Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#476 closed defect (invalid)

ignoring stale global SSL error

Reported by: devrandom.pip.verisignlabs.com Owned by:
Priority: minor Milestone:
Component: nginx-core Version: 1.3.x
Keywords: Cc:
uname -a: Linux 3.8.0-34-generic #49~precise1-Ubuntu SMP Wed Nov 13 18:05:00 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.4.4
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-mail --with-mail_ssl_module --with-file-aio --with-http_spdy_module --with-cc-opt='-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,--as-needed' --with-ipv6

Description

(uname -a, nginx -V and conf at the bottom ... debug log will be attached)

Hi,

I've been seeing the below when browsing via Firefox 26.0 on OS X 10.9 (Maverick); via Safari (7.0.1 (9537.73.11)) I can see the page fine.

2013/12/28 18:57:33 [alert] 3727#0: *1 ignoring stale global SSL error (SSL: error:0B07C065:x509 certificate routines:X509_STORE_add_cert:cert already in hash table) while SSL handshaking, client: 192.168.29.1, server: 0.0.0.0:443

$ uname -a
Linux 3.8.0-34-generic #49~precise1-Ubuntu SMP Wed Nov 13 18:05:00 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux

$ nginx -V
nginx version: nginx/1.4.4
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-mail --with-mail_ssl_module --with-file-aio --with-http_spdy_module --with-cc-opt='-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,--as-needed' --with-ipv6 --with-debug

The same also occurs with the non-debug build....

$ /usr/sbin/nginx.standard -V
nginx version: nginx/1.4.4
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-mail --with-mail_ssl_module --with-file-aio --with-http_spdy_module --with-cc-opt='-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,--as-needed' --with-ipv6

$ cat /etc/nginx/conf.d/ssl_auth.conf
# HTTPS server
#
server {

    listen 443 ssl;
    server_name localhost;
    root /usr/share/nginx/html;

    # error_log /var/log/nginx/error.log debug;

    ssl_certificate /etc/nginx/certs/webDemoSVR.crt;
    ssl_certificate_key /etc/nginx/certs/webDemoSVR.key;
    ssl_trusted_certificate /etc/nginx/certs/ca.crt;
    ssl_client_certificate /etc/nginx/certs/ca.crt;
    ssl_session_cache off;
    ssl_protocols TLSv1.2;
    ssl_dhparam /etc/nginx/certs/dhparam_4096.pem;
    ssl_verify_client on;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:AES128-SHA256:DHE-DSS-AES256-SHA256:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:AES256-SHA256;
    ssl_prefer_server_ciphers on;

    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;

    location / {

        index index.html index.htm;

    }

    location ~ (.+\.php)(.*)$ {

        fastcgi_split_path_info (.+\.php)(.*)$;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param VERIFIED $ssl_client_verify;
        fastcgi_param DN $ssl_client_s_dn;
        include fastcgi_params;

    }

}

Attachments (2)

safariDebug_WORKSOK.txt (10.1 KB ) - added by devrandom.pip.verisignlabs.com 7 years ago.
Debug from Safari session (i.e. works ok)
firefoxDebug_BROKEN.txt (19.8 KB ) - added by devrandom.pip.verisignlabs.com 7 years ago.
Debug from Firefox session (i.e. broken)


Change History (5)

by devrandom.pip.verisignlabs.com, 7 years ago

Attachment: safariDebug_WORKSOK.txt added

Debug from Safari session (i.e. works ok)

by devrandom.pip.verisignlabs.com, 7 years ago

Attachment: firefoxDebug_BROKEN.txt added

Debug from Firefox session (i.e. broken)

comment:1 by Maxim Dounin, 7 years ago

Resolution: invalid
Status: new → closed

Errors you see are caused by duplicate certificates loaded as trusted - you load the same ca.crt file in ssl_client_certificate and ssl_trusted_certificate.

As such configuration errors are harmless, these messages were already silenced by 6c35a1f428f2, as available in nginx 1.5.5+.
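
Added example (not part of the ticket or of nginx): a check for the condition described in comment:1, comparing certificates by the SHA-256 of their DER bytes so that a CA repeated inside a different bundle file is caught as well as the same path used twice. The file reader callback, the chain.crt path and the placeholder certificate bodies are assumptions constructed for the example.

```python
import base64
import hashlib
import re
from collections import defaultdict

# The two directives the ticket says both load ca.crt as trusted.
TRUST_DIRECTIVES = ("ssl_client_certificate", "ssl_trusted_certificate")
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
DIRECTIVE_RE = re.compile(
    r"^\s*(%s)\s+([^;#]+?)\s*;" % "|".join(TRUST_DIRECTIVES), re.M)


def cert_fingerprints(pem_text):
    """SHA-256 of the DER bytes of every certificate in a PEM bundle."""
    return [hashlib.sha256(base64.b64decode("".join(b.split()))).hexdigest()
            for b in PEM_RE.findall(pem_text)]


def duplicate_trusted_certs(conf_text, read_file):
    """Map fingerprint -> [(directive, path)] for certs loaded more than once."""
    seen = defaultdict(list)
    for directive, path in DIRECTIVE_RE.findall(conf_text):
        for fp in cert_fingerprints(read_file(path)):
            seen[fp].append((directive, path))
    return {fp: uses for fp, uses in seen.items() if len(uses) > 1}


def _pem(raw):
    """Wrap placeholder bytes in PEM armour (constructed, not a real cert)."""
    return ("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n"
            % base64.b64encode(raw).decode())

# Constructed sample data; chain.crt is a hypothetical second bundle.
ROOT, INTERMEDIATE = _pem(b"constructed-root-ca"), _pem(b"constructed-sub-ca")
SAMPLE_FILES = {
    "/etc/nginx/certs/ca.crt": ROOT,
    "/etc/nginx/certs/chain.crt": INTERMEDIATE + ROOT,
}
TICKET_CONF = ("ssl_trusted_certificate /etc/nginx/certs/ca.crt;\n"
               "ssl_client_certificate /etc/nginx/certs/ca.crt;\n")
BUNDLE_CONF = ("ssl_trusted_certificate /etc/nginx/certs/chain.crt;\n"
               "ssl_client_certificate /etc/nginx/certs/ca.crt;\n")

if __name__ == "__main__":
    print(duplicate_trusted_certs(TICKET_CONF, SAMPLE_FILES.__getitem__))
    print(duplicate_trusted_certs(BUNDLE_CONF, SAMPLE_FILES.__getitem__))
```

Against a live server, pass a reader that opens the real files, for example `lambda p: open(p).read()`.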

in reply to:  1 comment:2 by devrandom.pip.verisignlabs.com, 7 years ago

Replying to Maxim Dounin:

I've gone back to my nginx.conf, commented out ssl_trusted_certificate ... same behavior ... uncommented ssl_trusted_certificate and commented ssl_client_certificate ... same behavior.

So no, I don't accept your explanation at the moment.

comment:3 by Maxim Dounin, 7 years ago

By "same behavior" you mean the alert logged? Please show one.

If you are talking about Firefox 26 not being able to talk via TLS 1.2, then the problem is likely that you haven't enabled TLS 1.2 support in Firefox, see http://en.wikipedia.org/wiki/Transport_Layer_Security#Web_browsers.
