#39 closed defect (invalid)
SSL_do_handshake failed on verified certificate chain
Reported by: www.google.com/accounts/o8/id?id=AItOawm0It3Y0NZhBXtcIQKjVMUj-0FVkStKxMg
Owned by: somebody
Priority: major
Milestone:
Component: nginx-core
Version: 1.1.x
Keywords: ssl certificate cipher mac
Cc:
uname -a: OpenBSD www.example.com 5.0 GENERIC.MP#63 amd64
nginx -V:
nginx: nginx version: nginx/1.1.4
nginx: TLS SNI support enabled
nginx: configure arguments: --prefix=/etc/nginx --conf-path=/etc/nginx/nginx.conf --sbin-path=/usr/local/sbin/nginx --pid-path=/var/run/nginx.pid --lock-path=/var/nginx/tmp/nginx.lock --http-client-body-temp-path=/var/nginx/tmp/client_body_temp --http-proxy-temp-path=/var/nginx/tmp/proxy_temp --http-fastcgi-temp-path=/var/nginx/tmp/fastcgi_temp --http-scgi-temp-path=/var/nginx/tmp/scgi_temp --http-uwsgi-temp-path=/var/nginx/tmp/uwsgi_temp --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --user=_nginx --group=_nginx --with-http_gzip_static_module --with-http_mp4_module --with-http_ssl_module --with-http_stub_status_module --with-mail --with-mail_ssl_module --with-ipv6
Description
2011/10/21 00:39:14 [crit] 31592#0: *3 SSL_do_handshake() failed (SSL: error:260B9092:engine routines:ENGINE_get_cipher:unimplemented cipher error:0607B086:digital envelope routines:EVP_CipherInit_ex:initialization error error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking, client: 192.168.0.1, server: www.example.com
This is a validated certificate chain from InCommon, validated with certtool -e and openssl verify. Same files work with Courier-IMAP, Postfix, stunnel and other SSL programs. The worker process exits with signal 10. So far I've not been able to get a coredump.
Full configuration file to reproduce:

    error_log /tmp/error.log debug;
    events { worker_connections 128; }
    http {
        server {
            listen 127.0.0.1:9443;
            ssl on;
            ssl_certificate /etc/ssl/server.crt;
            ssl_certificate_key /etc/ssl/private/server.key;
        }
    }
Thanks in advance.
Change History (3)
comment:2 by mdounin, 13 years ago
Resolution: → invalid
Status: new → closed
This looks very similar to the problem discussed in this thread:
http://mailman.nginx.org/pipermail/nginx-devel/2011-September/001226.html
The problem is believed to be in the OpenSSL version shipped with OpenBSD. Try using a newer/vanilla one as available from www.openssl.org. Alternatively, try "ssl_engine aesni" in the nginx config; it may resolve the issue for you.
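As an added example, not part of the ticket or of nginx's own documentation, this is the reporter's minimal configuration with the workaround from the comment above applied. ssl_engine is a main-context directive, so it has to sit outside the http block; the certificate paths and the 127.0.0.1:9443 listener are the ticket's own, and the diagnostic commands in the comments are standard OpenSSL tooling, not something the ticket ran.

```nginx
# Added example: the ticket's minimal config plus the suggested workaround.
error_log /tmp/error.log debug;

# Workaround from comment:2. ssl_engine must appear at main level (before
# http {}); nginx rejects it inside http or server. "aesni" is the engine name
# the comment suggests; list what your OpenSSL build actually offers with
#     openssl engine -t -c
# before relying on it.
ssl_engine aesni;

events { worker_connections 128; }

http {
    server {
        listen 127.0.0.1:9443;
        ssl on;
        ssl_certificate     /etc/ssl/server.crt;
        ssl_certificate_key /etc/ssl/private/server.key;
    }
}

# After reloading, exercise the handshake from the same host and watch the
# error log for a recurrence of "SSL_do_handshake() failed":
#     openssl s_client -connect 127.0.0.1:9443 -servername www.example.com
#     grep SSL_do_handshake /tmp/error.log
```

Treat the engine switch as a workaround rather than the fix: the comment attributes the fault to the OpenSSL build shipped with OpenBSD 5.0, so the durable remedy is building nginx against a vanilla OpenSSL from www.openssl.org. The error chain in the ticket (ENGINE_get_cipher "unimplemented cipher", then EVP_CipherInit_ex failing, then "decryption failed or bad record mac") is consistent with cipher initialisation failing before any record is decrypted, which is why a certificate chain that verifies cleanly with openssl verify still cannot complete the handshake.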
comment:3 by the reporter, 13 years ago
Replying to mdounin:
> This looks very similar to the problem discussed in this thread:
> http://mailman.nginx.org/pipermail/nginx-devel/2011-September/001226.html
> The problem is believed to be in the OpenSSL version shipped with OpenBSD. Try using a newer/vanilla one as available from www.openssl.org. Alternatively, try "ssl_engine aesni" in the nginx config; it may resolve the issue for you.
Indeed it does! Somehow I missed that thread... thanks very much!
I meant to say that is the minimum config file needed to reproduce the error; of course my config file has more in it normally. It works fine except for SSL. InCommon's CA is AddTrust (Comodo). I just discovered the same thing happens even with only the server's certificate (no chain, just the one for the server).