SSL_read error on multiple simultaneous upstream SSL downloads

Maxim Dounin mdounin at mdounin.ru
Fri Oct 18 19:06:05 UTC 2013


Hello!

On Fri, Oct 18, 2013 at 06:01:14PM +0000, Agent Coulson wrote:

> I am able to reproduce the following error when I have nginx configured
> with an upstream https connection.  I have tweaked various settings all to
> no avail (proxy_buffer_size, proxy_buffers, proxy_ssl_session_reuse).
> 
> 2013/10/18 17:17:31 [debug] 15644#0: *39 SSL_read: -1, SSL_pending: 16384
> 2013/10/18 17:17:31 [debug] 15644#0: *39 SSL_get_error: 1
> 2013/10/18 17:17:31 [error] 15644#0: *39 SSL_read() failed (SSL:
> error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record
> mac) while sending to client, client: 127.0.0.1, server: -, request: "GET
> /test-1 HTTP/1.1", upstream: "https://x.x.x.x:443/test-1", host:
> "localhost:1182"

I tend to think it's highly unlikely it's a problem in nginx.  
Most likely, it's a problem either in OpenSSL library used on 
nginx side, or in SSL implementation used on a backend.

First thing I would recommend to test is to make sure you are able 
to reproduce the problem:

1. Using nginx statically compiled with a known version of the 
OpenSSL library (--with-openssl=..., with sources from 
openssl.org).

2. Using the same nginx as a backend.

[...]

> I've seen a bug report on this too (http://trac.nginx.org/nginx/ticket/215),
> so thought I would send this here to see if anyone else is actively working
> on the issue.

As of now, no one provided enough steps to reproduce the problem.  
And, see above, most likely the problem is not in nginx.

-- 
Maxim Dounin
http://nginx.org/en/donation.html
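
A minimal test setup for the two steps suggested in the reply above, added here as an illustration and not taken from the thread: one nginx binary, built statically against a known OpenSSL source tree, acts as both the HTTPS backend and the proxy in front of it. The backend port 8443 and all /path/to/... values are placeholders; port 1182 matches the Host header in the quoted log.

```nginx
# Added example (not from the original message). Build step, run from the
# nginx source tree; the OpenSSL path is a placeholder for an unpacked
# source tree from openssl.org:
#
#   ./configure --with-debug --with-http_ssl_module \
#               --with-openssl=/path/to/openssl-src
#   make
#
# "nginx -V" on the resulting binary shows the configure arguments and the
# OpenSSL version it was built with.

worker_processes 1;

# The debug level needs a binary built with --with-debug; it produces the
# SSL_read / SSL_get_error lines of the kind quoted in the report.
error_log logs/error.log debug;

events {
    worker_connections 1024;
}

http {
    # Step 2: the same nginx binary serves as the HTTPS backend.
    server {
        listen 127.0.0.1:8443 ssl;

        # Placeholder test certificate and key.
        ssl_certificate     /path/to/test.crt;
        ssl_certificate_key /path/to/test.key;

        location / {
            # Placeholder directory holding the files to download.
            root /path/to/testfiles;
        }
    }

    # Front end: plain HTTP in, HTTPS to the backend above.
    server {
        listen 127.0.0.1:1182;

        location / {
            proxy_pass https://127.0.0.1:8443;
        }
    }
}
```

If the error no longer appears with this setup, the difference lies in the OpenSSL build or in the original backend's SSL implementation, which is the distinction the two steps are meant to draw.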


