hi all,
I recently ran into a problem with an nginx+ssl service that uses Chun's lua-nginx-module-ssl-cert-by-lua module. The certificate and private key are both saved periodically via a JSON file and dynamically updated into nginx's shared dict.
There was no problem in my sandbox or on the test platform, but after moving to the production environment, whenever I connect to the server with openssl s_client -host 127.0.0.1 -port 7443 -servername www.myserver.com -status, the following alert always appears:
loggingHost:my-test-host 2016/02/17 15:33:40 [alert] 17012#0: *1295279058 ignoring stale global SSL error (SSL: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt error:06065064:digital envelope ro:: ) while SSL handshaking, client: 127.0.0.1, server: 0.0.0.0:7443
loggingHost:my-test-host 2016/02/17 15:34:08 [alert] 17012#0: *1295279058 ignoring stale global SSL error (SSL: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt) while waiting for request, client: 127.0.0.1, server: 0.0.0.0:7443
Despite this warning, openssl s_client still returns correctly, i.e. the handshake succeeds. Accessing it with a browser also returns correctly. I have been googling for the past two days; on the forums most people suspect that the private key file and certificate file do not match, but I have already verified with openssl and ruled that out. Another suggestion is that when the openssl library reads the private key file it habitually tries to decrypt it (private key files are usually stored encrypted), and if it is not encrypted this warning appears? I don't quite understand this.
Asking the people in the group: has anyone run into a similar problem? Is an alert like this serious, and could it hide a major problem? Thanks
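For reference, here is how a dynamic-certificate handler of the kind described above can be written so that every step reports its own failure instead of leaving OpenSSL errors to surface later as "stale global SSL error" alerts. This is an added example, not the poster's code and not part of the module itself. It assumes a `lua_shared_dict cert_cache 10m;` directive and that the JSON updater stores the PEM strings under the keys `<server_name>:cert` and `<server_name>:key`; both are assumptions. It also rejects a passphrase-protected key up front: lua-resty-core's `priv_key_pem_to_der` supplies no passphrase to OpenSSL, so such a key cannot be loaded that way, and an explicit log line is easier to act on than an OpenSSL error string.

```lua
-- ssl_certificate_by_lua_block handler (added example; assumes the
-- `cert_cache` shared dict and the "<name>:cert" / "<name>:key" layout).
local ssl = require "ngx.ssl"

local cache = ngx.shared.cert_cache

-- Detect PEM that OpenSSL would have to decrypt. Both the PKCS#8 form
-- ("BEGIN ENCRYPTED PRIVATE KEY") and the legacy "Proc-Type: 4,ENCRYPTED"
-- header mean a passphrase is needed, which this handler cannot provide.
local function pem_is_encrypted(pem)
    return pem:find("BEGIN ENCRYPTED PRIVATE KEY", 1, true) ~= nil
        or pem:find("Proc-Type: 4,ENCRYPTED", 1, true) ~= nil
end

-- Without SNI there is nothing to look up; keep the statically configured
-- ssl_certificate / ssl_certificate_key by returning early.
local name, err = ssl.server_name()
if not name then
    ngx.log(ngx.INFO, "no SNI server name, using static certificate: ", err)
    return
end

local cert_pem = cache:get(name .. ":cert")
local key_pem  = cache:get(name .. ":key")
if not cert_pem or not key_pem then
    ngx.log(ngx.ERR, "no certificate/key in shared dict for ", name)
    return ngx.exit(ngx.ERROR)   -- aborts the handshake
end

if pem_is_encrypted(key_pem) then
    ngx.log(ngx.ERR, "private key for ", name,
            " is passphrase-protected; store it unencrypted in the JSON feed")
    return ngx.exit(ngx.ERROR)
end

-- Remove the static certificate so only the dynamic one is presented.
local ok, err = ssl.clear_certs()
if not ok then
    ngx.log(ngx.ERR, "failed to clear existing certificates: ", err)
    return ngx.exit(ngx.ERROR)
end

-- Each conversion returns (der, err) rather than throwing, so every
-- return value is checked and logged with the server name it belongs to.
local cert_der, err = ssl.cert_pem_to_der(cert_pem)
if not cert_der then
    ngx.log(ngx.ERR, "certificate PEM->DER failed for ", name, ": ", err)
    return ngx.exit(ngx.ERROR)
end

local key_der, err = ssl.priv_key_pem_to_der(key_pem)
if not key_der then
    ngx.log(ngx.ERR, "private key PEM->DER failed for ", name, ": ", err)
    return ngx.exit(ngx.ERROR)
end

ok, err = ssl.set_der_cert(cert_der)
if not ok then
    ngx.log(ngx.ERR, "failed to set DER certificate for ", name, ": ", err)
    return ngx.exit(ngx.ERROR)
end

ok, err = ssl.set_der_priv_key(key_der)
if not ok then
    ngx.log(ngx.ERR, "failed to set DER private key for ", name, ": ", err)
    return ngx.exit(ngx.ERROR)
end
```

Checking each `ngx.ssl` return value and logging the server name alongside it turns an opaque handshake-time alert into a per-host error in the nginx error log, which is the first thing to look at when a production host behaves differently from a sandbox that loads the same code.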