I am trying to use nginx as a reverse proxy to web logic with two way SSL/mutual SSL.
Client <= Two way SSL => NGINX <= Two Way SSL => WebLogic server
Client to NGINX two way SSL works fine but getting below errors on upstream connecting to web logic.
nginx debug log:
2014/08/16 22:40:53 [debug] 33741#0: *9 SSL handshake handler: 0 2014/08/16 22:40:53 [debug] 33741#0: *9 SSL_do_handshake: -1 2014/08/16 22:40:53 [debug] 33741#0: *9 SSL_get_error: 2 2014/08/16 22:40:53 [debug] 33741#0: timer delta: 5 2014/08/16 22:40:53 [debug] 33741#0: posted events 0000000000000000 2014/08/16 22:40:53 [debug] 33741#0: worker cycle 2014/08/16 22:40:53 [debug] 33741#0: kevent timer: 59840, changes: 0 2014/08/16 22:40:53 [debug] 33741#0: kevent events: 2 2014/08/16 22:40:53 [debug] 33741#0: kevent: 7: ft:-2 fl:0025 ff:00000000 d:131520 ud:00007FF263805150 2014/08/16 22:40:53 [debug] 33741#0: *9 kevent: 7: ft:-2 fl:0025 ff:00000000 d:131520 ud:00007FF263805150 2014/08/16 22:40:53 [debug] 33741#0: *9 SSL handshake handler: 1 2014/08/16 22:40:53 [debug] 33741#0: *9 SSL_do_handshake: 0 2014/08/16 22:40:53 [debug] 33741#0: *9 SSL_get_error: 1 SSL_do_handshake() failed (SSL: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:SSL alert number 40) while SSL handshaking to upstream client: localhost, server: localhost, request: "GET /customers/~/xxxx/~/xxx/health HTTP/1.1", upstream: "https://xx.xx.xx.xxx:11211/customer-upstream/~/xxx/~/xxx/health/", host: "localhost:12121"
Here is my nginx configuration for upstream:
proxy_cache_path /opt/openresty/nginx/cache levels=1:2 keys_zone=data-cache:8m max_size=1000m inactive=600m; proxy_temp_path /opt/openresty/nginx/cache/tmp; upstream rs_backend { server xx.xx.xx.xxx:11211; } server { server_name localhost; listen 12121 ssl; ssl on; ssl_verify_client on; ssl_session_cache shared:SSL:1m; ssl_session_timeout 10m; ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; #ssl_protocols TLSv1; #ssl_ciphers SSL_RSA_WITH_RC4_128_MD5:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!CAMELLIA; #ssl_ciphers HIGH:!MD5:!aNULL:!EDH:!CAMELLIA; ssl_prefer_server_ciphers on; proxy_ssl_session_reuse off; large_client_header_buffers 4 32K; ssl_certificate /etc/ssl/api-cert.pem; ssl_certificate_key /etc/ssl/api-cert.key; ssl_client_certificate /etc/ssl/api-cert.pem; location /customers/ { rewrite ^/customers/(.*) /customer-upstream/$1/ break; proxy_redirect off; proxy_ssl_verify on; proxy_ssl_verify_depth 4; proxy_ssl_trusted_certificate /etc/ssl/api-cert-nopass.pem; proxy_pass_header Server; proxy_http_version 1.1; proxy_set_header Connection Keep-Alive; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host localhost:11211; proxy_set_header Accept 'application/json;v=3'; proxy_pass https://xx.xx.xx.xxx:11211/; #proxy_pass https://rs_backend; }
I tried various options including commenting out below configs.
proxy_ssl_verify on; proxy_ssl_verify_depth 4;
If I try using openssl c_client command line, I am able to connect and get 2xx response for HTTP GET request.
openssl c_client -connect xx.xx.xx.xxx:11211 -cert api-qaid-nopass.pem
Any help would be appreciated.
I have added support for two way/mutual authentication using certificate and key.
See the pull request:
https://github.com/nginx/nginx/pull/7
http://mailman.nginx.org/pipermail/nginx-devel/2014-August/005817.html
It is been validated against WebLogic 11g server which is configured for two way SSL.
proxy_ssl_trusted_certificate is used to verify the certificate of the upstream server, not to specify the client certificate which should be used when connecting to the upstream server. As far as I know there is currently now way to make ngnix use a client certificate in the upstream connection.