
<div dir="ltr"><div><div><div>I am able to reproduce the following error when I have nginx configured with an upstream https connection.  I have tweaked various settings all to no avail (proxy_buffer_size, proxy_buffers, proxy_ssl_session_reuse).<br>

<br>2013/10/18 17:17:31 [debug] 15644#0: *39 SSL_read: -1, SSL_pending: 16384<br>2013/10/18 17:17:31 [debug] 15644#0: *39 SSL_get_error: 1<br>2013/10/18 17:17:31 [error] 15644#0: *39 SSL_read() failed (SSL: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while sending to client, client: 127.0.0.1, server: -, request: "GET /test-1 HTTP/1.1", upstream: "<a href="https://x.x.x.x:443/test-1">https://x.x.x.x:443/test-1</a>", host: "localhost:1182"<br>

<br></div>I've applied the following patch to log the SSL_pending bytes after an SSL_read.<br><br>--- dist/nginx-1.4.3/src/event/ngx_event_openssl.c      2013-10-08 12:07:14.000000000 +0000<br>+++ new/nginx-1.4.3/src/event/ngx_event_openssl.c       2013-10-18 17:37:15.059940303 +0000<br>

@@ -952,7 +952,9 @@ ngx_ssl_recv(ngx_connection_t *c, u_char<br> <br>         n = SSL_read(c->ssl->connection, buf, size);<br> <br>-        ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_read: %d", n);<br>

+        ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,<br>+                       "SSL_read: %d, SSL_pending: %d",<br>+                       n, SSL_pending(c->ssl->connection));<br> <br>         if (n > 0) {<br>

             bytes += n;<br><br></div><div>I've seen a bug report on this too (<a href="http://trac.nginx.org/nginx/ticket/215">http://trac.nginx.org/nginx/ticket/215</a>), so thought i would send this here to see if anyone else is actively working on the issue.<br>

<br></div><div>Here are my configure settings:<br><br>./configure --prefix=/var/nginx --with-debug --with-http_ssl_module --without-http_auth_basic_module --without-http_autoindex_module --without-http_browser_module --without-http-cache --without-http_charset_module --without-http_empty_gif_module --without-http_fastcgi_module --without-http_geo_module --without-http_gzip_module --without-http_limit_conn_module --without-http_map_module --without-http_memcached_module --without-http_referer_module --without-http_rewrite_module --without-http_scgi_module --without-http_split_clients_module --without-http_ssi_module --without-http_upstream_ip_hash_module --without-http_userid_module --without-http_uwsgi_module --without-mail_imap_module --without-mail_pop3_module --without-mail_smtp_module<br>

<br></div><div>Here is my configuration:<br><p>

### Begin nginx.conf ###<br>

</p>

<p>

worker_processes  1;<br>

</p>

<p>

error_log  logs/error.log debug;<br>

</p>

<p>

pid        logs/nginx.pid;<br>

</p>

<p>

events {<br>

</p>

<blockquote>

<p>

worker_connections  1024;<br>

</p>

</blockquote>

<p>

}<br>

</p>

<p>

http {<br>

</p>

<blockquote>

<p>

include       mime.types;<br>

default_type  application/octet-stream;<br>

</p>

</blockquote>

<blockquote>

<p>

access_log  logs/access.log;<br>

</p>

</blockquote>

<blockquote>

<p>

keepalive_timeout  60;<br>

</p>

</blockquote>

<blockquote>

<p>

upstream http {<br>

</p>

<blockquote>

<p>

server upstream.srv:443;<br>

keepalive 512;<br>

</p>

</blockquote>

<p>

}<br>

</p>

</blockquote>

<blockquote>

<p>

server {<br>

</p>

<blockquote>

<p>

listen       1182 default_server;<br>

</p>

</blockquote>

</blockquote>

<blockquote>

<blockquote>

<p>

server_name  -;<br>

</p>

</blockquote>

</blockquote>

<blockquote>

<blockquote>

<p>

ssl_protocols SSLv3 TLSv1;<br>

ssl_ciphers RC4:HIGH:!aNULL:!MD5;<br>

ssl_prefer_server_ciphers on;<br>

</p>

</blockquote>

</blockquote>

<blockquote>

<blockquote>

<p>

location / {<br>

</p>

<blockquote>

<p>

proxy_pass <a class="" href="https://http"><span class=""></span>https://http</a>;<br>

</p>

</blockquote>

</blockquote>

</blockquote>

<blockquote>

<blockquote>

<blockquote>

<p>

proxy_redirect      off;<br>

proxy_read_timeout  10s;<br>

proxy_connect_timeout 6s;<br>

</p>

</blockquote>

</blockquote>

</blockquote>

<p>

           <br>

</p>

<blockquote>

<blockquote>

<blockquote>

<p>

proxy_buffering     off;<br>

proxy_buffer_size   64k;<br>

proxy_buffers       6 16k;<br>

proxy_busy_buffers_size 80k;<br>

</p>

</blockquote>

</blockquote>

</blockquote>

<blockquote>

<blockquote>

<blockquote>

<p>

proxy_pass_header   Server;<br>

proxy_pass_header   Date;<br>

proxy_pass_header   X-Pad;<br>

</p>

</blockquote>

</blockquote>

</blockquote>

<blockquote>

<blockquote>

<blockquote>

<p>

proxy_set_header    Connection "Keep-Alive";<br>

proxy_set_header    Host "upstream.srv";<br>

</p>

</blockquote>

<p>

}<br>

</p>

</blockquote>

<p>

}<br>

</p>

</blockquote>

<p>

}<br>

</p>


### End nginx.conf ###<br></div></div></div>