NGINX caching proxy fails with SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

NGINX acting as a caching proxy encounters problems when fetching content from CloudFront server over HTTPS:

This is the extract from the NGINX's error log:

2014/08/14 16:08:26 [error] 27534#0: *11560993 SSL_do_handshake() failed (SSL: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure) while SSL handshaking to upstream, client: 82.33.49.135, server: localhost, request: "GET /static/images/media-logos/best.png HTTP/1.1", upstream: "https://x.x.x.x:443/static/images/media-logos/best.png",

I tried different proxy settings like proxy_ssl_protocols and proxy_ssl_ciphers, but no combination worked.

Any ideas?

Mohammad Haque Avatar asked Aug 15 '14 16:08

1 Answer

I had exactly the same problem and spent a couple of hours... I guess you are using an older version of nginx (lower than 1.7)? In nginx 1.7 you can use this directive:

proxy_ssl_server_name on; 

This will force nginx to use SNI. Also, you should set the SSL protocols:

proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 

For earlier versions you may be able to use this patch (but I can't verify that that is working):

http://trac.nginx.org/nginx/ticket/229

2019 Update: You should avoid TLSv1 and TLSv1.1 and disable them if possible. I'll leave them in the answer as they are still valid for SNI.

Nikolay Dimitrov Avatar answered Oct 08 '22 13:10

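A complete caching-proxy configuration that applies the directives from the answer above, as an added example that is neither the answerer's nor the nginx project's own configuration; the upstream hostname cdn.example.com, the cache path and the CA bundle path are assumed placeholders, and it also adds upstream certificate verification, which the thread does not mention.

```nginx
# Added example (not from the original answer). Assumes an SNI-only upstream
# reachable as cdn.example.com (placeholder) and that /var/cache/nginx/static
# exists and is writable by the nginx worker user.
proxy_cache_path /var/cache/nginx/static levels=1:2 keys_zone=static:10m
                 max_size=1g inactive=60m;

server {
    listen 80;
    server_name localhost;

    location /static/ {
        proxy_pass https://cdn.example.com;

        # Send the upstream hostname in the TLS ClientHello (SNI). Without it a
        # multi-tenant edge such as CloudFront cannot select a certificate and
        # rejects the handshake, which nginx logs as
        # "SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure".
        # Both directives require nginx >= 1.7.0; proxy_ssl_name defaults to the
        # proxy_pass host and is spelled out here for clarity.
        proxy_ssl_server_name on;
        proxy_ssl_name cdn.example.com;

        # Offer only protocols the upstream still accepts. TLSv1 and TLSv1.1 are
        # left out, as the 2019 update recommends (TLSv1.3 needs nginx >= 1.13.0
        # built against OpenSSL 1.1.1 or later).
        proxy_ssl_protocols TLSv1.2 TLSv1.3;

        # Verify the upstream certificate chain so a spoofed upstream cannot
        # poison the cache. The CA bundle path is the Debian/Ubuntu default and
        # is an assumption.
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

        # Caching behaviour for the static assets being proxied.
        proxy_cache static;
        proxy_cache_valid 200 302 10m;
        proxy_set_header Host cdn.example.com;
    }
}
```

Run `nginx -t` after installing the file to confirm the build supports every directive listed; a directive unknown to an older binary is reported there rather than at request time.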