Opened 15 months ago
Closed 14 months ago
#2545 closed defect (worksforme)
TLS "Close Notify" warning
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | minor | Milestone: | |
| Component: | other | Version: | 1.24.x |
| Keywords: | tls close notify | Cc: | |

uname -a:

    Windows 10 22H2
    Linux neutrino 6.1.51-v8+ #1678 SMP PREEMPT Tue Sep 5 15:05:12 BST 2023 aarch64 GNU/Linux

nginx -V:

    nginx version: nginx/1.24.0
    built by cl 16.00.30319.01 for 80x86
    built with OpenSSL 1.1.1t 7 Feb 2023
    TLS SNI support enabled
    configure arguments: --with-cc=cl --builddir=objs.msvc8 --with-debug --prefix= --conf-path=conf/nginx.conf --pid-path=logs/nginx.pid --http-log-path=logs/access.log --error-log-path=logs/error.log --sbin-path=nginx.exe --http-client-body-temp-path=temp/client_body_temp --http-proxy-temp-path=temp/proxy_temp --http-fastcgi-temp-path=temp/fastcgi_temp --http-scgi-temp-path=temp/scgi_temp --http-uwsgi-temp-path=temp/uwsgi_temp --with-cc-opt=-DFD_SETSIZE=1024 --with-pcre=objs.msvc8/lib/pcre2-10.39 --with-zlib=objs.msvc8/lib/zlib-1.2.13 --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_stub_status_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_auth_request_module --with-http_random_index_module --with-http_secure_link_module --with-http_slice_module --with-mail --with-stream --with-openssl=objs.msvc8/lib/openssl-1.1.1t --with-openssl-opt='no-asm no-tests -D_WIN32_WINNT=0x0501' --with-http_ssl_module --with-mail_ssl_module --with-stream_ssl_module

    nginx version: nginx/1.18.0
    built with OpenSSL 1.1.1n 15 Mar 2022
    TLS SNI support enabled
    configure arguments: --with-cc-opt='-g -O2 -ffile-prefix-map=/build/nginx-I6LWFq/nginx-1.18.0=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-compat --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_sub_module

Description
I have an old application that uses TLS 1.0 that I was attempting to proxy to a web app via NGINX. Unfortunately, NGINX seems to be causing a "short read", according to the app, and Wireshark shows the app sending a "close notify" warning. Doing a janky setup without NGINX does not cause these warnings to show. I have tried switching web frameworks, and even languages entirely (Twisted Python -> Rust Actix -> Rust Rocket), but the same warning persists. The warning also shows when running NGINX on a Raspberry Pi. The configuration is listed below.

    server {
        listen 9000 ssl;
        server_name (server name here);
        ssl_certificate (cert here);
        ssl_certificate_key (key here);
        ssl_session_timeout 1d;
        ssl_session_cache shared:MozSSL:10m;
        ssl_session_tickets off;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
        ssl_ciphers "ALL:@SECLEVEL=0";
        ssl_prefer_server_ciphers off;

        location / {
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass_request_headers on;
            proxy_pass http://127.0.0.1:80/;
        }
    }

The "close notify" alert is a part of the TLS protocol, and means that the sending party is closing the connection, nothing more. Why the app is not happy when talking to nginx and decides to close the connection is the real question here. Unfortunately, there is no easy answer.
To find out, consider trying the following:
Hope this helps.
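
On the wire, the alert discussed in this ticket is a two-byte message (level, description) inside a TLS record of content type 21. The following Python code is an added example, not part of the ticket or of nginx: it walks the records in a raw byte stream and separates a `close_notify` from failure alerts. The sample bytes are constructed, and the code assumes that a two-byte alert payload is unencrypted; longer payloads are reported only as encrypted.

```python
import struct

ALERT = 21  # TLS record content type for alerts
LEVELS = {1: "warning", 2: "fatal"}
# Subset of the alert descriptions defined for TLS 1.0-1.2 (RFC 5246, section 7.2)
DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 47: "illegal_parameter",
    48: "unknown_ca", 70: "protocol_version", 71: "insufficient_security",
    80: "internal_error",
}


def iter_records(stream):
    """Yield (content_type, (major, minor), payload) for each TLS record."""
    offset = 0
    while offset < len(stream):
        if len(stream) - offset < 5:
            raise ValueError(f"truncated record header at offset {offset}")
        ctype, major, minor, length = struct.unpack_from("!BBBH", stream, offset)
        payload = stream[offset + 5:offset + 5 + length]
        if len(payload) != length:
            raise ValueError(f"truncated record body at offset {offset}")
        yield ctype, (major, minor), payload
        offset += 5 + length


def decode_alerts(stream):
    """Return one dict per alert record found in the stream."""
    alerts = []
    for ctype, version, payload in iter_records(stream):
        if ctype != ALERT:
            continue
        if len(payload) != 2:
            # Longer than level + description: protected by the session keys.
            alerts.append({"version": version, "encrypted": True})
            continue
        level, desc = payload
        alerts.append({
            "version": version, "encrypted": False,
            "level": LEVELS.get(level, f"unknown({level})"),
            "description": DESCRIPTIONS.get(desc, f"unknown({desc})"),
            "orderly_close": desc == 0,  # close_notify: sender is done writing
        })
    return alerts


# Constructed sample (TLS 1.0 is version 3.1): app data, then two plaintext alerts
SAMPLE = (bytes.fromhex("1703010004") + b"ping"
          + bytes.fromhex("15030100020100")    # warning / close_notify
          + bytes.fromhex("15030100020228"))   # fatal / handshake_failure
```
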