Opened 13 years ago

Closed 13 years ago

Last modified 13 years ago

#39 closed defect (invalid)

SSL_do_handshake failed on verified certificate chain

Reported by: www.google.com/accounts/o8/id?id=AItOawm0It3Y0NZhBXtcIQKjVMUj-0FVkStKxMg Owned by: somebody
Priority: major Milestone:
Component: nginx-core Version: 1.1.x
Keywords: ssl certificate cipher mac Cc:
uname -a: OpenBSD www.example.com 5.0 GENERIC.MP#63 amd64
nginx -V: nginx: nginx version: nginx/1.1.4
nginx: TLS SNI support enabled
nginx: configure arguments: --prefix=/etc/nginx --conf-path=/etc/nginx/nginx.conf --sbin-path=/usr/local/sbin/nginx
--pid-path=/var/run/nginx.pid --lock-path=/var/nginx/tmp/nginx.lock
--http-client-body-temp-path=/var/nginx/tmp/client_body_temp --http-proxy-temp-path=/var/nginx/tmp/proxy_temp
--http-fastcgi-temp-path=/var/nginx/tmp/fastcgi_temp --http-scgi-temp-path=/var/nginx/tmp/scgi_temp
--http-uwsgi-temp-path=/var/nginx/tmp/uwsgi_temp --http-log-path=/var/log/nginx/access.log
--error-log-path=/var/log/nginx/error.log --user=_nginx --group=_nginx --with-http_gzip_static_module
--with-http_mp4_module --with-http_ssl_module --with-http_stub_status_module --with-mail --with-mail_ssl_module
--with-ipv6

Description

2011/10/21 00:39:14 [crit] 31592#0: *3 SSL_do_handshake() failed (SSL: error:260B9092:engine routines:ENGINE_get_cipher:unimplemented cipher error:0607B086:digital envelope routines:EVP_CipherInit_ex:initialization error error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking, client: 192.168.0.1, server: www.example.com

This is a validated certificate chain from InCommon, validated with certtool -e and openssl verify. Same files work with Courier-IMAP, Postfix, stunnel and other SSL programs. The worker process exits with signal 10. So far I've not been able to get a coredump.

Full configuration file to reproduce:

error_log /tmp/error.log debug;
events { worker_connections 128; }
http {

server {

listen 127.0.0.1:9443;
ssl on;
ssl_certificate /etc/ssl/server.crt;
ssl_certificate_key /etc/ssl/private/server.key;

}

}

Thanks in advance.

Change History (3)

comment:1 by www.google.com/accounts/o8/id?id=AItOawm0It3Y0NZhBXtcIQKjVMUj-0FVkStKxMg, 13 years ago

I meant to say that is the minimum config file needed to reproduce the error; of course my config file has more in it normally. It works fine except for SSL. InCommon's CA is AddTrust. I just discovered the same thing happens even with only the server's certificate (no chain, just the one for the server).

Version 2, edited 13 years ago by www.google.com/accounts/o8/id?id=AItOawm0It3Y0NZhBXtcIQKjVMUj-0FVkStKxMg (previous) (next) (diff)

comment:2 by Maxim Dounin, 13 years ago

Resolution: invalid
Status: newclosed

This looks very similar to the problem discussed in this thread:

http://mailman.nginx.org/pipermail/nginx-devel/2011-September/001226.html

The problem is believed to be in OpenSSL version shipped with OpenBSD. Try using newer/vanilla one as available from www.openssl.org. Alternatively, try "ssl_engine aesni" in nginx config, it may resolve issue for you.

in reply to:  2 comment:3 by www.google.com/accounts/o8/id?id=AItOawm0It3Y0NZhBXtcIQKjVMUj-0FVkStKxMg, 13 years ago

Replying to mdounin:

This looks very similar to the problem discussed in this thread:

http://mailman.nginx.org/pipermail/nginx-devel/2011-September/001226.html

The problem is believed to be in OpenSSL version shipped with OpenBSD. Try using newer/vanilla one as available from www.openssl.org. Alternatively, try "ssl_engine aesni" in nginx config, it may resolve issue for you.

Indeed it does! Somehow I missed that thread... thanks very much!

Note: See TracTickets for help on using tickets.