I checked, but no, there is no return or rewrite in the NGINX configuration.
Sorry, but I used http instead of https, so the last test was useless.
Another go ... now the curl picture is as follows: the tracefiles of
CURL doing ...
curl https://my-server.my-domain:55094/beehive/redirect/secure-mx --tlsv1.0 --stderr curl-err.txt --output curl-out.txt --trace curl-trace.txt
... look quite similar (we know that Oracle 10.1.3 will only speak
TLSV1.0), and I don't see any TLS negotiation issues ... strange!
It must be the special combination:
curl <-> nginx <-> OHS
appears to work (although fetching the single page via curl is a very
limited test), and
OBEO <-> nginx <-> OHS
will fail (OBEO are the Outlook extensions to work with the beehive
server).
I can see that OBEO sends a quite restricted choice of Cipher Suites
when doing the "Client hello":
Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Cipher Suite: TLS_RSA_WITH_DES_CBC_SHA (0x0009)
Cipher Suite: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA (0x0064)
Cipher Suite: TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA (0x0062)
Cipher Suite: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x0003)
Cipher Suite: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x0006)
Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
Cipher Suite: TLS_DHE_DSS_WITH_DES_CBC_SHA (0x0012)
Cipher Suite: TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA (0x0063)
without NGINX, OHS will, according to Server hello, choose
Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
with NGINX, the Server hello of NGINX indicates
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
and further on, the OHS communication with NGINX will settle on
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
It is still my suspicion that the handover to the above-mentioned ombd
causes the failure when NGINX is in the chain, resulting in the debug
message ...
SSL: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
... that I cited above.
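
Added example, not part of the original post: a small Python check that parses the Client hello list quoted above and filters it against a server policy, to show which of OBEO's offered suites a hardened TLS front end could still pick. The policy (no EXPORT, RC4, RC2, single DES or MD5, and an RSA server key) is an assumption for illustration, not the poster's NGINX configuration.

```python
import re

# ClientHello cipher list as quoted in the post (Wireshark text form).
CLIENT_HELLO = """\
Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Cipher Suite: TLS_RSA_WITH_DES_CBC_SHA (0x0009)
Cipher Suite: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA (0x0064)
Cipher Suite: TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA (0x0062)
Cipher Suite: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x0003)
Cipher Suite: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x0006)
Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
Cipher Suite: TLS_DHE_DSS_WITH_DES_CBC_SHA (0x0012)
Cipher Suite: TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA (0x0063)
"""

LINE_RE = re.compile(r"Cipher Suite:\s+(TLS_\w+)\s+\((0x[0-9a-fA-F]{4})\)")

# Assumed server policy (hypothetical, not taken from the post).
REJECTED_TOKENS = {"EXPORT", "EXPORT1024", "RC4", "RC2", "DES", "MD5"}


def parse_offer(text):
    """Return [(suite_name, code)] in the order the client offered them."""
    return [(name, int(code, 16)) for name, code in LINE_RE.findall(text)]


def rejection_reasons(name, server_key="RSA"):
    """List why the assumed policy refuses a suite; empty list means usable."""
    kx_auth, _, bulk_mac = name[len("TLS_"):].partition("_WITH_")
    kx_tokens = set(kx_auth.split("_"))
    tokens = kx_tokens | set(bulk_mac.split("_"))
    reasons = sorted(tokens & REJECTED_TOKENS)
    # A suite authenticated with DSS (or RSA) needs a matching server key.
    for auth in ("RSA", "DSS"):
        if auth in kx_tokens and auth != server_key:
            reasons.append("needs %s server key" % auth)
    return reasons


def acceptable(text, server_key="RSA"):
    """Suites from the offer that survive the assumed policy."""
    return [(n, c) for n, c in parse_offer(text)
            if not rejection_reasons(n, server_key)]


if __name__ == "__main__":
    for name, code in parse_offer(CLIENT_HELLO):
        why = rejection_reasons(name)
        print("0x%04x %-42s %s" % (code, name, ", ".join(why) or "OK"))
```

Under that assumed policy the only suite left from the offer is TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a), the same suite the NGINX Server hello shows in the capture.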