vit*_*tch 5 ssl nginx proxy https
我正在针对远程 https Web 服务开发应用程序。在开发时,我需要将来自本地开发服务器(在 ubuntu 上运行 nginx)的请求代理到远程 https Web 服务器。这是相关的 nginx 配置:
server {
server_name project.dev;
listen 443;
ssl on;
ssl_certificate /etc/nginx/ssl/server.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;
location / {
proxy_pass https://remote.server.com;
proxy_set_header Host remote.server.com;
proxy_redirect off;
}
}
问题是远程 HTTPS 服务器只能接受通过 SSLv3 的连接,从以下openssl调用可以看出。
不工作:
$ openssl s_client -connect remote.server.com:443
CONNECTED(00000003)
139849073899168:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 226 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
在职的:
$ openssl s_client -connect remote.server.com:443 -ssl3
CONNECTED(00000003)
<snip>
---
SSL handshake has read 1562 bytes and written 359 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : RC4-SHA
<snip>
使用当前设置,502 Bad Gateway当我在浏览器中连接到它时,我的 nginx 代理会给出一个。debug在错误日志中启用我可以看到消息:[info] 1451#0: *16 peer closed connection in SSL handshake while SSL handshaking to upstream。
我尝试添加ssl_protocols SSLv3;到 nginx 配置,但这没有帮助。
有谁知道我如何设置它才能正常工作?
编辑- 添加了额外的请求信息:
在带有 OpenSSL 版本的 Ubuntu 12.04 上运行:
$ openssl version
OpenSSL 1.0.1 14 Mar 2012
下面@Christopher Perrin 提供的解决方案是将 openssl 降级到 1.0.0。这是为我成功执行此操作的命令(在 AMD64 上运行的 ubuntu 12.04 上):
wget http://launchpadlibrarian.net/81976289/openssl_1.0.0e-2ubuntu4_amd64.deb
sudo dpkg -i openssl_1.0.0e-2ubuntu4_amd64.deb
wget http://launchpadlibrarian.net/81976290/libssl1.0.0_1.0.0e-2ubuntu4_amd64.deb
sudo dpkg -i libssl1.0.0_1.0.0e-2ubuntu4_amd64.deb
| 归档时间: |
|
| 查看次数: |
15497 次 |
| 最近记录: |