Monday, September 14, 2020

[stu@spacehopper.org: libressl: nginx (client)->java (server) fails with SSL internal error]

I've included a hackish diff to work around this problem below, in case
anyone else needs it. Not clean as it will force TLSv1.2 and disallow
earlier versions.

----- Forwarded message from Stuart Henderson <stu@spacehopper.org> -----

From: Stuart Henderson <stu@spacehopper.org>
Date: Thu, 10 Sep 2020 16:30:49 +0100
To: bugs@openbsd.org
Subject: libressl: nginx (client)->java (server) fails with SSL internal error
Mail-Followup-To: bugs@openbsd.org

I have nginx reverse-proxy to Unifi's java https server and started
running into problems after an update to base a little while ago,
I finally got round to bisecting to this commit:

---------------------
PatchSet 3569
Date: 2020/07/07 19:24:23
Author: jsing
Branch: HEAD
Tag: (none)
Log:
Enable TLSv1.3 for the generic TLS_method().

This can be done now that we have both TLSv1.3 client and server.

ok beck@ inoguchi@ tb@

Members:
ssl_locl.h:1.280->1.281
ssl_methods.c:1.12->1.13
---------------------

With that enabled, nginx (as *client*) is unable to connect to the Java
https server, from nginx's log:

2020/09/10 16:08:31 [error] 57039#0: *1 SSL_read() failed (SSL: error:14FFF438:SSL routines:(UNKNOWN)SSL_internal:tlsv1 alert internal error:SSL alert number 80) while reading response header from upstream, client: XXX, server: XXX, request: "GET /manage/account/login?redirect=%2Fmanage HTTP/2.0", upstream: "XXX", host: "XXX"

Other clients (at least ftp, curl, wget, nc) have no problem connecting
to this server - connects with TLSv1.2/ECDHE-RSA-AES128-GCM-SHA256.

Packages are not available for Unifi so to reproduce both sides you'll
need a ports tree on your system, then

pkg_add nginx mongodb javaPathHelper jdk%1.8
cd /usr/ports/net/unifi/stable
make install
cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak
cat << EOF > /etc/nginx/nginx.conf
events {
worker_connections 800;
}
http {
server {
server_name localhost;
listen 80;
location / {
proxy_pass https://127.0.0.1:8443;
proxy_set_header Host $host;
proxy_redirect default;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
}
EOF
rcctl start unifi nginx

startup will take a little while; wait until "ftp -o- -Sdont
https://127.0.0.1:8443/" (i.e. connect direct to the java server)
returns html, then try fetching via nginx (ftp -o- http://127.0.0.1/)
and observe the 502 Bad gateway.

Any ideas?


----- End forwarded message -----



Index: patches/patch-src_event_ngx_event_openssl_c
===================================================================
RCS file: patches/patch-src_event_ngx_event_openssl_c
diff -N patches/patch-src_event_ngx_event_openssl_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_event_ngx_event_openssl_c 14 Sep 2020 16:29:40 -0000
@@ -0,0 +1,14 @@
+$OpenBSD$
+
+Index: src/event/ngx_event_openssl.c
+--- src/event/ngx_event_openssl.c.orig
++++ src/event/ngx_event_openssl.c
+@@ -250,7 +250,7 @@ ngx_ssl_init(ngx_log_t *log)
+ ngx_int_t
+ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
+ {
+- ssl->ctx = SSL_CTX_new(SSLv23_method());
++ ssl->ctx = SSL_CTX_new(TLSv1_2_method());
+
+ if (ssl->ctx == NULL) {
+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "SSL_CTX_new() failed");

No comments:

Post a Comment