2

Nginx is configured as load balancer and has a server certificate installed to terminater TLS handshake for MQTT connections. It works when TLS extensions are included in clientHello during the handshake but there are other clients running old code who don't send any TLS extensions in clientHello. In that case I found Nginx will throw errors as in

SSL_do_handshake() failed (SSL: error:14201044:SSL routines:tls_choose_sigalg:internal error) while SSL handshaking, client: x.x.x.107, server: 0.0.0.0:8883

Here is Wireshark capturing

clientHello without extensions

It looks to me Nginx is expecting at least the signature alorightms extension. My question is if possible Nginx can be configured to accept TLS handshake when client is not using extensions?

Nginx stream config is here (only show TLS related):

upstream brokers{
    server 127.0.0.1:18831;
    server 127.0.0.1:18832;
    server 127.0.0.1:18833;

    zone tcp_mem 64k;
    hash $mqtt_client_id consistent; 
}
server {
    listen 8883 ssl;  
    preread_buffer_size 1k;

    ssl_certificate /etc/nginx/certs/server.pem;
    ssl_certificate_key /etc/nginx/certs/server.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_session_cache shared:SSL:128m;  
    ssl_session_tickets on;
    ssl_session_timeout 8h;
    ssl_verify_client off;
    ssl_prefer_server_ciphers off;    
 
    proxy_pass  brokers;
    proxy_connect_timeout 5s;
    access_log /var/log/nginx/mqtt_access.log mqtt;
    error_log /var/log/nginx/mqtt_error.log debug;  
}

Here is the wireshark captureing when clients send extensions in clientHello:

clienHello include extensions

Paul
  • 2,755
  • 6
  • 24
  • 35
Z Wang
  • 21
  • 1
  • 2
  • It turned out the openssl default security level prohibits RSA keys less 2048 bits in the ciphers. After adjusting the security level, the problem is resolved. – Z Wang Jan 23 '22 at 05:45

0 Answers0