
I'm trying to set up an Nginx server to reverse proxy a Tomcat web service (which I don't have access to). This is essentially because the Tomcat server is running TLSv1.0, so I'm trying to bump up the version.

However, when I try to access the proxy I'm getting a 502 error. The Nginx logs are showing: `SSL_do_handshake() failed (SSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol) while SSL handshaking to upstream`.

Here's my Nginx configuration:

```nginx
ssl_certificate /etc/nginx/certs/public.pem;
ssl_certificate_key /etc/nginx/certs/private.key;
ssl_session_timeout 5m;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;

server {
    listen 6003;
    server_name example.com;
    ssl on;

    location / {
        proxy_pass https://example.com:6003;
    }
}
```

I've tried the same thing with Apache but see exactly the same error. Does anyone have any ideas?


This is a similar answer to nginx as reverse proxy with upstream SSL. There are separate ssl settings to set the acceptable protocols for your upstream proxy.

```nginx
...
server {
    listen 6003;
    server_name example.com;
    ssl on;
    ssl_certificate /etc/nginx/certs/example.pem;
    ssl_certificate_key /etc/nginx/certs/private.key;
    # ... other settings

    location / {
        proxy_pass https://example.com:6003;
        proxy_ssl_trusted_certificate /etc/nginx/certs/example.pem;
        proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    }
}
```

The three listed values for `proxy_ssl_protocols` are the current default set, but they could conceivably change in future releases to remove TLSv1 and TLSv1.1.

  • Thanks! I actually managed to get it working by using `proxy_ssl_protocols TLSv1` only. Having the other two versions in there gave me the same error, but removing them solved the problem. Commented Feb 21, 2018 at 9:51
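A small lint over the directives discussed in this thread, added here as an example and not code from either post. It assumes nginx's documented defaults (`proxy_ssl_protocols` as the answer states it, `proxy_ssl_verify` off) and runs over a constructed config built from the asker's and answerer's snippets; for each `https://` `proxy_pass` it reports the effective upstream protocol set, which of those are legacy versions, and whether the upstream certificate is actually verified, since `proxy_ssl_trusted_certificate` on its own does not turn verification on.

```python
import re
# Assumed defaults (nginx docs): proxy_ssl_protocols as the answer states it, proxy_ssl_verify off.
DEFAULT_PROXY_PROTOCOLS = ("TLSv1", "TLSv1.1", "TLSv1.2")
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def tokenize(text):  # split into '{', '}', ';' and words; '#' comments are dropped
    return re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", text))

def parse(tokens, i=0):
    """Return ([(args, child_block_or_None), ...], index_after_block)."""
    items = []
    while i < len(tokens) and tokens[i] != "}":
        args = []
        while tokens[i] not in ("{", ";"):
            args.append(tokens[i])
            i += 1
        child, i = parse(tokens, i + 1) if tokens[i] == "{" else (None, i)
        items.append((args, child))
        i += 1  # step over the ';' or the block's closing '}'
    return items, i

def lint(text):
    """Report each https proxy_pass with the upstream TLS settings in effect for it."""
    findings = []
    def walk(items, inherited):
        env = dict(inherited)
        for args, _ in items:  # proxy_ssl_* directives apply to their whole block
            if args and args[0].startswith("proxy_ssl_"):
                env[args[0]] = tuple(args[1:])
        for args, child in items:
            if child is not None:
                walk(child, env)
            elif args[:1] == ["proxy_pass"] and args[1].startswith("https://"):
                protos = env.get("proxy_ssl_protocols", DEFAULT_PROXY_PROTOCOLS)
                findings.append({"upstream": args[1], "protocols": protos,
                                 "legacy": sorted(LEGACY & set(protos)),
                                 "verify": env.get("proxy_ssl_verify", ("off",))[0] == "on"})
    walk(parse(tokenize(text))[0], {})
    return findings

# Constructed sample: the asker's/answerer's location plus a made-up second upstream.
SAMPLE = """server {
    ssl_certificate /etc/nginx/certs/example.pem;
    location / {
        proxy_pass https://example.com:6003;
        proxy_ssl_trusted_certificate /etc/nginx/certs/example.pem;
        proxy_ssl_protocols TLSv1;   # the value the asker's comment reports as working
    }
    location /api/ { proxy_pass https://backend.internal:8443; }   # constructed; inherits defaults
}"""
```

Running `lint(SAMPLE)` shows the first location pinned to TLSv1 and the second silently on the default set, with `verify` false for both.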
