Tags: nginx, ssl, openssl

nginx fails forwarding with SSL: error:0A000152:SSL routines::unsafe legacy renegotiation disabled


I am trying to proxy-pass traffic, over HTTP, from nginx to an old web server in my lab. The old web server has an old self-signed certificate using TLSv1 and cipher RSA-PSK-AES128-CBC-SHA.

This is my current nginx config:

server {
    listen 80;
    server_name _;
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;
    location ~ ^/(.*)$ {
        proxy_pass https://my-server:443/$1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_ssl_verify off;
    }
}

Sending requests to the server I get a 502 status error, and in the nginx error.log I see the following error:

2024/02/13 13:53:18 [error] 12#12: *1 SSL_do_handshake() failed (SSL: error:0A000152:SSL routines::unsafe legacy renegotiation disabled) while SSL handshaking to upstream, client: 192.168,1,122, server: _, request: "GET / HTTP/1.1", upstream: "https://my-server:443/", host: "192.168,1.25:80"

Updating the old self-signed certificate is not an option.

I tried updating multiple nginx directives with no success.

Any suggestions on how to proceed?


Solution

  • The solution was to add the following nginx directive:

    proxy_ssl_conf_command Options UnsafeLegacyRenegotiation;
    

    So this is my new config:

    server {
        listen 80;
        server_name _;
        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;
        location ~ ^/(.*)$ {
            proxy_pass https://my-server:443/$1;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_ssl_verify off;
            proxy_ssl_conf_command Options UnsafeLegacyRenegotiation;
        }
    }
    

    It seems that UnsafeLegacyRenegotiation is disabled by default in the OpenSSL configuration on most newer systems, and using proxy_ssl_conf_command it's possible to update the configuration for nginx easily.
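As an added example (not the asker's or the answerer's configuration), the same fix applied more narrowly: the OpenSSL relaxation is confined to the one upstream that lacks RFC 5746 secure renegotiation, and instead of `proxy_ssl_verify off` the old server's self-signed certificate is pinned as the trust anchor. The file path `/etc/nginx/upstream/my-server.pem` and the assumption that the certificate's subject matches `my-server` are mine, not from the page.

```nginx
# Added example. Assumes the old server's self-signed certificate has been
# copied to /etc/nginx/upstream/my-server.pem (placeholder path) and that
# its subject name matches "my-server".
server {
    listen 80;
    server_name _;
    access_log /var/log/nginx/access.log;
    error_log  /var/log/nginx/error.log;

    location / {
        # No URI part on proxy_pass: the original request URI is forwarded as-is,
        # which is what the regex capture in the original config achieved.
        proxy_pass https://my-server:443;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Verify the upstream against its own self-signed certificate rather than
        # turning verification off: a self-signed cert in the trusted file is its
        # own trust anchor, so depth 1 is enough.
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/nginx/upstream/my-server.pem;
        proxy_ssl_verify_depth 1;
        # Name checked against the certificate (defaults to the proxy_pass host;
        # set it explicitly if the certificate was issued for a different name).
        proxy_ssl_name my-server;

        # Only this upstream needs unsafe legacy renegotiation, so the option is
        # set in this location block and nowhere else.
        proxy_ssl_conf_command Options UnsafeLegacyRenegotiation;
    }
}
```

The .pem file is the old server's own certificate, copied from that host; compare its fingerprint with the one shown on the server before trusting it, and check with `nginx -t` before reloading.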