TCP SSL termination issue on Nginx - for JDBC client

vergil
Hi there,

I am exploring the features of Nginx and doing a POC with all the
possible use cases. If all goes well, probably there would be a huge
investment in Nginx to use it in our cloud-based architecture.

Currently exploring an option for TCP SSL termination on Nginx for an SSL
connection from a Java JDBC client. I am facing issues; any guidance would
speed up my POC and help me complete it.

I'm using nginx on Windows 10 and using the opensource version.

Error.log:
###################
2020/06/19 11:51:51 [debug] 12568#16420: timer delta: 17
2020/06/19 11:51:51 [debug] 12568#16420: posted event 03004310
2020/06/19 11:51:51 [debug] 12568#16420: *1 delete posted event 03004310
2020/06/19 11:51:51 [debug] 12568#16420: *1 SSL handshake handler: 0
2020/06/19 11:51:51 [debug] 12568#16420: *1 SSL_do_handshake: -1
2020/06/19 11:51:51 [debug] 12568#16420: *1 SSL_get_error: 5
2020/06/19 11:51:51 [info] 12568#16420: *1 peer closed connection in SSL handshake while SSL handshaking, client: 127.0.0.1, server: 0.0.0.0:1592
2020/06/19 11:51:51 [debug] 12568#16420: *1 finalize stream session: 500
2020/06/19 11:51:51 [debug] 12568#16420: *1 stream log handler
2020/06/19 11:51:51 [debug] 12568#16420: *1 close stream connection: 368
2020/06/19 11:51:51 [debug] 12568#16420: *1 event timer del: 368: 3409871779
2020/06/19 11:51:51 [debug] 12568#16420: *1 select del event fd:368 ev:768

Error from JDBC Client:
###################
.....
.....
trigger seeding of SecureRandom
done seeding SecureRandom
Using SSLEngineImpl.
SQL State: 08006
IO Error: The Network Adapter could not establish the connection

Java code:
###################
....
....
                String url =
                    "jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=localhost)(PORT=1592))(CONNECT_DATA=(SERVICE_NAME=xe)))";

                String user="sys as sysdba";
                String pwd="1234";

                Properties props = new Properties();
                props.setProperty("url", url);
                props.setProperty("user", user);
                props.setProperty("password", pwd);
                props.setProperty("oracle.net.ssl_cipher_suites",
                    "(TLS_DH_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256)");
.....
.....
           try (Connection conn=DriverManager.getConnection(url,props)) { //failing on this line of code
....
....

Nginx.conf:
###################

    upstream db_backend {
        server localhost:1521; #Local database server which is not SSL enabled.
    }

    server {
        listen        1592 ssl;
        listen [::]:1592 ssl;
        proxy_pass    db_backend;

        ssl_certificate       C:/Users/SivaPannier/Documents/Siva/IBM/Software/openSSL/ssl/certs/nginx-selfsigned.crt;
        ssl_certificate_key   C:/Users/SivaPannier/Documents/Siva/IBM/Software/openSSL/ssl/nginx-selfsigned.key;
        ssl_protocols         SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers           HIGH:!aNULL:!MD5;
        ssl_session_cache     shared:SSL:20m;
        ssl_session_timeout   4h;
        ssl_handshake_timeout 30s;
    }



Thanks,
Siva P

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,288400,288400#msg-288400

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx

Re: TCP SSL termination issue on Nginx - for JDBC client

vergil
Hi..
Can someone pls guide me on this?

Thanks..

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,288400,288425#msg-288425

RE: TCP SSL termination issue on Nginx - for JDBC client

Reinis Rozitis
I'm not very into Java but you might get more details if you add -Djavax.net.debug=SSL,handshake or -Djavax.net.debug=all

The current error is not very explanatory (at least to me) and from nginx side the client just closes connection.

You could test the nginx side with cipherscan https://github.com/mozilla/cipherscan (not sure if there is an alternative for windows, but maybe it's possible to run it in WSL) to see if the problem is with nginx or jdbc client.

Also I would try without the DHE ciphers (and widen the available ones, e.g. add TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA).

rr
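
The point made in the reply above, that nginx only sees the client closing the connection, can be read off the debug log mechanically. The following is an added example, not part of the thread: a small Python triage of nginx stream debug lines, where the sample is constructed from the error.log excerpt in the first post and the names `unwrap` and `triage` are hypothetical.

```python
import re
from collections import defaultdict

# OpenSSL SSL_get_error() return values.
SSL_ERRORS = {0: "SSL_ERROR_NONE", 1: "SSL_ERROR_SSL", 2: "SSL_ERROR_WANT_READ",
              3: "SSL_ERROR_WANT_WRITE", 4: "SSL_ERROR_WANT_X509_LOOKUP",
              5: "SSL_ERROR_SYSCALL", 6: "SSL_ERROR_ZERO_RETURN"}

# Constructed sample: lines taken from the error.log in the first post,
# including the record that the mail client wrapped onto two lines.
SAMPLE_LOG = """\
2020/06/19 11:51:51 [debug] 12568#16420: *1 SSL handshake handler: 0
2020/06/19 11:51:51 [debug] 12568#16420: *1 SSL_do_handshake: -1
2020/06/19 11:51:51 [debug] 12568#16420: *1 SSL_get_error: 5
2020/06/19 11:51:51 [info] 12568#16420: *1 peer closed connection in SSL
handshake while SSL handshaking, client: 127.0.0.1, server: 0.0.0.0:1592
2020/06/19 11:51:51 [debug] 12568#16420: *1 finalize stream session: 500
"""

LINE = re.compile(r"^\d{4}/\d\d/\d\d \d\d:\d\d:\d\d \[(\w+)\] \d+#\d+: (?:\*(\d+) )?(.*)$")

def unwrap(text):
    """Rejoin wrapped records: a line without a timestamp continues the previous one."""
    records = []
    for raw in filter(str.strip, text.splitlines()):
        if LINE.match(raw) or not records:
            records.append(raw)
        else:
            records[-1] += " " + raw.strip()
    return records

def triage(text):
    """Return {connection id: summary} for connections whose TLS handshake failed."""
    conns = defaultdict(dict)
    for rec in unwrap(text):
        m = LINE.match(rec)
        if not m or m.group(2) is None:   # skip lines not tied to a connection
            continue
        cid, msg = int(m.group(2)), m.group(3)
        if (e := re.match(r"SSL_get_error: (\d+)", msg)):
            conns[cid]["ssl_error"] = SSL_ERRORS.get(int(e.group(1)), "unknown")
        elif "while SSL handshaking" in msg:
            conns[cid]["reason"] = msg.split(" while SSL handshaking")[0]
            c = re.search(r"client: ([^,\s]+)", msg)
            conns[cid]["client"] = c.group(1) if c else None
            conns[cid]["peer_closed"] = "peer closed" in msg
        elif (s := re.match(r"finalize stream session: (\d+)", msg)):
            conns[cid]["status"] = int(s.group(1))
    return {cid: c for cid, c in conns.items() if "reason" in c}
```

On the sample, connection 1 is reported with `SSL_ERROR_SYSCALL` and `peer_closed` set, which is why the next diagnostic step belongs on the client side (for example the `-Djavax.net.debug` output) rather than in the nginx configuration.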

Re: RE: TCP SSL termination issue on Nginx - for JDBC client

vergil
Thanks a lot rr! for your suggestions.. my problem was solved..

I added the cipher suites as the one you gave..

props.setProperty("oracle.net.ssl_cipher_suites",
"(TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA)");


Also imported the server certificate to 'cacerts' with the below command and
it worked after that.. :)

keytool -import -alias localhost -file C:/Users//openSSL/ssl/certs/nginx-selfsigned.crt -storetype JKS -keystore cacerts

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,288400,288437#msg-288437
