libressl: nginx (client)->java (server) fails with SSL internal error


Stuart Henderson
I have nginx reverse-proxy to Unifi's java https server and started
running into problems after an update to base a little while ago,
I finally got round to bisecting to this commit:

PatchSet 3569
Date: 2020/07/07 19:24:23
Author: jsing
Branch: HEAD
Tag: (none)
Enable TLSv1.3 for the generic TLS_method().

This can be done now that we have both TLSv1.3 client and server.

ok beck@ inoguchi@ tb@


With that enabled, nginx (as *client*) is unable to connect to the Java
https server, from nginx's log:

2020/09/10 16:08:31 [error] 57039#0: *1 SSL_read() failed (SSL: error:14FFF438:SSL routines:(UNKNOWN)SSL_internal:tlsv1 alert internal error:SSL alert number 80) while reading response header from upstream, client: XXX, server: XXX, request: "GET /manage/account/login?redirect=%2Fmanage HTTP/2.0", upstream: "XXX", host: "XXX"

Other clients (at least ftp, curl, wget, nc) have no problem connecting
to this server - connects with TLSv1.2/ECDHE-RSA-AES128-GCM-SHA256.

Packages are not available for Unifi so to reproduce both sides you'll
need a ports tree on your system, then

pkg_add nginx mongodb javaPathHelper jdk%1.8
cd /usr/ports/net/unifi/stable
make install
cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak
# quoted delimiter so the shell does not expand nginx's $host / $http_upgrade
cat << 'EOF' > /etc/nginx/nginx.conf
events {
  worker_connections 800;
}
http {
  server {
    server_name localhost;
    listen 80;
    location / {
      # the upstream https URL was stripped from the archived post; placeholder
      proxy_pass https://UNIFI_HTTPS_URL_PLACEHOLDER;
      proxy_set_header Host $host;
      proxy_redirect default;
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
    }
  }
}
EOF
rcctl start unifi nginx

startup will take a little while; wait until "ftp -o- -Sdont" (i.e. connect direct to the java server)
returns html, then try fetching via nginx (ftp -o-
and observe the 502 Bad gateway.

Any ideas?
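Added example, not part of the post above: a small decoder for the error fragment nginx logs when LibreSSL's SSL_read() fails, showing that error:14FFF438 unpacks to library SSL, function (UNKNOWN) and reason 1080, i.e. the 1000 + alert-number encoding of the received TLS alert 80 (internal_error), which is sent by the server, so the failure is on the Java side even though nginx is where it shows up. The sample log lines are constructed; the field layout follows OpenSSL/LibreSSL's ERR_GET_LIB/ERR_GET_FUNC/ERR_GET_REASON.

```python
import re
from typing import Optional

# TLS alert descriptions (RFC 5246 / RFC 8446), the subset worth naming here
TLS_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 47: "illegal_parameter",
    48: "unknown_ca", 70: "protocol_version", 71: "insufficient_security",
    80: "internal_error", 109: "missing_extension", 120: "no_application_protocol",
}
ERR_LIB_SSL = 20              # ERR_LIB_SSL as packed into the top byte of the code
SSL_AD_REASON_OFFSET = 1000   # SSL reasons 1000+N mirror received TLS alert N
UNKNOWN_FUNC = 0xFFF          # LibreSSL prints this function id as "(UNKNOWN)"

# "SSL: error:<8 hex digits>:... SSL alert number <n>" as nginx writes it
LOG_RE = re.compile(r"SSL: error:([0-9A-Fa-f]{8}):.*?SSL alert number (\d+)")

def decode_err(code: int) -> dict:
    """Unpack an ERR_get_error()-style number into lib / func / reason fields."""
    lib = (code >> 24) & 0xFF
    func = (code >> 12) & 0xFFF
    reason = code & 0xFFF
    info = {"lib": "SSL" if lib == ERR_LIB_SSL else str(lib),
            "func": "(UNKNOWN)" if func == UNKNOWN_FUNC else str(func),
            "reason": reason}
    if lib == ERR_LIB_SSL and reason > SSL_AD_REASON_OFFSET:
        info["alert"] = reason - SSL_AD_REASON_OFFSET   # alert the peer sent us
    return info

def classify(line: str) -> Optional[dict]:
    """Return decoded fields for an nginx SSL_read() failure line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    info = decode_err(int(m.group(1), 16))
    logged = int(m.group(2))
    info["alert_name"] = TLS_ALERTS.get(logged, "unknown")
    # the reason code and the logged alert number should agree; flag if not
    info["consistent"] = info.get("alert") == logged
    return info

# Constructed sample lines: the failure from the post, plus an unrelated line
SAMPLE_LOG = [
    '2020/09/10 16:08:31 [error] 57039#0: *1 SSL_read() failed (SSL: error:14FFF438:'
    'SSL routines:(UNKNOWN)SSL_internal:tlsv1 alert internal error:SSL alert number 80)'
    ' while reading response header from upstream, client: XXX, upstream: "XXX"',
    '2020/09/10 16:08:32 [error] 57039#0: *2 upstream timed out while connecting',
]

def scan(lines=SAMPLE_LOG) -> list:
    """Decode every TLS-alert failure in the given log lines."""
    return [r for r in (classify(l) for l in lines) if r is not None]
```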