Help needed: Getting SSL23_GET_SERVER_HELLO:tlsv1 alert internal error while connecting to cloudflare


RJoshi

Mar 6, 2016, 2:43:23 PM
to openresty-en
I am getting an SSL connection error while connecting to the upstream mockbin.org (Cloudflare). The issue seems to be with passing the SSL server_name.

2016/03/06 14:32:26 [debug] 74489#0: *2 SSL handshake handler: 0
2016/03/06 14:32:26 [debug] 74489#0: *2 SSL_do_handshake: -1
2016/03/06 14:32:26 [debug] 74489#0: *2 SSL_get_error: 1
2016/03/06 14:32:26 [error] 74489#0: *2 SSL_do_handshake() failed (SSL: error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error) while SSL handshaking to upstream, client: 127.0.0.1, server: mockbin.org, request: "POST /callback/enterpriseapi-23bRBQvg9XMO0dt2xLp0J5v3 HTTP/1.1", upstream: "https://104.28.23.173:443/callback/xxxx", host: "127.0.0.1:22222"
2016/03/06 14:32:26 [debug] 74489#0: *2 http next upstream, 2
2016/03/06 14:32:26 [debug] 74489#0: *2 free rr peer 1 4
2016/03/06 14:32:26 [warn] 74489#0: *2 upstream server temporarily disabled while SSL handshaking to upstream, client: 127.0.0.1, server: mockbin.org, request: "POST /callback/xxxx HTTP/1.1", upstream: "https://104.28.23.173:443/callback/xxxx", host: "127.0.0.1:22222"
2016/03/06 14:32:26 [debug] 74489#0: *2 free rr peer failed: 00007FF10C8154D0 0
2016/03/06 14:32:26 [debug] 74489#0: *2 finalize http upstream request: 502
2016/03/06 14:32:26 [debug] 74489#0: *2 finalize http proxy request
2016/03/06 14:32:26 [debug] 74489#0: *2 SSL_shutdown: -1
2016/03/06 14:32:26 [debug] 74489#0: *2 SSL_get_error: 1
2016/03/06 14:32:26 [crit] 74489#0: *2 SSL_shutdown() failed (SSL: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init) while SSL handshaking to upstream, client: 127.0.0.1, server: mockbin.org, request: "POST /callback/xxxx HTTP/1.1", upstream: "https://104.28.23.173:443/callback/xxx", host: "127.0.0.1:22222"

Server name:
server_name 127.0.0.1;  # I tried using mockbin.org as well

My proxy pass configs are:

proxy_ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
proxy_set_header Connection "";
proxy_http_version 1.1; 
proxy_set_header X-Real-IP $remote_addr;
proxy_ssl_name "mockbin.org"; #--I tried removing this as well
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_redirect off;


My openresty version:
nginx version: openresty/1.9.7.3
built by clang 7.0.2 (clang-700.1.81)
built with OpenSSL 1.0.2g  1 Mar 2016
TLS SNI support enabled
configure arguments: --prefix=/opt/openresty/nginx --with-debug --with-cc-opt='-DNGX_LUA_USE_ASSERT -DNGX_LUA_ABORT_AT_PANIC -O2 -I/usr/local/include -I/usr/local/ssl/include' --add-module=../ngx_devel_kit-0.2.19 --add-module=../echo-nginx-module-0.58 --add-module=../xss-nginx-module-0.05 --add-module=../ngx_coolkit-0.2rc3 --add-module=../set-misc-nginx-module-0.29 --add-module=../form-input-nginx-module-0.11 --add-module=../encrypted-session-nginx-module-0.04 --add-module=../srcache-nginx-module-0.30 --add-module=../ngx_lua-0.10.0 --add-module=../ngx_lua_upstream-0.04 --add-module=../headers-more-nginx-module-0.29 --add-module=../array-var-nginx-module-0.04 --add-module=../memc-nginx-module-0.16 --add-module=../redis2-nginx-module-0.12 --add-module=../redis-nginx-module-0.3.7 --add-module=../rds-json-nginx-module-0.14 --add-module=../rds-csv-nginx-module-0.07 --with-ld-opt='-Wl,-rpath,/opt/openresty/luajit/lib -L/usr/local/ssl/lib -L/usr/local/lib' --with-pcre-jit --with-http_realip_module --with-http_ssl_module


RJoshi

Mar 6, 2016, 6:02:57 PM
to openresty-en
Found the issue. I did not have the proxy_ssl_server_name on; config. With an earlier version of openresty/nginx, it was working fine. Not sure which version changed this.
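
The fix described in the post above, written out as an added example that is not part of the original thread or the poster's own configuration. The proxy_pass target, the location path, the verify depth and the CA bundle path are assumptions; the listen port, server_name and proxy headers are taken from the first post.

```nginx
server {
    listen 22222;
    server_name 127.0.0.1;

    location /callback/ {
        proxy_pass https://mockbin.org;    # assumed target

        # Before (first post): proxy_ssl_name alone does not put SNI on the
        # wire. proxy_ssl_server_name defaults to off, so the ClientHello
        # carries no server name and a name-based TLS frontend cannot pick
        # a certificate for the handshake.
        #
        #   proxy_ssl_name "mockbin.org";

        # After: enable the SNI extension and state the name to send.
        proxy_ssl_server_name on;
        proxy_ssl_name mockbin.org;

        # proxy_ssl_name is also the name checked against the upstream
        # certificate, but only when verification is enabled (it is off
        # by default, so the upstream identity would go unchecked).
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;                                          # assumed depth
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;  # assumed path

        # Unchanged from the first post.
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect off;
    }
}
```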

Robert Paprocki

Mar 6, 2016, 6:37:09 PM
to openre...@googlegroups.com
This recent discussion on the nginx mailing list is relevant: http://mailman.nginx.org/pipermail/nginx/2016-February/049872.html
