[openssl-dev] [openssl.org #4658] bug: Abort() in 1.0.2h parsing server cert in ASN.1 routine
Quanah Gibson-Mount
quanah at zimbra.com
Thu Sep 1 20:58:00 UTC 2016
--On Wednesday, August 24, 2016 5:47 PM -0700 Quanah Gibson-Mount
<quanah at zimbra.com> wrote:
>> this is clearly a TLS client-side stack trace. Why is nginx acting
>> as an SSL/TLS client?
>
> It's a proxy server... so it's proxying between the client connecting to
> nginx on the IMAPS port and the jetty server on the other side.
>
> so:
>
> end user <-> nginx:143 <-> jetty:7143
>
> The issue only happens when proxying IMAP on port 143 with startTLS or
> 993 (IMAPS). It does not occur on POP w/ starttls or web traffic (443).
> It also is only happening with this one particular client, as we have
> numerous customers (and our own setup) not experiencing this issue.
>
> I'll have them supply what's in their keystore that Jetty's using as well.

Note, when this happens, the nginx log shows:

2016/08/22 03:12:10 [info] 530#0: *3326370 SSL_do_handshake() failed (SSL:
error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate
unknown:SSL alert number 46) w
*** Error in `nginx: worker process': free(): invalid size:
0x00000000010cf560 ***

The CA certs in play are the same for both the jetty process being proxied
to, and what nginx is using. I see nothing unusual about the server cert
on the jetty side.

Is there any more info I can provide?

--Quanah
--
Quanah Gibson-Mount