgis/rest/services/(.+)$ {

            proxy_redirect      off;
            proxy_pass_request_headers on;
            proxy_set_header    X-Real-IP $remote_addr;
            proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header    X-Forwarded-Host $server_name;

            proxy_ssl_protocols TLSv1.2;
            proxy_ssl_ciphers   ECDHE-RSA-AES128-GCM-SHA256;
            proxy_ssl_verify    off;

            resolver 10.248.205.1;
            set $gisAddress    "services6.arcgis.com:443";
            set $originAddress https://$gisAddress/$1/arcgis/rest/services/$2$is_args$args;
            proxy_pass         $originAddress;
        }
    }
}
</nginx.conf>
<error>
2021/06/17 17:48:19 [debug] 34#34: *1 http upstream request: "/ssFJjBXIUyZDrSYZ/arcgis/rest/services/Digital_Obstacle_File/FeatureServer/0/query/?geometry={"xmin":-10204649.024184171,"ymin\
":5097432.542281834,"xmax":-10194865.084563669,"ymax":5107216.481902337,"spatialReference":{"wkid": 3857}}&geometryType=esriGeometryEnvelope&outFields=*&f=json&callback=ng_jsonp_callback_1\
54"
2021/06/17 17:48:19 [debug] 34#34: *1 http upstream send request handler
2021/06/17 17:48:19 [debug] 34#34: *1 malloc: 0000559279504AD0:96
2021/06/17 17:48:19 [debug] 34#34: *1 tcp_nodelay
2021/06/17 17:48:19 [debug] 34#34: *1 SSL_do_handshake: -1
2021/06/17 17:48:19 [debug] 34#34: *1 SSL_get_error: 2
2021/06/17 17:48:19 [debug] 34#34: *1 SSL handshake handler: 0
2021/06/17 17:48:19 [debug] 34#34: *1 SSL_do_handshake: -1
2021/06/17 17:48:19 [debug] 34#34: *1 SSL_get_error: 1
2021/06/17 17:48:19 [error] 34#34: *1 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream, client: 10.248.20\
5.130, server: , request: "GET /ssFJjBXIUyZDrSYZ/arcgis/rest/services/Digital_Obstacle_File/FeatureServer/0/query/?geometry={"xmin":-10204649.024184171,"ymin":5097432.542281834,"xmax":-101\
94865.084563669,"ymax":5107216.481902337,"spatialReference":{"wkid": 3857}}&geometryType=esriGeometryEnvelope&outFields=*&f=json&callback=ng_jsonp_callback_154 HTTP/1.1", upstream: "https:\
//13.32.199.107:443/ssFJjBXIUyZDrSYZ/arcgis/rest/services/Digital_Obstacle_File/FeatureServer/0/query/?geometry={"xmin":-10204649.024184171,"ymin":5097432.542281834,"xmax":-10194865.084563\
669,"ymax":5107216.481902337,"spatialReference":{"wkid": 3857}}&geometryType=esriGeometryEnvelope&outFields=*&f=json&callback=ng_jsonp_callback_154", host: "10.248.205.132:8888"
2021/06/17 17:48:19 [debug] 34#34: *1 http upstream ssl handshake: "/ssFJjBXIUyZDrSYZ/arcgis/rest/services/Digital_Obstacle_File/FeatureServer/0/query/?geometry={"xmin":-10204649.024184171\
,"ymin":5097432.542281834,"xmax":-10194865.084563669,"ymax":5107216.481902337,"spatialReference":{"wkid": 3857}}&geometryType=esriGeometryEnvelope&outFields=*&f=json&callback=ng_jsonp_call\
back_154"
...
</error>

Another interesting fact that OpenSSL works on the same box

# openssl s_client -tls1_2 -cipher ECDHE-RSA-AES128-GCM-SHA256 -connect services6.arcgis.com:443 -servername services6.arcgis.com
<openssl response>
...
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3472 bytes and written 258 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 768C6EA4A2E209F7655D6F77BC10E66EF73D03139D064525F7A1ED35ACD86D9B
...
</openssl response>

Adding a cert (generated by openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout client.key -out client.pem) as

proxy_ssl_certificate /etc/nginx/client.pem;
proxy_ssl_certificate_key /etc/nginx/client.key;

does not help as well.

Change History (1)

comment:1 by Maxim Dounin, 4 months ago

Resolution: invalid
Status: newclosed

Without -servername services6.arcgis.com, openssl fails with exactly the same error:

$ openssl s_client -tls1_2 -cipher ECDHE-RSA-AES128-GCM-SHA256 -connect services6.arcgis.com:443 
CONNECTED(00000003)
675854824:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:/usr/src/crypto/openssl/ssl/s3_pkt.c:365:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1623966056
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

Clearly this is not an nginx issue, but rather backend server behaviour. Consider using proxy_ssl_server_name on; if your backend requires SNI.

Note: See TracTickets for help on using tickets.