SSL_do_handshake errors with nginx and haproxy
Posted on 26 September 2012
A short post about a problem we were having.
If you are load balancing HTTPS traffic with HAProxy in TCP mode, with nginx in front of it, and you get 502 errors accompanied by these SSL errors in nginx’s error log:
SSL_do_handshake() failed (SSL: error:1408C095:SSL routines:SSL3_GET_FINISHED:digest check failed)
then you need to turn off the proxy_ssl_session_reuse option:
proxy_ssl_session_reuse off;
By default, nginx tries to reuse SSL sessions for an HTTPS upstream. But when HAProxy is round-robining the TCP connections between different backends, the SSL session will not be valid from one TCP connection to the next.
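To check that the 502s really come from the nginx-to-HAProxy leg, and that they stop once the option is off, the following added example (not part of the original post) counts "digest check failed" handshake errors per upstream in nginx error-log text. The sample log lines, addresses and host names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in nginx's error_log format (addresses and hosts are made up).
SAMPLE_LOG = """\
2012/09/26 10:15:32 [error] 1234#0: *101 SSL_do_handshake() failed (SSL: error:1408C095:SSL routines:SSL3_GET_FINISHED:digest check failed) while SSL handshaking to upstream, client: 192.0.2.10, server: www.example.test, request: "GET / HTTP/1.1", upstream: "https://10.0.0.5:443/", host: "www.example.test"
2012/09/26 10:15:33 [error] 1234#0: *102 SSL_do_handshake() failed (SSL: error:1408C095:SSL routines:SSL3_GET_FINISHED:digest check failed) while SSL handshaking to upstream, client: 192.0.2.11, server: www.example.test, request: "GET /a HTTP/1.1", upstream: "https://10.0.0.5:443/a", host: "www.example.test"
2012/09/26 10:15:40 [info] 1234#0: *103 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number) while SSL handshaking, client: 192.0.2.12, server: 0.0.0.0:443
2012/09/26 10:16:01 [error] 1234#0: *104 connect() failed (111: Connection refused) while connecting to upstream, client: 192.0.2.10, server: www.example.test, request: "GET / HTTP/1.1", upstream: "https://10.0.0.5:443/", host: "www.example.test"
"""

# "while SSL handshaking to upstream" marks the proxy-side handshake;
# plain "while SSL handshaking" is the browser-facing side and is unrelated here.
HANDSHAKE = re.compile(
    r"SSL_do_handshake\(\) failed \(SSL: (?P<err>[^)]*)\) "
    r"while SSL handshaking(?P<to_upstream> to upstream)?"
)
UPSTREAM = re.compile(r'upstream: "\w+://(?P<peer>[^/"]+)')


def upstream_digest_failures(log_text):
    """Count 'digest check failed' upstream handshake errors per upstream peer."""
    counts = Counter()
    for line in log_text.splitlines():
        m = HANDSHAKE.search(line)
        if not m or not m.group("to_upstream"):
            continue  # not a handshake error, or it was the client-facing handshake
        if not m.group("err").endswith("digest check failed"):
            continue  # some other handshake failure
        peer = UPSTREAM.search(line)
        counts[peer.group("peer") if peer else "unknown"] += 1
    return counts


if __name__ == "__main__":
    for peer, n in upstream_digest_failures(SAMPLE_LOG).items():
        print(f"{peer}: {n} digest-check failures while handshaking to upstream")
```

Run it over the error log before and after reloading nginx with the option off; the count for the HAProxy address should stop growing.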
UPDATE: @zaargy points out that the development branch of HAProxy has HTTPS support. Awesome!