| From | Sent On | Attachments |
|---|---|---|
| Slawek Zak | Feb 8, 2010 9:10 am | |
| Zev Blut | Feb 22, 2010 11:52 pm | |
| Igor Sysoev | Feb 23, 2010 1:21 am | |
| Igor Sysoev | Feb 23, 2010 1:23 am | |
| Zev Blut | Feb 23, 2010 1:35 am | |
| Igor Sysoev | Feb 23, 2010 1:47 am | .Other |
| Zev Blut | Feb 25, 2010 1:19 am | |
| Zev Blut | Mar 1, 2010 10:48 pm | |
| Anna Malova | Apr 5, 2010 11:50 pm | |
| Igor Sysoev | Apr 6, 2010 1:15 am | |
| Anna Malova | Apr 6, 2010 2:46 am | |
| Maxim Dounin | Apr 6, 2010 3:16 am | |
| Anna Malova | Apr 6, 2010 3:23 am | |
| Igor Sysoev | Apr 6, 2010 3:32 am | |
| Anna Malova | Apr 6, 2010 3:34 am | |
| Igor Sysoev | Apr 6, 2010 3:36 am | |
| Anna Malova | Apr 6, 2010 3:40 am | |
| Anna Malova | Apr 6, 2010 3:42 am | |
| Maxim Dounin | Apr 6, 2010 4:03 am | |

| Subject: | Re: SSL with client certificate errors | |
|---|---|---|
| From: | Igor Sysoev (ig...@sysoev.ru) | |
| Date: | Feb 23, 2010 1:47:22 am | |
| List: | ru.sysoev.nginx | |
| Attachments: | patch.ssl.0 - 0.7k | |

On Tue, Feb 23, 2010 at 06:35:54PM +0900, Zev Blut wrote:

> Hello,
>
> On 02/23/2010 06:24 PM, Igor Sysoev wrote:
> > On Tue, Feb 23, 2010 at 04:52:29PM +0900, Zev Blut wrote:
> > > On 02/09/2010 02:11 AM, Slawek Zak wrote:
> > > > Hi,
> > > >
> > > > I use nginx 0.7.62 to proxy a web application and secure it with client certificates. Quite often NGINX just responds with connection reset to Firefox and generates this error:
> > > >
> > > > 2010/02/08 18:04:49 [crit] 8248#0: *41 SSL_do_handshake() failed (SSL: error:140D9115:SSL routines:SSL_GET_PREV_SESSION:session id context uninitialized) while SSL handshaking, client: 77.x.x.x, server 89.x.x.x
> > > >
> > > > Any ideas?
> > >
> > > I too am getting similar errors with 0.7.65:
> > >
> > > 2010/02/23 16:02:19 [crit] 7224#0: *46254 SSL_do_handshake() failed (SSL: error:140D9115:SSL routines:SSL_GET_PREV_SESSION:session id context uninitialized) while SSL handshaking, client: 192.x.x.x, server: example.com
> >
> > What are your ssl_session_cache settings?
>
> At the moment it is not set, so it is using whatever the default is. Here is a short example of what I am using:
>
> server {
>     listen 443;
>
>     ssl on;
>     ssl_certificate /etc/nginx/ssl/data.crt;
>     ssl_certificate_key /etc/nginx/ssl/data.key;
>     ssl_protocols SSLv3 TLSv1;
>
>     # Make sure we verify client side SSL
>     ssl_verify_client on;
>     ssl_client_certificate /etc/nginx/ssl/data.pem;
> }

Could you try the attached patch?

--
Igor Sysoev
http://sysoev.ru/en/

Index: src/event/ngx_event_openssl.c =================================================================== --- src/event/ngx_event_openssl.c (revision 2775) +++ src/event/ngx_event_openssl.c (working copy) @@ -1428,6 +1428,8 @@ return NGX_OK; }
+ SSL_CTX_set_session_id_context(ssl->ctx, sess_ctx->data, sess_ctx->len); + if (builtin_session_cache == NGX_SSL_NONE_SCACHE) {
/* @@ -1459,8 +1461,6 @@
SSL_CTX_set_session_cache_mode(ssl->ctx, cache_mode);
- SSL_CTX_set_session_id_context(ssl->ctx, sess_ctx->data, sess_ctx->len); - if (builtin_session_cache != NGX_SSL_NO_BUILTIN_SCACHE) {
if (builtin_session_cache != NGX_SSL_DFLT_BUILTIN_SCACHE) {
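
Review bot: In the first hunk (@@ -1428,6 +1428,8 @@) the return value of the relocated SSL_CTX_set_session_id_context(ssl->ctx, sess_ctx->data, sess_ctx->len) call is discarded. OpenSSL returns 0 from this function when the supplied length exceeds SSL_MAX_SID_CTX_LENGTH, and in that case the context stays unset, so the "session id context uninitialized" handshake failure reported in this thread could continue with nothing in the log pointing at the cause. Suggest testing the result for 0, logging it, and returning NGX_ERROR. The leading context also shows a "return NGX_OK; }" directly above the new call, so the branch that takes that return still exits without setting the context; it is worth confirming that no session can be resumed on that path.
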
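
Review bot: The second hunk (@@ -1459,8 +1461,6 @@) drops the call from below SSL_CTX_set_session_cache_mode(ssl->ctx, cache_mode); without leaving a comment, so nothing in the source records why the call now has to run ahead of the "if (builtin_session_cache == NGX_SSL_NONE_SCACHE)" branch. A one-line comment at the new call site naming the SSL_GET_PREV_SESSION error it is meant to prevent would keep a later cleanup from moving it back next to the cache-mode setup.
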
_______________________________________________ nginx mailing list ngi...@nginx.org http://nginx.org/mailman/listinfo/nginx





