<div dir="ltr"><div><div><div>I am able to reproduce the following error when I have nginx configured with an upstream https connection. I have tweaked various settings all to no avail (proxy_buffer_size, proxy_buffers, proxy_ssl_session_reuse).<br>
<br>2013/10/18 17:17:31 [debug] 15644#0: *39 SSL_read: -1, SSL_pending: 16384<br>2013/10/18 17:17:31 [debug] 15644#0: *39 SSL_get_error: 1<br>2013/10/18 17:17:31 [error] 15644#0: *39 SSL_read() failed (SSL: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while sending to client, client: 127.0.0.1, server: -, request: "GET /test-1 HTTP/1.1", upstream: "<a href="https://x.x.x.x:443/test-1">https://x.x.x.x:443/test-1</a>", host: "localhost:1182"<br>
<br></div>I've applied the following patch to log the SSL_pending bytes after an SSL_read.<br><br>--- dist/nginx-1.4.3/src/event/ngx_event_openssl.c 2013-10-08 12:07:14.000000000 +0000<br>+++ new/nginx-1.4.3/src/event/ngx_event_openssl.c 2013-10-18 17:37:15.059940303 +0000<br>
@@ -952,7 +952,9 @@ ngx_ssl_recv(ngx_connection_t *c, u_char<br> <br> n = SSL_read(c->ssl->connection, buf, size);<br> <br>- ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_read: %d", n);<br>
+ ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,<br>+ "SSL_read: %d, SSL_pending: %d",<br>+ n, SSL_pending(c->ssl->connection));<br> <br> if (n > 0) {<br>
bytes += n;<br><br></div><div>I've seen a bug report on this too (<a href="http://trac.nginx.org/nginx/ticket/215">http://trac.nginx.org/nginx/ticket/215</a>), so thought I would send this here to see if anyone else is actively working on the issue.<br>
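Review bot: in the added ngx_log_debug2() call, SSL_pending(c->ssl->connection) is evaluated between SSL_read() and the error handling that follows, and the debug log above shows "SSL_get_error: 1" being logged after this line, so an OpenSSL call now sits between the I/O call and SSL_get_error(). OpenSSL's SSL_get_error() documentation asks that no other OpenSSL function be called in between. For a diagnostic patch this is unlikely to change the outcome, but it would be cleaner to keep the original one-argument "SSL_read: %d" line here and log the pending count in the error path after SSL_get_error() has been called. A short comment marking the extra field as temporary debugging instrumentation would also help anyone who picks the patch up.<br>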
<br></div><div>Here are my configure settings:<br><br>./configure --prefix=/var/nginx --with-debug --with-http_ssl_module --without-http_auth_basic_module --without-http_autoindex_module --without-http_browser_module --without-http-cache --without-http_charset_module --without-http_empty_gif_module --without-http_fastcgi_module --without-http_geo_module --without-http_gzip_module --without-http_limit_conn_module --without-http_map_module --without-http_memcached_module --without-http_referer_module --without-http_rewrite_module --without-http_scgi_module --without-http_split_clients_module --without-http_ssi_module --without-http_upstream_ip_hash_module --without-http_userid_module --without-http_uwsgi_module --without-mail_imap_module --without-mail_pop3_module --without-mail_smtp_module<br>
<br></div><div>Here is my configuration:<br><p>
### Begin nginx.conf ###<br>
</p>
<p>
worker_processes 1;<br>
</p>
<p>
error_log logs/error.log debug;<br>
</p>
<p>
pid logs/nginx.pid;<br>
</p>
<p>
events {<br>
</p>
<blockquote>
<p>
worker_connections 1024;<br>
</p>
</blockquote>
<p>
}<br>
</p>
<p>
http {<br>
</p>
<blockquote>
<p>
include mime.types;<br>
default_type application/octet-stream;<br>
</p>
</blockquote>
<blockquote>
<p>
access_log logs/access.log;<br>
</p>
</blockquote>
<blockquote>
<p>
keepalive_timeout 60;<br>
</p>
</blockquote>
<blockquote>
<p>
upstream http {<br>
</p>
<blockquote>
<p>
server upstream.srv:443;<br>
keepalive 512;<br>
</p>
</blockquote>
<p>
}<br>
</p>
</blockquote>
<blockquote>
<p>
server {<br>
</p>
<blockquote>
<p>
listen 1182 default_server;<br>
</p>
</blockquote>
</blockquote>
<blockquote>
<blockquote>
<p>
server_name -;<br>
</p>
</blockquote>
</blockquote>
<blockquote>
<blockquote>
<p>
ssl_protocols SSLv3 TLSv1;<br>
ssl_ciphers RC4:HIGH:!aNULL:!MD5;<br>
ssl_prefer_server_ciphers on;<br>
</p>
</blockquote>
</blockquote>
<blockquote>
<blockquote>
<p>
location / {<br>
</p>
<blockquote>
<p>
proxy_pass https://http;<br>
</p>
</blockquote>
</blockquote>
</blockquote>
<blockquote>
<blockquote>
<blockquote>
<p>
proxy_redirect off;<br>
proxy_read_timeout 10s;<br>
proxy_connect_timeout 6s;<br>
</p>
</blockquote>
</blockquote>
</blockquote>
<p>
<br>
</p>
<blockquote>
<blockquote>
<blockquote>
<p>
proxy_buffering off;<br>
proxy_buffer_size 64k;<br>
proxy_buffers 6 16k;<br>
proxy_busy_buffers_size 80k;<br>
</p>
</blockquote>
</blockquote>
</blockquote>
<blockquote>
<blockquote>
<blockquote>
<p>
proxy_pass_header Server;<br>
proxy_pass_header Date;<br>
proxy_pass_header X-Pad;<br>
</p>
</blockquote>
</blockquote>
</blockquote>
<blockquote>
<blockquote>
<blockquote>
<p>
proxy_set_header Connection "Keep-Alive";<br>
proxy_set_header Host "upstream.srv";<br>
</p>
</blockquote>
<p>
}<br>
</p>
</blockquote>
<p>
}<br>
</p>
</blockquote>
<p>
}<br>
</p>
### End nginx.conf ###<br></div></div></div>