Cloudflare and NGINX [error] 1226#1226: *14 SSL_do_handshake() failed (SSL: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:SSL alert number 40)

Hello,

I’ve checked all the similar posts without results.

I have this situation:

  • Ubuntu 18.04 server with nginx 1.14.0 set up as a reverse proxy that is under Cloudflare Proxy

  • Ubuntu 18.04 server with nginx 1.19.2 set up as a web server under Cloudflare Proxy.

  • both servers have SSL onboard, with a Let’s Encrypt certificate; the DNS is managed by Cloudflare.

I’m trying to get this to work, but if I try to reach the reverse proxy URL I get a 502 Bad Gateway.

Checking the logs of the reverse proxy I get this error:

[error] 1226#1226: *29 SSL_do_handshake() failed (SSL: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:SSL alert number 40) while SSL handshaking to upstream, client: my_client_pc_ip, server: my_reverseproxy_url, request: "GET / HTTP/1.1", upstream: "https://104.31.95.67:443/", host: "my_reverseproxy_url"

Then I made some tests:

  • If I disable the Proxy Mode on both servers: works
  • If I disable the Proxy Mode only on the web server: works
  • If I disable the Proxy Mode only on the reverse proxy: does not work

The strange thing is that kind of error: none of the servers is asking for the SSLv3 protocol.

This is the nginx configuration of the reverse proxy (maybe it can be useful):

user www-data;
pid /run/nginx.pid;
worker_processes auto;
worker_rlimit_nofile 65535;

events {
    multi_accept on;
    worker_connections 65535;
}

http {
    sendfile           on;
    tcp_nopush         on;
    tcp_nodelay        on;

    keepalive_timeout 10;
    keepalive_requests 100000;
    types_hash_max_size 2048;
    server_tokens off;
    server_names_hash_bucket_size 128;
    server_name_in_redirect off;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    gzip off;

    # Cloudflare edge ranges: trust CF-Connecting-IP only from these
    set_real_ip_from 103.21.244.0/22;
    set_real_ip_from 103.22.200.0/22;
    set_real_ip_from 103.31.4.0/22;
    set_real_ip_from 104.16.0.0/12;
    set_real_ip_from 108.162.192.0/18;
    set_real_ip_from 131.0.72.0/22;
    set_real_ip_from 141.101.64.0/18;
    set_real_ip_from 162.158.0.0/15;
    set_real_ip_from 172.64.0.0/13;
    set_real_ip_from 173.245.48.0/20;
    set_real_ip_from 188.114.96.0/20;
    set_real_ip_from 190.93.240.0/20;
    set_real_ip_from 197.234.240.0/22;
    set_real_ip_from 198.41.128.0/17;
    set_real_ip_from 2400:cb00::/32;
    set_real_ip_from 2606:4700::/32;
    set_real_ip_from 2803:f800::/32;
    set_real_ip_from 2405:b500::/32;
    set_real_ip_from 2405:8100::/32;
    set_real_ip_from 2c0f:f248::/32;
    set_real_ip_from 2a06:98c0::/29;

    real_ip_header CF-Connecting-IP;
    real_ip_recursive on;

    # proxy upstream
    upstream admin {
        server myurl:443;
    }

    # logging
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log warn;

    # limits
    limit_req_log_level warn;
    limit_req_zone $binary_remote_addr zone=ip:10m rate=5r/s;

    # SSL
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
    ssl_session_tickets off;

    # intermediate configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # OCSP Stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 1.1.1.1 1.0.0.1 valid=60s ipv6=off;
    resolver_timeout 2s;

    ssl_dhparam dhparam.pem;

    # load configs
    include /etc/nginx/conf.d/*.conf;

    # admin interface
    server {
        listen 443 ssl http2;
        server_name myservername;

        # SSL
        ssl_certificate /etc/letsencrypt/live/myurl/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/myurl/privkey.pem;
        ssl_trusted_certificate /etc/letsencrypt/live/myurl/chain.pem;

        location / {
            proxy_pass https://admin;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Port $server_port;
            proxy_set_header X-Original-Scheme $scheme;
            proxy_cache_bypass $http_upgrade;
            proxy_redirect off;
            proxy_pass_request_headers on;
            proxy_max_temp_file_size 0;
            client_max_body_size 3m;
            client_body_buffer_size 128k;
            client_body_timeout 12;
            keepalive_timeout 15;
            send_timeout 10;
            proxy_connect_timeout 90;
            proxy_send_timeout 90;
            proxy_read_timeout 90;

            # some tries
            proxy_ssl_server_name on;
            proxy_ssl_ciphers DEFAULT;
            proxy_ssl_session_reuse off;
        }
    }
}

Could you please help me understand where I’m wrong?
Thank you very much.

Hey there,

Thanks for your question.

While your server is advertising TLS 1.3 support, it does not support any of the TLS 1.3 ciphers that Cloudflare supports.

To confirm this I took a look at the 502 errors for your domain, and the requested cipher by the clients that triggered the 502 errors is AEAD-AES128-GCM-SHA256, which is not configured on your nginx conf.

Does this issue happen if you disable TLS1.3 support, or add the TLS1.3 supported ciphers from this list?

Cipher Suites | Cloudflare Developer Docs

I look forward to hearing back on the results!

-Gabe


Hello,

sorry for the late reply.

I’ve just tested with TLS 1.2 with no success; same thing with 1.3 with the supported ciphers, the error is the same.

The URL of the proxy is name1.mydomain.it
The URL of the origin is name2.mydomain.it

They are two level-3 domains of the same level-2 domain, both with Let’s Encrypt SSL certificates.

I think that the error is given because the reverse proxy is not calling the hostname in the URL but the Cloudflare IP, so the SSL certificate fails:

*46 SSL_do_handshake() failed (SSL: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:SSL alert number 40) while SSL handshaking to upstream, client: myip, server: reversehostname, request: "GET / HTTP/1.1", upstream: "https://104.31.94.67:443/", host: "reversehostanme"
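The follow-up is on the right track. With `proxy_ssl_server_name on` and no `proxy_ssl_name`, nginx sends `$proxy_host` as the TLS SNI, and here `$proxy_host` is the literal upstream name `admin` from `proxy_pass https://admin`; the Cloudflare edge at 104.31.x.x has no certificate for that name and answers with handshake_failure (alert 40) before any cipher is negotiated. The reverse-proxy block below is an added example, not the thread's own configuration; it assumes the hostnames from the follow-up (name1.mydomain.it for the proxy, name2.mydomain.it for the origin) and Ubuntu's CA bundle path.

```nginx
# Added example (not the poster's config): the same upstream/location with
# the upstream TLS settings that the original block is missing.
upstream admin {
    # assumption: the origin hostname given in the follow-up
    server name2.mydomain.it:443;
}

server {
    listen 443 ssl http2;
    server_name name1.mydomain.it;

    # assumption: certificate paths follow the poster's letsencrypt layout
    ssl_certificate     /etc/letsencrypt/live/name1.mydomain.it/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/name1.mydomain.it/privkey.pem;

    location / {
        proxy_pass https://admin;
        proxy_http_version 1.1;
        proxy_set_header Connection "";

        # SNI: proxy_ssl_name defaults to $proxy_host ("admin"), which is what
        # Cloudflare rejected with alert 40. Send the origin's real hostname.
        proxy_ssl_server_name on;
        proxy_ssl_name name2.mydomain.it;

        # Cloudflare routes the request by Host header, so it must name the
        # origin, not the proxy itself ($host would be name1.mydomain.it).
        proxy_set_header Host name2.mydomain.it;

        # Verify the edge certificate instead of accepting any certificate
        # presented by the Cloudflare IP (assumption: Ubuntu CA bundle path).
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
        proxy_ssl_protocols TLSv1.2 TLSv1.3;

        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

To confirm the diagnosis from the reverse proxy host, compare `openssl s_client -connect 104.31.95.67:443 -servername admin` (should fail with alert 40) against the same command with `-servername name2.mydomain.it` (should complete the handshake and show the Cloudflare edge certificate).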