ignoring stale global SSL error

[devrandom.pip.verisignlabs.com]

(uname -a , nginx -V and conf at the bottom ...debug log will be attached)

Hi,

I've been seeing the below when browsing via Firefox 26.0 on OS X 10.9 (Maverick), via Safari (7.0.1 (9537.73.11)) I can see the page fine.

2013/12/28 18:57:33 [alert] 3727#0: *1 ignoring stale global SSL error (SSL: error:0B07C065:x509 certificate routines:X509_STORE_add_cert:cert already in hash table) while SSL handshaking, client: 192.168.29.1, server: 0.0.0.0:443

$ uname -a
Linux 3.8.0-34-generic #49~precise1-Ubuntu SMP Wed Nov 13 18:05:00 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux

$ nginx -V
nginx version: nginx/1.4.4
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-mail --with-mail_ssl_module --with-file-aio --with-http_spdy_module --with-cc-opt='-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,--as-needed' --with-ipv6 --with-debug

The same also occurs with the non-debug build....

$ /usr/sbin/nginx.standard -V
nginx version: nginx/1.4.4
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-mail --with-mail_ssl_module --with-file-aio --with-http_spdy_module --with-cc-opt='-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,--as-needed' --with-ipv6

$ cat /etc/nginx/conf.d/ssl_auth.conf
# HTTPS server
#
server {

listen 443 ssl;
server_name localhost;
root /usr/share/nginx/html;

# error_log /var/log/nginx/error.log debug;

ssl_certificate /etc/nginx/certs/webDemoSVR.crt;
ssl_certificate_key /etc/nginx/certs/webDemoSVR.key;
ssl_trusted_certificate /etc/nginx/certs/ca.crt;
ssl_client_certificate /etc/nginx/certs/ca.crt;
ssl_session_cache off;
ssl_protocols TLSv1.2;
ssl_dhparam /etc/nginx/certs/dhparam_4096.pem;
ssl_verify_client on;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:AES128-SHA256:DHE-DSS-AES256-SHA256:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:AES256-SHA256;
ssl_prefer_server_ciphers on;

ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;

location / {

index index.html index.htm;

}

location ~ ^{(.+\.php)(.*)$ {}

fastcgi_split_path_info ^{(.+\.php)(.*)$;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param VERIFIED $ssl_client_verify;
fastcgi_param DN $ssl_client_s_dn;
include fastcgi_params;}

}

}

[devrandom.pip.verisignlabs.com]

Debug from Safari session (i.e. works ok)

[devrandom.pip.verisignlabs.com]

Debug from Firefox sesssion (i.e. broken)

[Maxim Dounin]

Errors you see are caused by duplicate certificates loaded as trusted - you load the same ca.crt file in ​ssl_client_certificate and ​ssl_trusted_certificate.

As such configuration errors are harmless, these messages were already silenced by 6c35a1f428f2, as available in nginx 1.5.5+.

[devrandom.pip.verisignlabs.com]

Replying to Maxim Dounin:

I've gone back to my nginx.conf, commented out ​ssl_trusted_certificate .... same behavior..... uncommented ssl_trusted_certificate and commented ssl_client_certificate ... same behavior.

So no, I don't accept your explanation at the moment.

[Maxim Dounin]

By "same behavior" you mean the alert logged? Please show one.

If you are talking about Firefox 26 not being able to talk via TLS 1.2, then the problem is likely that you haven't enabled TLS 1.2 support in Firefox, see ​http://en.wikipedia.org/wiki/Transport_Layer_Security#Web_browsers.