Nginx-ru mailing list archive (nginx-ru@sysoev.ru)
Re: HTTPS proxy on nginx/1.5.4 built by hand vs nginx/1.5.7 from the repository
- To: nginx-ru@xxxxxxxxx
- Subject: Re: HTTPS proxy on nginx/1.5.4 built by hand vs nginx/1.5.7 from the repository
- From: "mnsold" <nginx-forum@xxxxxxxx>
- Date: Mon, 09 Dec 2013 09:34:23 -0500
- In-reply-to: <A050128E-BB8C-4D67-9A27-723FFA1B9C96@nginx.com>
- References: <A050128E-BB8C-4D67-9A27-723FFA1B9C96@nginx.com>
> Try connecting to glassfish with the _stock_ (packaged) s_client:
> openssl s_client -debug -connect localhost:8002
Enabled:
> -Djavax.net.debug=ssl
The openssl currently installed is:
# openssl version
OpenSSL 1.0.1e 11 Feb 2013
# dpkg -l|grep openssl
ii openssl 1.0.1e-2
but nginx 1.5.7 still uses 0.9.8:
# ldd `which nginx`
linux-vdso.so.1 => (0x00007fffae33d000)
libpthread.so.0 => /lib/libpthread.so.0 (0x00007fdd24f6b000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0x00007fdd24d34000)
libpcre.so.3 => /lib/libpcre.so.3 (0x00007fdd24b03000)
libssl.so.0.9.8 => /usr/lib/libssl.so.0.9.8 (0x00007fdd248ac000)
libcrypto.so.0.9.8 => /usr/lib/libcrypto.so.0.9.8 (0x00007fdd2450b000)
libz.so.1 => /usr/lib/libz.so.1 (0x00007fdd242f3000)
libc.so.6 => /lib/libc.so.6 (0x00007fdd23f91000)
/lib64/ld-linux-x86-64.so.2 (0x00007fdd25195000)
libdl.so.2 => /lib/libdl.so.2 (0x00007fdd23d8d000)
nginx 1.5.4:
# ldd `which /data/nginx-gost/sbin/nginx`
linux-vdso.so.1 => (0x00007fff695ff000)
libpthread.so.0 => /lib/libpthread.so.0 (0x00007ff4330f4000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0x00007ff432ebd000)
libpcre.so.3 => /lib/libpcre.so.3 (0x00007ff432c8c000)
libssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007ff432a2d000)
libcrypto.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007ff432649000)
libdl.so.2 => /lib/libdl.so.2 (0x00007ff432444000)
libz.so.1 => /usr/lib/libz.so.1 (0x00007ff43222d000)
libc.so.6 => /lib/libc.so.6 (0x00007ff431ecb000)
/lib64/ld-linux-x86-64.so.2 (0x00007ff43331e000)
# openssl s_client -connect localhost:8002 -tlsextdebug
CONNECTED(00000003)
depth=0 C = US, ST = California, L = Santa Clara, O = Oracle Corporation, OU = GlassFish, CN = myhost.domain.local
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = California, L = Santa Clara, O = Oracle Corporation, OU = GlassFish, CN = myhost.domain.local
verify return:1
---
Certificate chain
0 s:/C=US/ST=California/L=Santa Clara/O=Oracle Corporation/OU=GlassFish/CN=myhost.domain.local
i:/C=US/ST=California/L=Santa Clara/O=Oracle Corporation/OU=GlassFish/CN=myhost.domain.local
---
Server certificate
subject=/C=US/ST=California/L=Santa Clara/O=Oracle Corporation/OU=GlassFish/CN=myhost.domain.local
issuer=/C=US/ST=California/L=Santa Clara/O=Oracle Corporation/OU=GlassFish/CN=myhost.domain.local
---
No client certificate CA names sent
---
SSL handshake has read 1264 bytes and written 478 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : EDH-RSA-DES-CBC3-SHA
Session-ID: 52A5C7084B96822C644DA72CADECFADD2C8684AFE17E63158BD8EB90819682B1
Session-ID-ctx:
Master-Key: ECB9F34696C2F27C330007773E9272D9FE539517AC74FD3E94F5CF105AA77BF2DFFEFEE93BE22066F68D42CB080F289F
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1386596104
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
If I make a request from nginx 1.5.7 (from the repository), the glassfish log shows:
[#|2013-12-09T18:27:35.338+0400|INFO|oracle-glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=36;_ThreadName=Thread-2;|Using SSLEngineImpl.|#]
[#|2013-12-09T18:27:35.338+0400|INFO|oracle-glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=36;_ThreadName=Thread-2;|http-thread-pool-8002(5), READ: TLSv1 Handshake, length = 89|#]
[#|2013-12-09T18:27:35.339+0400|INFO|oracle-glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=36;_ThreadName=Thread-2;|http-thread-pool-8002(5), fatal error: 80: problem unwrapping net record
javax.net.ssl.SSLException: Unexpected end of handshake data|#]
[#|2013-12-09T18:27:35.339+0400|INFO|oracle-glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=36;_ThreadName=Thread-2;|http-thread-pool-8002(5)|#]
[#|2013-12-09T18:27:35.339+0400|INFO|oracle-glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=36;_ThreadName=Thread-2;|, SEND TLSv1 ALERT: |#]
[#|2013-12-09T18:27:35.339+0400|INFO|oracle-glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=36;_ThreadName=Thread-2;|fatal, |#]
[#|2013-12-09T18:27:35.340+0400|INFO|oracle-glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=36;_ThreadName=Thread-2;|description = internal_error|#]
[#|2013-12-09T18:27:35.340+0400|INFO|oracle-glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=36;_ThreadName=Thread-2;|http-thread-pool-8002(5), WRITE: TLSv1 Alert, length = 2|#]
There are no other entries in the log.
If I make a request from nginx 1.5.7 (manual build), the glassfish log shows:
[#|2013-12-09T18:30:54.568+0400|INFO|oracle-glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=35;_ThreadName=Thread-2;|Using SSLEngineImpl.|#]
[#|2013-12-09T18:30:54.568+0400|INFO|oracle-glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=35;_ThreadName=Thread-2;|http-thread-pool-8002(4), READ: TLSv1 Handshake, length = 258|#]
[#|2013-12-09T18:30:54.569+0400|INFO|oracle-glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=35;_ThreadName=Thread-2;|*** ClientHello, TLSv1|#]
[#|2013-12-09T18:30:54.569+0400|INFO|oracle-glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=35;_ThreadName=Thread-2;|RandomCookie: |#]
...
[#|2013-12-09T18:30:54.580+0400|INFO|oracle-glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=35;_ThreadName=Thread-2;|Cipher Suites: [TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, Unknown 0xc0:0x22, Unknown 0xc0:0x21,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, Unknown 0x0:0x88, Unknown 0x0:0x87,
Unknown 0x0:0x81, Unknown 0x0:0x80, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, Unknown 0x0:0x84,
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
Unknown 0xc0:0x1c, Unknown 0xc0:0x1b, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, Unknown 0xc0:0x1f, Unknown 0xc0:0x1e,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, Unknown 0x0:0x9a,
Unknown 0x0:0x99, Unknown 0x0:0x45, Unknown 0x0:0x44,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, Unknown 0x0:0x96,
Unknown 0x0:0x41, SSL_RSA_WITH_IDEA_CBC_SHA,
TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA,
TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA,
SSL_RSA_WITH_RC4_128_MD5, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA,
SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
SSL_RSA_EXPORT_WITH_RC4_40_MD5, Unknown 0x0:0xff]|#]
[#|2013-12-09T18:30:54.580+0400|INFO|oracle-glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=35;_ThreadName=Thread-2;|Compression Methods: { |#]
[#|2013-12-09T18:30:54.580+0400|INFO|oracle-glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=35;_ThreadName=Thread-2;|0|#]
[#|2013-12-09T18:30:54.580+0400|INFO|oracle-glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=35;_ThreadName=Thread-2;|
}|#]
[#|2013-12-09T18:30:54.580+0400|INFO|oracle-glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=35;_ThreadName=Thread-2;|Extension ec_point_formats, formats: [uncompressed, ansiX962_compressed_prime, ansiX962_compressed_char2]|#]
[#|2013-12-09T18:30:54.580+0400|INFO|oracle-glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=35;_ThreadName=Thread-2;|Extension elliptic_curves, curve names: {sect571r1, sect571k1, secp521r1,
sect409k1, sect409r1, secp384r1, sect283k1, sect283r1, secp256k1, secp256r1, sect239k1,
sect233k1, sect233r1, secp224k1, secp224r1, sect193r1, sect193r2, secp192k1,
secp192r1, sect163k1, sect163r1, sect163r2, secp160k1, secp160r1, secp160r2}|#]
[#|2013-12-09T18:30:54.581+0400|INFO|oracle-glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=35;_ThreadName=Thread-2;|Unsupported extension type_35, data: |#]
[#|2013-12-09T18:30:54.581+0400|INFO|oracle-glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=35;_ThreadName=Thread-2;|Unsupported extension type_15, data: 01|#]
[#|2013-12-09T18:30:54.581+0400|INFO|oracle-glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=35;_ThreadName=Thread-2;|***|#]
[#|2013-12-09T18:30:54.582+0400|INFO|oracle-glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=35;_ThreadName=Thread-2;|%% Resuming [Session-16, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA]|#]
...
Posted at Nginx Forum:
http://forum.nginx.org/read.php?21,245360,245366#msg-245366
_______________________________________________
nginx-ru mailing list
nginx-ru@xxxxxxxxx
http://mailman.nginx.org/mailman/listinfo/nginx-ru
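A small triage helper for GlassFish logs of the kind quoted in this message, added here as an example (it is not code from the thread, from nginx or from GlassFish): it parses the `[#|...|#]` ULF records, groups them by `_ThreadID` and reports, per connection, the size of the handshake record JSSE read, whether it got as far as parsing a ClientHello, and the fatal exception and alert it logged. The sample records are constructed from the values in the message; the field layout assumed is the one visible in the quoted log lines.

```python
import re

# Constructed sample in GlassFish's ULF record format, modelled on the
# javax.net.debug=ssl records quoted in the thread (abbreviated, not verbatim).
def _rec(ts, tid, msg):
    logger = "javax.enterprise.system.std.com.sun.enterprise.server.logging"
    return f"[#|{ts}|INFO|oracle-glassfish3.1.2|{logger}|_ThreadID={tid};_ThreadName=Thread-2;|{msg}|#]"

SAMPLE_LOG = "\n".join([
    _rec("2013-12-09T18:27:35.338+0400", 36, "Using SSLEngineImpl."),
    _rec("2013-12-09T18:27:35.338+0400", 36, "http-thread-pool-8002(5), READ: TLSv1 Handshake, length = 89"),
    _rec("2013-12-09T18:27:35.339+0400", 36, "http-thread-pool-8002(5), fatal error: 80: problem unwrapping net record\n"
                                           "javax.net.ssl.SSLException: Unexpected end of handshake data"),
    _rec("2013-12-09T18:27:35.340+0400", 36, "description = internal_error"),
    _rec("2013-12-09T18:30:54.568+0400", 35, "http-thread-pool-8002(4), READ: TLSv1 Handshake, length = 258"),
    _rec("2013-12-09T18:30:54.569+0400", 35, "*** ClientHello, TLSv1"),
    _rec("2013-12-09T18:30:54.582+0400", 35, "%% Resuming [Session-16, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA]"),
])

RECORD_RE = re.compile(r"\[#\|(.*?)\|#\]", re.S)  # a record's message may span lines
def parse_records(text):
    """Yield (timestamp, thread_id, message) for every ULF record in text."""
    for body in RECORD_RE.findall(text):
        ts, _lvl, _prod, _logger, kv, msg = body.split("|", 5)
        m = re.search(r"_ThreadID=(\d+)", kv)
        yield ts, int(m.group(1)) if m else None, msg

def summarize_handshakes(text):
    """Per _ThreadID: size of the first handshake record read, whether JSSE got as far as
    parsing a ClientHello, the fatal exception, the alert description, the resumed suite."""
    threads = {}
    for _ts, tid, msg in parse_records(text):
        s = threads.setdefault(tid, dict(hello_len=None, hello_parsed=False, fatal=None, alert=None, resumed=None))
        m = re.search(r"READ: TLSv[\d.]+ Handshake, length = (\d+)", msg)
        if m and s["hello_len"] is None:
            s["hello_len"] = int(m.group(1))
        if "ClientHello" in msg:
            s["hello_parsed"] = True
        if m := re.search(r"fatal error: \d+: (.*)", msg, re.S):
            s["fatal"] = m.group(1).strip().splitlines()[-1]  # the exception line names the failure
        if m := re.search(r"description = (\w+)", msg):
            s["alert"] = m.group(1)
        if m := re.search(r"Resuming \[Session-\d+, (\w+)\]", msg):
            s["resumed"] = m.group(1)
    return threads

def verdicts(text):
    """(thread_id, status, summary): 'failed' when JSSE aborted before parsing a ClientHello."""
    return [(tid, "failed" if s["fatal"] else "ok" if s["hello_parsed"] else "unknown", s)
            for tid, s in sorted(summarize_handshakes(text).items())]
```

Run against a real server.log the same way (`verdicts(open("server.log").read())`); a thread whose handshake record was read but never reached "ClientHello" is the pattern the repository build produced above.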