Opened 7 months ago

Closed 7 months ago

#2545 closed defect (worksforme)

TLS "Close Notify" warning

Reported by: Hay1tsme@… Owned by:
Priority: minor Milestone:
Component: other Version: 1.24.x
Keywords: tls close notify Cc:
uname -a: Windows 10 22H2

Linux neutrino 6.1.51-v8+ #1678 SMP PREEMPT Tue Sep 5 15:05:12 BST 2023 aarch64 GNU/Linux
nginx -V: nginx version: nginx/1.24.0
built by cl 16.00.30319.01 for 80x86
built with OpenSSL 1.1.1t 7 Feb 2023
TLS SNI support enabled
configure arguments: --with-cc=cl --builddir=objs.msvc8 --with-debug --prefix= --conf-path=conf/nginx.conf --pid-path=logs/nginx.pid --http-log-path=logs/access.log --error-log-path=logs/error.log --sbin-path=nginx.exe --http-client-body-temp-path=temp/client_body_temp --http-proxy-temp-path=temp/proxy_temp --http-fastcgi-temp-path=temp/fastcgi_temp --http-scgi-temp-path=temp/scgi_temp --http-uwsgi-temp-path=temp/uwsgi_temp --with-cc-opt=-DFD_SETSIZE=1024 --with-pcre=objs.msvc8/lib/pcre2-10.39 --with-zlib=objs.msvc8/lib/zlib-1.2.13 --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_stub_status_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_auth_request_module --with-http_random_index_module --with-http_secure_link_module --with-http_slice_module --with-mail --with-stream --with-openssl=objs.msvc8/lib/openssl-1.1.1t --with-openssl-opt='no-asm no-tests -D_WIN32_WINNT=0x0501' --with-http_ssl_module --with-mail_ssl_module --with-stream_ssl_module

nginx version: nginx/1.18.0
built with OpenSSL 1.1.1n 15 Mar 2022
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -ffile-prefix-map=/build/nginx-I6LWFq/nginx-1.18.0=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-compat --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_sub_module

Description

I have an old application that uses TLS 1.0 that I was attempting to proxy to a web app via NGINX. Unfortunately, NGINX seems to be causing a "short read", according to the app, and wireshark shows the app sending a "close notify" warning. Doing a janky setup without NGINX does not cause these warnings to show. I have tried switching web frameworks, and even languages entirely (twisted python -> rust actix -> rust rocket) but the same warning persists. The warning also shows when running NGINX on a raspberry pi. The configuration is listed below.

server {
	listen       9000 ssl;
	server_name  (server name here);

	ssl_certificate      (cert here);
	ssl_certificate_key  (key here);
	ssl_session_timeout 1d;
	ssl_session_cache shared:MozSSL:10m;
	ssl_session_tickets off;

	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
	ssl_ciphers "ALL:@SECLEVEL=0";
	ssl_prefer_server_ciphers off;
	location / {
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_pass_request_headers on;
		proxy_pass http://127.0.0.1:80/;
	}
}

Change History (2)

comment:1 by Maxim Dounin, 7 months ago

The "close notify" alert is a part of TLS protocol, and means that the sending party is closing the connection, nothing more. Why the app is not happy when talking to nginx and decides to close the connection is the real question here. Unfortunately, there is no easy answer.

To find out, consider trying the following:

  • Check nginx access and error logs, and make sure there is nothing suspicious. Make sure to configure error logs at least at the info level.
  • Configure debugging log, it should show low-level details about connections and requests being processed, including all the headers, and should help to understand what goes on.
  • Use Wireshark with appropriate keys to decrypt TLS traffic and look into it, and compare with direct connection which works for you.

Hope this helps.

comment:2 by Maxim Dounin, 7 months ago

Resolution: worksforme
Status: newclosed

Feedback timeout.

Note: See TracTickets for help on using tickets.