SSL Handshake Failure with error:1407609B:SSL in error logs

Posted by shivramg94 
Hi,

We are trying to configure TCP load balancing with TLS termination. But when
we try to access the URL, we see the error below in the nginx error
and access logs:

Nginx Error Log:

2018/07/04 07:16:45 [crit] 7944#0: *61 SSL_do_handshake() failed (SSL:
error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request)
while SSL handshaking, client: XX.XXX.XX.XX, server: 0.0.0.0:443

Nginx Access Log:

10.90.241.125 - - [04/Jul/2018:07:24:55 +0000] TCP 500 0 0 0.000 "-"

The nginx.conf file looks like this:

stream {
    log_format sample '$remote_addr - - [$time_local] $protocol $status $bytes_sent $bytes_received $session_time "$upstream_addr"';
    upstream backends {
        server sample-domain-name.com:443;
    }
    server {
        listen 443 ssl;
        access_log /etc/access_logs/tcp_access_log sample;
        ssl_certificate Certificate_PATH;
        ssl_certificate_key Private_Key_Path;
        proxy_ssl off;
        proxy_pass backends;
    }
}

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,280396,280396#msg-280396

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Hello!

On Wed, Jul 04, 2018 at 03:31:59AM -0400, shivramg94 wrote:

> We are trying to configure TCP load balancing with TLS termination. But when
> we try to access the URL, we could see the below error in the nginx error
> and access logs
>
> Nginx Error Log:
>
> 2018/07/04 07:16:45 [crit] 7944#0: *61 SSL_do_handshake() failed (SSL:
> error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request)
> while SSL handshaking, client: XX.XXX.XX.XX, server: 0.0.0.0:443
>
> Nginx Access Log:
>
> 10.90.241.125 - - [04/Jul/2018:07:24:55 +0000] TCP 500 0 0 0.000 "-"
>
> The nginx.conf file looks like this
>
> stream {
> log_format sample '$remote_addr - - [$time_local] $protocol $status
> $bytes_sent $bytes_received $session_time "$upstream_addr"';
> upstream backends {
> server sample-domain-name.com:443;
> }
> server {
> listen 443 ssl;
> access_log /etc/access_logs/tcp_access_log sample;
> ssl_certificate Certificate_PATH;
> ssl_certificate_key Private_Key_Path;
> proxy_ssl off;
> proxy_pass backends;
> }
> }

The error in question means that OpenSSL encountered "CONNE..."
string instead of an SSL ClientHello message. That is, it looks
like you are trying to talk to nginx without SSL, while you've
configured it to expect SSL on the socket in question.

--
Maxim Dounin
http://mdounin.ru/
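
The reply above says the listener received "CONNE..." where a ClientHello was expected. The following is an added example, not part of the original thread and not OpenSSL's or nginx's code: a simplified first-bytes classifier for triaging what a client actually sent to a TLS port. The function names, return labels and sample inputs are constructed for illustration; the label "https proxy request" is chosen to match the reason string in the error log.

```python
# Added illustration: classify the first bytes a client sends to a socket
# that expects TLS. Sample inputs are constructed, not captured traffic.

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ")


def classify_first_bytes(data: bytes) -> str:
    """Return a label for the kind of traffic seen on a TLS listener."""
    if len(data) < 6:
        return "too short to classify"
    # TLS record header: content type 0x16 (handshake), major version 0x03,
    # minor version, 2-byte length; then handshake type 0x01 (ClientHello).
    if data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls client hello"
    # A client that treats this address as a forward proxy opens with a
    # cleartext "CONNECT host:port HTTP/1.1" line instead of a handshake.
    if data.startswith(b"CONNECT"):
        return "https proxy request"
    # Plain HTTP sent to the TLS port (for example http:// on port 443).
    if data.startswith(HTTP_METHODS):
        return "http request"
    return "unknown protocol"


# Constructed samples: what three differently configured clients would send.
SAMPLES = {
    "client using the listener as a proxy":
        b"CONNECT sample-domain-name.com:443 HTTP/1.1\r\n",
    "plain HTTP to port 443":
        b"GET / HTTP/1.1\r\nHost: sample-domain-name.com\r\n",
    "TLS client":
        bytes([0x16, 0x03, 0x01, 0x00, 0x2F, 0x01, 0x00, 0x00, 0x2B, 0x03, 0x03]),
}


def triage(samples):
    """Classify every sample and return {description: label}."""
    return {name: classify_first_bytes(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name}: {verdict}")
```

Only the "TLS client" sample would get past the handshake on a `listen 443 ssl;` socket; the CONNECT sample corresponds to the error logged in this thread.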
_______________________________________________
Since your backend is already doing ssl, you should remove ssl from the
listen, so that nginx will just do a simple TCP pass through:

Change
listen 443 ssl;
to
listen 443;

