
I'm trying to set up an Nginx server to reverse-proxy a Tomcat web service (which I don't have access to). This is essentially because the Tomcat server is running TLSv1.0, so I'm trying to bump up the version.

However, when I try to access the proxy I'm getting a 502 error. The Nginx logs show:

    SSL_do_handshake() failed (SSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol) while SSL handshaking to upstream

Here's my Nginx configuration:

# Client-facing TLS settings (presumably in the http {} context).
ssl_certificate  /etc/nginx/certs/public.pem;
ssl_certificate_key  /etc/nginx/certs/private.key;
ssl_session_timeout  5m;
ssl_prefer_server_ciphers  on;
# ssl_protocols only governs what clients may negotiate with nginx.
ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers  AES256+EECDH:AES256+EDH:!aNULL;

server {
    listen 6003;
    server_name example.com;
    ssl on;   # deprecated since nginx 1.15.0 in favour of "listen 6003 ssl;"
    location / {
        # On this leg nginx is the TLS client; the ssl_* directives above do not apply here.
        proxy_pass https://example.com:6003;
    }
}

I've tried the same thing with Apache but see exactly the same error. Does anyone have any ideas?

Chris Edgington

1 Answer

This is a similar answer to nginx as reverse proxy with upstream SSL. There are separate `ssl` settings that set the acceptable protocols for your upstream proxy:

...

server {

    listen 6003;
    server_name example.com;
    ssl on;
    ssl_certificate  /etc/nginx/certs/example.pem;
    ssl_certificate_key  /etc/nginx/certs/private.key;
    ... other settings

    location / {
        proxy_pass https://example.com:6003;
        # Only consulted when proxy_ssl_verify is on (it defaults to off).
        proxy_ssl_trusted_certificate /etc/nginx/certs/example.pem;
        # Versions nginx may offer to the upstream; independent of ssl_protocols.
        proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    }
}

The three listed values for proxy_ssl_protocols are the current default set but they could conceivably change in future releases to remove TLSv1 and TLSv1.1.

shonky linux user

  • Thanks! I actually managed to get it working by using `proxy_ssl_protocols TLSv1` only. Having the other two versions in there gave me the same error, but removing them solved the problem. – Chris Edgington Feb 21 '18 at 09:51
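The practical check behind this thread is: which TLS versions will the upstream actually complete a handshake with, and does `proxy_ssl_protocols` match that? The script below is an added example, not code from the question or the answer. It probes an HTTPS upstream with `openssl s_client` one version at a time, keeps the versions that negotiated a real cipher, and prints an nginx server block that terminates TLSv1.2/1.3 for clients while offering the upstream only what it accepts, with the upstream certificate verified (`proxy_ssl_trusted_certificate` has no effect unless `proxy_ssl_verify on` is set). The host name `tomcat.internal`, port 8443 and the certificate paths are hypothetical placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the question or answer): find out which TLS
# versions an HTTPS upstream accepts, then print an nginx server block whose
# proxy_ssl_protocols matches. Host names, ports and certificate paths are
# hypothetical placeholders.
set -u

# Read `openssl s_client` output on stdin and print the negotiated protocol
# (TLSv1, TLSv1.1, TLSv1.2 or TLSv1.3, the same spelling nginx uses).
# A failed handshake still prints an SSL-Session block, but with
# "Cipher    : 0000", so a real cipher is required before reporting success.
parse_protocol() {
    awk '
        /^[[:space:]]*Protocol[[:space:]]*:/ { proto = $3 }
        /^[[:space:]]*Cipher[[:space:]]*:/   { cipher = $3 }
        END {
            if (proto != "" && cipher != "" && cipher != "0000" && cipher != "(NONE)") {
                print proto
                exit 0
            }
            exit 1
        }'
}

# One handshake attempt with a single version pinned. OpenSSL 3 refuses
# TLSv1/TLSv1.1 at its default security level, so the probe lowers it;
# nginx needs the same via proxy_ssl_ciphers if the upstream is that old.
probe_one() {
    local host=$1 port=$2 flag=$3
    openssl s_client -connect "$host:$port" -servername "$host" "$flag" \
        -cipher 'DEFAULT:@SECLEVEL=0' </dev/null 2>/dev/null | parse_protocol
}

# Print the space-separated versions the upstream completed a handshake with,
# or return 1 if none did (the "unknown protocol" case in the question).
probe_protocols() {
    local host=$1 port=$2 flag proto ok=""
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        if proto=$(probe_one "$host" "$port" "$flag"); then
            ok="$ok${ok:+ }$proto"
        fi
    done
    if [ -z "$ok" ]; then return 1; fi
    printf '%s\n' "$ok"
}

# Emit an nginx server block: modern TLS for clients on the front, only the
# versions the upstream accepts on the proxied leg, upstream cert verified.
# Drop TLSv1.3 from ssl_protocols on nginx older than 1.13 / OpenSSL < 1.1.1.
render_config() {
    local upstream_host=$1 upstream_port=$2 protocols=$3 legacy=""
    case " $protocols " in
        *" TLSv1 "*|*" TLSv1.1 "*)
            legacy="        proxy_ssl_ciphers 'DEFAULT:@SECLEVEL=0';  # TLS 1.0/1.1 on OpenSSL 3" ;;
    esac
    cat <<EOF
server {
    listen 6003 ssl;
    server_name example.com;
    ssl_certificate     /etc/nginx/certs/public.pem;
    ssl_certificate_key /etc/nginx/certs/private.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass https://$upstream_host:$upstream_port;
        proxy_ssl_protocols $protocols;
$legacy
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/nginx/certs/upstream-ca.pem;
        proxy_ssl_server_name on;
        proxy_ssl_name $upstream_host;
    }
}
EOF
}

# Usage: ./probe-upstream.sh tomcat.internal 8443 > /etc/nginx/conf.d/upstream.conf
if [ "$#" -ge 2 ]; then
    if protocols=$(probe_protocols "$1" "$2"); then
        render_config "$1" "$2" "$protocols"
    else
        echo "no TLS version completed a handshake with $1:$2" >&2
        exit 1
    fi
fi
```

If the probe reports only `TLSv1`, the emitted `proxy_ssl_protocols TLSv1;` line matches what worked in the comment above; if nothing completes a handshake at any version, the upstream port is most likely not speaking TLS at all, which is also what OpenSSL's `unknown protocol` means.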