Nginx - SSL handshake error when connecting to upstream with self signed certificate

Tags: nginx, ssl

I am trying to proxy an old server running with a self-signed certificate.

Simple nginx conf:

server {
    listen 8009;
    location / {
        proxy_ssl_verify off;
        proxy_ssl_session_reuse off;
        proxy_pass https://192.168.10.20:8009/;
    }
}

I get an SSL handshake error in the nginx log:

2018/05/02 11:31:39 [crit] 3500#2284: *1 SSL_do_handshake() failed (SSL: error:14082174:SSL routines:ssl3_check_cert_and_algorithm:dh key too small) while SSL handshaking to upstream, client: 127.0.0.1, server: , request: "GET /ping HTTP/1.1", upstream: "https://192.168.10.20:8009/ping", host: "localhost:8009"

I was hoping that adding "proxy_ssl_verify off;" would ignore all the SSL errors, but it does not seem to.

Venkatesh Nannan asked Aug 31 '25 02:08


1 Answer

ssl3_check_cert_and_algorithm:dh key too small

The problem is that the old server is providing a DH key which is considered insecure (Logjam attack). This has nothing to do with certificate validation, and thus trying to disable certificate validation will not help (and is a bad idea anyway).

Instead, this problem needs to be fixed on the server side by providing stronger DH parameters. Alternatively, one might try to force nginx not to use DH ciphers in the first place by using the proxy_ssl_ciphers parameter. Which ciphers can be chosen there depends on what the old server supports, but you might try something like HIGH:!DH as the argument, which allows nginx to offer all strong ciphers except the DH ciphers.

Steffen Ullrich answered Sep 02 '25 23:09
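Before changing proxy_ssl_ciphers it helps to confirm what ephemeral DH key the upstream actually negotiates. The following is an added example, not code from the question or the answer above: a small POSIX sh helper that classifies the "Server Temp Key:" line printed by `openssl s_client` (the upstream address is the placeholder from the question, and the sample outputs are constructed).

```shell
# Classify the ephemeral DH key an upstream negotiates, from the
# "Server Temp Key:" line that `openssl s_client` prints after the handshake.
# Prints "weak" (DH below 2048 bits, the post-Logjam guidance and the kind of
# key that trips OpenSSL's "dh key too small" check), "ok" (DH >= 2048 bits)
# or "none" (no DH key exchange negotiated: ECDHE, RSA key exchange, or a
# failed handshake). Reads the s_client output on stdin.
dh_key_status() {
  bits=$(sed -n 's/^Server Temp Key: DH, \([0-9]*\) bits$/\1/p' | head -n 1)
  if [ -z "$bits" ]; then
    echo none
  elif [ "$bits" -lt 2048 ]; then
    echo weak
  else
    echo ok
  fi
}

# Live check against the upstream from the question (placeholder address,
# needs network). Restricting to DH suites with -cipher 'DH' forces the server
# to show its DH parameters even if it would otherwise prefer ECDHE:
#   openssl s_client -connect 192.168.10.20:8009 -cipher 'DH' </dev/null 2>/dev/null | dh_key_status
# If the result is "weak", either regenerate the upstream's DH parameters
# (2048 bits or more) or, as the answer suggests, stop nginx from offering
# DH suites at all:   proxy_ssl_ciphers HIGH:!DH;

# Constructed s_client excerpts (not captured from a real host).
SAMPLE_WEAK='---
No client certificate CA names sent
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 1321 bytes and written 415 bytes'
SAMPLE_OK='Server Temp Key: DH, 2048 bits'
SAMPLE_ECDHE='Server Temp Key: ECDH, P-256, 256 bits'

# Run the classifier over an embedded sample instead of a live connection.
check_sample() {
  printf '%s\n' "$1" | dh_key_status
}
```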