SSL_shutdown() return value <0

Jan Prachař jan.prachar at gmail.com
Wed Jan 2 19:17:46 UTC 2019


Hello! Thanks for the detailed explanation of ignoring
SSL_ERROR_WANT_READ and SSL_ERROR_WANT_WRITE in ngx_ssl_shutdown.

On Tue, 2018-12-11 at 16:33 +0300, Maxim Dounin wrote:
> Hello!
> 
> On Mon, Dec 10, 2018 at 09:46:28PM +0100, Jan Prachař wrote:
> > I have also tried to change the condition to just n < 0, and came
> > to
> > another issue. If client closes connection prematurely, there is
> > usually SSL_write, that has failed with error WANT_WRITE. If then
> > the
> > SSL_shutdown is called repeatedly, it causes OpenSSL error (SSL:
> > error:1409F07F:SSL routines:ssl3_write_pending:bad write retry),
> > because pending SSL_write should have been called first.
> 
> In many places we try to avoid doing actual SSL shutdown if we 
> know there was an error and/or we know the connection was already 
> closed, by using c->ssl->no_send_shutdown flag.  Existing cases 
> might not be enough though.

I have given some time to debug the issue and I have found that in this
case nginx closes the connection inside read event handler
ngx_http_test_reading(). As you advised, I added

+ #if (NGX_HTTP_SSL)
+         if (c->ssl) {
+             c->ssl->no_send_shutdown = 1;
+         }
+ #endif
+
    ngx_http_finalize_request(r, NGX_HTTP_CLIENT_CLOSED_REQUEST);
}
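
Review bot: the added block sets c->ssl->no_send_shutdown right before ngx_http_finalize_request(r, NGX_HTTP_CLIENT_CLOSED_REQUEST) with no comment saying why. Someone reading ngx_http_test_reading() on its own cannot tell that the flag is there to keep SSL_shutdown() from being attempted while an SSL_write that failed with WANT_WRITE is still pending, which is what produces the "bad write retry" error discussed in this thread. A one-line comment above the `#if (NGX_HTTP_SSL)` saying that the client has already closed the connection, so no shutdown is sent, would cover it. Since the flag is set unconditionally and only the tail of the function is visible here, please also confirm that every path reaching this finalize call really means the peer is gone, and state whether other callers that finalize with a pending write need the same treatment, given the remark above that existing cases might not be enough.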

just before the last line in the function, and then all errors

SSL: error:1409F07F:SSL routines:ssl3_write_pending:bad write retry

disappear.

-- Jan Prachař


