I am developing an application against a remote https web service. While developing I need to proxy requests from my local development server (running nginx on ubuntu) to the remote https web server. Here is the relevant nginx config:

server {
    server_name project.dev;
    listen 443;
    ssl on;
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;

    location / {

        proxy_pass      https://remote.server.com;
        proxy_set_header Host remote.server.com;
        proxy_redirect off;
    }
}

The problem is that the remote HTTPS server can only accept connections over SSLv3, as can be seen from the following openssl calls.

Not working:

$ openssl s_client -connect remote.server.com:443
CONNECTED(00000003)
139849073899168:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 226 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

Working:

$ openssl s_client -connect remote.server.com:443 -ssl3
CONNECTED(00000003)
<snip>
---
SSL handshake has read 1562 bytes and written 359 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : RC4-SHA
<snip>

With the current setup my nginx proxy gives a 502 Bad Gateway when I connect to it in a browser. Enabling debug in the error log I can see the message: [info] 1451#0: *16 peer closed connection in SSL handshake while SSL handshaking to upstream.

I tried adding ssl_protocols SSLv3; to the nginx configuration but that didn't help.

Does anyone know how I can set this up to work correctly?

Edit - additional requested info added:

Running on Ubuntu 12.04 with OpenSSL version:

$ openssl version
OpenSSL 1.0.1 14 Mar 2012

The solution

The solution, as provided by @Christopher Perrin below, is to downgrade OpenSSL to 1.0.0. Here are the commands that successfully did this for me (on Ubuntu 12.04 running on AMD64):

wget http://launchpadlibrarian.net/81976289/openssl_1.0.0e-2ubuntu4_amd64.deb
sudo dpkg -i openssl_1.0.0e-2ubuntu4_amd64.deb
wget http://launchpadlibrarian.net/81976290/libssl1.0.0_1.0.0e-2ubuntu4_amd64.deb
sudo dpkg -i libssl1.0.0_1.0.0e-2ubuntu4_amd64.deb
vitch

4 Answers

4

This is due to the fact that when Nginx is compiled with OpenSSL version 1.0.1, in which TLSv1.1 and TLSv1.2 were introduced, whenever Nginx tries to connect to the backend server it will reset the connection with "peer closed connection in SSL handshake (54: Connection reset by peer) while SSL handshaking to upstream" in the Nginx debug logs, which means the backend does not have TLSv1.1 and TLSv1.2 support.

If a load balancer is being used then you/the client need to upgrade the load balancer firmware.

growse
1

The possible solution to your problem is described here

You have to downgrade to OpenSSL 1.0.0 in the Nginx system because of a bug.

Christopher Perrin
  • Thanks - this sounds like the problem and possible workaround/ solution. I'll figure out how to get OpenSSL downgraded and then will update this answer with my experience... – vitch Oct 10 '12 at 15:03
  • I managed to downgrade openssl with the following commands: `wget http://launchpadlibrarian.net/81976289/openssl_1.0.0e-2ubuntu4_amd64.deb` `sudo dpkg -i openssl_1.0.0e-2ubuntu4_amd64.deb` Now I can connect from the `openssl` commandline but get the same error from nginx :( Any further ideas? – vitch Oct 11 '12 at 16:48
  • Have you also downgraded the libs of openssl? Probably they are different packages. – Christopher Perrin Oct 11 '12 at 17:39
  • Yes - I did just before leaving the office and it worked! Thanks so much for your help - I'll update the question tomorrow morning with the full set of commands that worked for me :) – vitch Oct 11 '12 at 21:11
  • Glad I could help – Christopher Perrin Oct 11 '12 at 22:56
1

I ran into a similar issue reverse proxying Nginx to IIS 6 on Windows 2003 after a recent update which upgraded the openssl libraries on the Nginx box. What worked for me is to change the Nginx directive:

ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;

to

proxy_ssl_protocols   TLSv1;
Jim Walker
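An added configuration example (not from any answer on this page) that makes the distinction Jim Walker's answer relies on explicit: ssl_protocols governs the browser-facing listener, while only the proxy_ssl_* directives (proxy_ssl_protocols and proxy_ssl_ciphers since nginx 1.5.6, proxy_ssl_verify and proxy_ssl_trusted_certificate since 1.7.0) govern the handshake nginx performs as a client to the upstream, which is why adding ssl_protocols SSLv3 in the question changed nothing. Hostnames and certificate paths are taken from the question; the trusted-CA path /etc/nginx/ssl/remote-ca.crt is an assumption.

```nginx
server {
    server_name project.dev;
    listen 443 ssl;                      # "listen ... ssl" replaces the older "ssl on;"
    ssl_certificate     /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;

    # Browser-facing hop. ssl_protocols applies here and only here, so it can
    # stay modern even though the upstream is stuck on a legacy protocol.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass       https://remote.server.com;
        proxy_set_header Host remote.server.com;
        proxy_redirect   off;

        # Upstream hop. These directives shape the ClientHello nginx sends to
        # remote.server.com; the legacy settings are confined to this location.
        proxy_ssl_protocols SSLv3;
        proxy_ssl_ciphers   RC4-SHA;     # the cipher the upstream negotiated in the question

        # Keep verifying the upstream certificate on the weak hop too.
        # CA bundle path is an assumption for this example.
        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /etc/nginx/ssl/remote-ca.crt;
    }
}
```

Whether the upstream hop can be negotiated at all still depends on the OpenSSL build nginx links against: OpenSSL 1.1.0 and later are compiled without SSLv3 support, so on those builds no SSLv3 handshake can succeed regardless of this directive, and the only remaining fix is the one the question accepted.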
0

Try to force an SSL version being announced by the server

ssl_prefer_server_ciphers on;
ssl_protocols SSLv3 TLSv1;
# Set the ciphers to use. ssl_ciphers takes a single argument, so the list must stay on one line
# (nginx does not treat a trailing backslash as a line continuation).
ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5;
Mike
  • Thanks for the answer :) You got my hopes up but unfortunately it doesn't seem to work :( I get the same error even with the ssl_ciphers set to `RC4-SHA` (which is what the server connects with in reply to the `openssl s_client -connect remote.server.com:443 -ssl3` call). Any other ideas? – vitch Oct 10 '12 at 14:56