SSL_shutdown() failed (SSL:) while proxying
Igor Sysoev
is at rambler-co.ru
Tue Jan 22 19:00:31 MSK 2008
On Thu, Jan 17, 2008 at 07:41:49PM -0500, John Capo wrote:
> I am testing 0.5.35 as a replacement for my perdition IMAP/POP3
> proxies. I fed a bit of real traffic to nginx today and within a
> few seconds I see SSL_shutdown errors in the logs. Nothing in
> testing produced that error but it is 100% repeatable. It looks
> to me to be a bogus error message.
>
> FreeBSD 4.11 and openssl 0.9.8g.
>
> openssl s_client -connect localhost:995
> <SSL stuff snipped>
> +OK POP3 ready
> quit
> +OK
> closed
>
> 2008/01/17 19:08:51 [debug] 75716#0: *1 malloc: 080D4F00:256
> 2008/01/17 19:08:51 [debug] 75716#0: *1 pop3 auth state
> 2008/01/17 19:08:51 [debug] 75716#0: *1 SSL_read: 5
> 2008/01/17 19:08:51 [debug] 75716#0: *1 SSL_read: -1
> 2008/01/17 19:08:51 [debug] 75716#0: *1 SSL_get_error: 2
> 2008/01/17 19:08:51 [debug] 75716#0: *1 SSL to write: 5
> 2008/01/17 19:08:51 [debug] 75716#0: *1 SSL_write: 5
> 2008/01/17 19:08:51 [debug] 75716#0: *1 close mail connection: 12
> 2008/01/17 19:08:51 [debug] 75716#0: *1 SSL_shutdown: 0
> 2008/01/17 19:08:51 [debug] 75716#0: *1 SSL_get_error: 5
> 2008/01/17 19:08:51 [crit] 75716#0: *1 SSL_shutdown() failed (SSL:) while in auth state, client: 127.0.0.1, server: 127.0.0.1:995
>
> SSL_set_shutdown() is called with mode == 0. n == 5 after SSL_get_error()
> as is sslerr logged above. ngx_errno (errno) == 0.
>
> It seems like this is a non error condition. I'm silencing the
> message with this bit of code in ngx_ssl_shutdown():1039
>
>     err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0;
>
>     if (err == 0)
>     {
>         SSL_free(c->ssl->connection);
>         c->ssl = NULL;
>
>         return NGX_OK;
>     }
>
> IMAP/POP3 starttls and pure SSL sessions work just fine. That's
> what makes me think this is a bogus message. Could this error be
> the symptom of a problem elsewhere?
The attached patch should fix the message.
--
Igor Sysoev
http://sysoev.ru/en/
-------------- next part --------------
Index: src/event/ngx_event_openssl.c
===================================================================
--- src/event/ngx_event_openssl.c (revision 1184)
+++ src/event/ngx_event_openssl.c (working copy)
@@ -1037,17 +1037,14 @@
/* SSL_shutdown() never returns -1, on error it returns 0 */
- if (n != 1) {
+ if (n != 1 && ERR_peek_error()) {
sslerr = SSL_get_error(c->ssl->connection, n);
ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
"SSL_get_error: %d", sslerr);
}
- if (n == 1
- || sslerr == SSL_ERROR_ZERO_RETURN
- || (sslerr == 0 && c->timedout))
- {
+ if (n == 1 || sslerr == 0 || sslerr == SSL_ERROR_ZERO_RETURN) {
SSL_free(c->ssl->connection);
c->ssl = NULL;
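
Review bot: The new gate in the first condition, if (n != 1 && ERR_peek_error()), means sslerr is assigned only when the OpenSSL error queue is non-empty, while the rewritten second condition frees the connection on sslerr == 0, so the hunk is correct only if sslerr is initialised to 0 before line 1037, which these lines do not show; please confirm that or initialise it next to the SSL_shutdown() call. ERR_peek_error() reads the per-thread error queue, so an entry left behind by an earlier SSL call on another connection would send a clean n == 0 shutdown down the error path; calling ERR_clear_error() just before SSL_shutdown(), if it is not already done above the hunk, would make the gate reliable. Since SSL_get_error() is now skipped whenever the queue is empty, any n != 1 result in that case reaches SSL_free() without consulting SSL_get_error(), and the c->timedout condition is dropped; a short comment stating that this is intended would help the next reader.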