id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
2205	SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream	arrcher@…		"Hello, 
nginx fails to proxy the services6.arcgis.com:443 service.

{{{
<nginx.conf>
worker_processes 2;
events { worker_connections 1024; }
http {
    server {
        listen 80;
        error_log /var/log/nginx/error.log debug;
        location ~ ^/(.+)/arcgis/rest/services/(.+)$ {

            proxy_redirect      off;
            proxy_pass_request_headers on;
            proxy_set_header    X-Real-IP $remote_addr;
            proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header    X-Forwarded-Host $server_name;

            proxy_ssl_protocols TLSv1.2;
            proxy_ssl_ciphers   ECDHE-RSA-AES128-GCM-SHA256;
            proxy_ssl_verify    off;

            resolver 10.248.205.1;
            set $gisAddress    ""services6.arcgis.com:443"";
            set $originAddress https://$gisAddress/$1/arcgis/rest/services/$2$is_args$args;
            proxy_pass         $originAddress;
        }
    }
}
</nginx.conf>
}}}

{{{
<error>
2021/06/17 17:48:19 [debug] 34#34: *1 http upstream request: ""/ssFJjBXIUyZDrSYZ/arcgis/rest/services/Digital_Obstacle_File/FeatureServer/0/query/?geometry={""xmin"":-10204649.024184171,""ymin"":5097432.542281834,""xmax"":-10194865.084563669,""ymax"":5107216.481902337,""spatialReference"":{""wkid"": 3857}}&geometryType=esriGeometryEnvelope&outFields=*&f=json&callback=ng_jsonp_callback_154""
2021/06/17 17:48:19 [debug] 34#34: *1 http upstream send request handler
2021/06/17 17:48:19 [debug] 34#34: *1 malloc: 0000559279504AD0:96
2021/06/17 17:48:19 [debug] 34#34: *1 tcp_nodelay
2021/06/17 17:48:19 [debug] 34#34: *1 SSL_do_handshake: -1
2021/06/17 17:48:19 [debug] 34#34: *1 SSL_get_error: 2
2021/06/17 17:48:19 [debug] 34#34: *1 SSL handshake handler: 0
2021/06/17 17:48:19 [debug] 34#34: *1 SSL_do_handshake: -1
2021/06/17 17:48:19 [debug] 34#34: *1 SSL_get_error: 1
2021/06/17 17:48:19 [error] 34#34: *1 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream, client: 10.248.205.130, server: , request: ""GET /ssFJjBXIUyZDrSYZ/arcgis/rest/services/Digital_Obstacle_File/FeatureServer/0/query/?geometry={""xmin"":-10204649.024184171,""ymin"":5097432.542281834,""xmax"":-10194865.084563669,""ymax"":5107216.481902337,""spatialReference"":{""wkid"": 3857}}&geometryType=esriGeometryEnvelope&outFields=*&f=json&callback=ng_jsonp_callback_154 HTTP/1.1"", upstream: ""https://13.32.199.107:443/ssFJjBXIUyZDrSYZ/arcgis/rest/services/Digital_Obstacle_File/FeatureServer/0/query/?geometry={""xmin"":-10204649.024184171,""ymin"":5097432.542281834,""xmax"":-10194865.084563669,""ymax"":5107216.481902337,""spatialReference"":{""wkid"": 3857}}&geometryType=esriGeometryEnvelope&outFields=*&f=json&callback=ng_jsonp_callback_154"", host: ""10.248.205.132:8888""
2021/06/17 17:48:19 [debug] 34#34: *1 http upstream ssl handshake: ""/ssFJjBXIUyZDrSYZ/arcgis/rest/services/Digital_Obstacle_File/FeatureServer/0/query/?geometry={""xmin"":-10204649.024184171,""ymin"":5097432.542281834,""xmax"":-10194865.084563669,""ymax"":5107216.481902337,""spatialReference"":{""wkid"": 3857}}&geometryType=esriGeometryEnvelope&outFields=*&f=json&callback=ng_jsonp_callback_154""
...
</error>
}}}

Another interesting fact is that OpenSSL works on the same box:
{{{
# openssl s_client -tls1_2 -cipher ECDHE-RSA-AES128-GCM-SHA256 -connect services6.arcgis.com:443 -servername services6.arcgis.com
}}}

{{{
<openssl response>
...
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3472 bytes and written 258 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 768C6EA4A2E209F7655D6F77BC10E66EF73D03139D064525F7A1ED35ACD86D9B
...
</openssl response>
}}}

Adding a cert (generated by openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout client.key -out client.pem) as
{{{
proxy_ssl_certificate     /etc/nginx/client.pem;
proxy_ssl_certificate_key /etc/nginx/client.key;
}}}

does not help either.
"	defect	closed	major		nginx-module		invalid	http ssl proxy		Linux eb8995b1adb1 4.4.0-174-generic #204-Ubuntu SMP Wed Jan 29 06:41:01 UTC 2020 x86_64 GNU/Linux	"nginx version: nginx/1.21.0
built by gcc 8.3.0 (Debian 8.3.0-6)
built with OpenSSL 1.1.1d  10 Sep 2019
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fdebug-prefix-map=/data/builder/debuild/nginx-1.21.0/debian/debuild-base/nginx-1.21.0=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'"
