#476 closed defect (invalid)
ignoring stale global SSL error
Reported by: devrandom.pip.verisignlabs.com
Owned by:
Priority: minor
Milestone:
Component: nginx-core
Version: 1.3.x
Keywords:
Cc:
uname -a: Linux 3.8.0-34-generic #49~precise1-Ubuntu SMP Wed Nov 13 18:05:00 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
nginx -V:
nginx version: nginx/1.4.4
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-mail --with-mail_ssl_module --with-file-aio --with-http_spdy_module --with-cc-opt='-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,--as-needed' --with-ipv6
Description
(uname -a, nginx -V and conf at the bottom ... debug log will be attached)
Hi,
I've been seeing the below when browsing via Firefox 26.0 on OS X 10.9 (Mavericks); via Safari (7.0.1 (9537.73.11)) I can see the page fine.
2013/12/28 18:57:33 [alert] 3727#0: *1 ignoring stale global SSL error (SSL: error:0B07C065:x509 certificate routines:X509_STORE_add_cert:cert already in hash table) while SSL handshaking, client: 192.168.29.1, server: 0.0.0.0:443
$ uname -a
Linux 3.8.0-34-generic #49~precise1-Ubuntu SMP Wed Nov 13 18:05:00 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
$ nginx -V
nginx version: nginx/1.4.4
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-mail --with-mail_ssl_module --with-file-aio --with-http_spdy_module --with-cc-opt='-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,--as-needed' --with-ipv6 --with-debug
The same also occurs with the non-debug build....
$ /usr/sbin/nginx.standard -V
nginx version: nginx/1.4.4
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-mail --with-mail_ssl_module --with-file-aio --with-http_spdy_module --with-cc-opt='-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,--as-needed' --with-ipv6
$ cat /etc/nginx/conf.d/ssl_auth.conf
# HTTPS server
#
server {
    listen 443 ssl;
    server_name localhost;
    root /usr/share/nginx/html;
    # error_log /var/log/nginx/error.log debug;

    ssl_certificate /etc/nginx/certs/webDemoSVR.crt;
    ssl_certificate_key /etc/nginx/certs/webDemoSVR.key;
    ssl_trusted_certificate /etc/nginx/certs/ca.crt;
    ssl_client_certificate /etc/nginx/certs/ca.crt;
    ssl_session_cache off;
    ssl_protocols TLSv1.2;
    ssl_dhparam /etc/nginx/certs/dhparam_4096.pem;
    ssl_verify_client on;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:AES128-SHA256:DHE-DSS-AES256-SHA256:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:AES256-SHA256;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;

    location / {
        index index.html index.htm;
    }

    location ~ (.+\.php)(.*)$ {
        fastcgi_split_path_info (.+\.php)(.*)$;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param VERIFIED $ssl_client_verify;
        fastcgi_param DN $ssl_client_s_dn;
        include fastcgi_params;
    }
}
Attachments (2)
safariDebug_WORKSOK.txt, added 11 years ago: Debug from Safari session (i.e. works ok)
firefoxDebug_BROKEN.txt, added 11 years ago: Debug from Firefox session (i.e. broken)
Change History (5)
comment:1 by Maxim Dounin, 11 years ago
Resolution: → invalid
Status: new → closed
Errors you see are caused by duplicate certificates loaded as trusted - you load the same ca.crt file in ssl_client_certificate and ssl_trusted_certificate.
As such configuration errors are harmless, these messages were already silenced by 6c35a1f428f2, as available in nginx 1.5.5+.
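The cause named in this comment (the same ca.crt fed into the server's trust store through both ssl_client_certificate and ssl_trusted_certificate, so OpenSSL's X509_STORE_add_cert sees the certificate a second time and leaves "cert already in hash table" on the error queue) can be checked for before reloading nginx. The script below is an added example written for this page, not nginx's own code and not anything attached to the ticket: it pulls the two directives out of a server block, fingerprints every PEM certificate in the files they name, and reports any certificate that would be added to the store more than once, whether through two directives pointing at one file (the ticket's case) or through a bundle that repeats a root already loaded. The configuration snippets and the "PEM files" are constructed inline; their bodies are base64 of short byte strings rather than real certificates, which is enough for the byte-identical DER comparison the check relies on. The paths and helper names are illustrative.

```python
"""Find CA certificates that an nginx server block would load into the same
OpenSSL X509_STORE more than once.

Added example for ticket #476, not nginx code. Assumptions: both
ssl_client_certificate and ssl_trusted_certificate feed the server's trust
store (as the ticket describes), and two certificates are "the same" when
their DER encodings are byte-identical, which is what X509_STORE_add_cert's
hash-table lookup rejects. Standard library only.
"""
import base64
import hashlib
import re
from collections import defaultdict

TRUST_DIRECTIVE_RE = re.compile(
    r"^\s*(ssl_client_certificate|ssl_trusted_certificate)\s+(\S+?)\s*;"
)
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL
)


def trust_store_files(config_text):
    """Return [(directive, path), ...] in config order, ignoring '#' comments."""
    found = []
    for line in config_text.splitlines():
        code = line.split("#", 1)[0]  # strip a trailing or whole-line comment
        m = TRUST_DIRECTIVE_RE.match(code)
        if m:
            found.append((m.group(1), m.group(2)))
    return found


def cert_fingerprints(pem_text):
    """SHA-256 of the DER bytes of each certificate block, in file order."""
    fps = []
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        fps.append(hashlib.sha256(der).hexdigest())
    return fps


def find_duplicate_trusted_certs(config_text, read_file):
    """Map fingerprint -> ['directive:path#index', ...] for every certificate
    that would enter the trust store more than once. read_file(path) -> str."""
    seen = defaultdict(list)
    for directive, path in trust_store_files(config_text):
        for index, fp in enumerate(cert_fingerprints(read_file(path))):
            seen[fp].append(f"{directive}:{path}#{index}")
    return {fp: places for fp, places in seen.items() if len(places) > 1}


# Constructed sample data (not real certificates): base64 of short byte
# strings wrapped in PEM armor, enough to exercise the fingerprint comparison.
def _fake_pem(payload):
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"


SAMPLE_FILES = {
    # the single CA file the ticket's ssl_auth.conf names twice
    "/etc/nginx/certs/ca.crt": _fake_pem(b"demo root CA"),
    # a hypothetical bundle that carries the same root a second time
    "/etc/nginx/certs/bundle.crt": _fake_pem(b"demo intermediate")
    + _fake_pem(b"demo root CA"),
}

# Same two directives, same file: the ticket's configuration.
TICKET_CONFIG = """
server {
    ssl_trusted_certificate /etc/nginx/certs/ca.crt;
    ssl_client_certificate  /etc/nginx/certs/ca.crt;
}
"""

# The redundant directive commented out: nothing is loaded twice.
FIXED_CONFIG = """
server {
    # ssl_trusted_certificate /etc/nginx/certs/ca.crt;
    ssl_client_certificate  /etc/nginx/certs/ca.crt;
}
"""

# Different files, but the bundle repeats the root already loaded.
BUNDLE_CONFIG = """
server {
    ssl_client_certificate  /etc/nginx/certs/ca.crt;
    ssl_trusted_certificate /etc/nginx/certs/bundle.crt;
}
"""

if __name__ == "__main__":
    for name, cfg in (("ticket", TICKET_CONFIG), ("fixed", FIXED_CONFIG),
                      ("bundle", BUNDLE_CONFIG)):
        dups = find_duplicate_trusted_certs(cfg, SAMPLE_FILES.__getitem__)
        print(f"{name}: {dups or 'no certificate loaded twice'}")
```

Run against a real server block, `read_file` would be `lambda p: open(p).read()`. For the ticket's configuration the remedy is the one this comment implies: drop the ssl_trusted_certificate line when it names the same CA file as ssl_client_certificate, or point it at a file holding only the certificates not already loaded. The alert is harmless either way, and nginx 1.5.5+ no longer logs it, but a trust store with no duplicates also keeps a spurious alert out of a log that carries real handshake failures.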
comment:2 by devrandom.pip.verisignlabs.com, 11 years ago
Replying to Maxim Dounin:
I've gone back to my nginx.conf, commented out ssl_trusted_certificate ... same behavior ... uncommented ssl_trusted_certificate and commented ssl_client_certificate ... same behavior.
So no, I don't accept your explanation at the moment.
comment:3, 11 years ago
By "same behavior" you mean the alert logged? Please show one.
If you are talking about Firefox 26 not being able to talk via TLS 1.2, then the problem is likely that you haven't enabled TLS 1.2 support in Firefox, see http://en.wikipedia.org/wiki/Transport_Layer_Security#Web_browsers.