Socket leaks., pread and [crit] SSL_Write() in 1.0.14
Maxim Dounin
mdounin at mdounin.ru
Mon Apr 2 11:17:54 UTC 2012
Hello!
On Sat, Mar 31, 2012 at 06:39:37PM -0400, Floren Munteanu wrote:
> Hi Maxim,
>
> On 3/26/2012 12:47 PM, Maxim Dounin wrote:
> >As already suggested - you may build nginx with any particular
> >openssl version statically, by using --with-openssl= configure
> >argument.
>
> I followed your advice and built a backlevel RPM for libcrypto.so6
> and libssl.so6 so none of the deps are broken in CentOS 5. Then, I
> built the OpenSSL 1.0.1 RPMs and rebuilt Nginx against the latest
> libs:
> # yum list openssl* nginx
> Loaded plugins: fastestmirror
> Loading mirror speeds from cached hostfile
> * base: mirrors.manchester.icecolo.com
> * extras: mirrors.manchester.icecolo.com
> * updates: mirrors.manchester.icecolo.com
> Installed Packages
> nginx.x86_64 1.0.14-1.el5 installed
> openssl.x86_64 1.0.1-1.el5 installed
> openssl-libs.x86_64 1.0.1-1.el5 installed
> openssl098e.x86_64 0.9.8e-1.el5 installed
>
> # nginx -V
> nginx version: nginx/1.0.14
> built by gcc 4.1.2 20080704 (Red Hat 4.1.2-52)
> TLS SNI support enabled
> configure arguments: --user=nginx --group=nginx
> --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx
> --conf-path=/etc/nginx/nginx.conf --pid-path=/var/run/nginx.pid
> --error-log-path=/var/log/nginx/error.log
> --http-log-path=/var/log/nginx/access.log
> --http-client-body-temp-path=/var/lib/nginx/client
> --http-fastcgi-temp-path=/var/lib/nginx/fastcgi
> --http-proxy-temp-path=/var/lib/nginx/proxy
> --http-scgi-temp-path=/var/lib/nginx/scgi
> --http-uwsgi-temp-path=/var/lib/nginx/uwsgi
> --lock-path=/var/lock/subsys/nginx --with-cc-opt='-O3 -g -m64
> -mtune=nocona -m128bit-long-double -mmmx -msse3 -mfpmath=sse'
> --with-file-aio --with-http_addition_module --with-http_dav_module
> --with-http_degradation_module --with-http_flv_module
> --with-http_geoip_module --with-http_gzip_static_module
> --with-http_image_filter_module --with-http_mp4_module
> --with-http_perl_module --with-http_random_index_module
> --with-http_realip_module --with-http_secure_link_module
> --with-http_ssl_module --with-http_stub_status_module
> --with-http_sub_module --with-http_xslt_module --with-mail
> --with-mail_ssl_module --with-poll_module --with-rtsig_module
> --with-select_module
Please also check if nginx actually uses the new openssl library, ldd
should be helpful here.
>
> http {
> ...
> ssl_prefer_server_ciphers on;
> ssl_ciphers RC4:HIGH:!aNULL:!MD5;
> ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
> ssl_session_cache shared:SSL:5m;
> ssl_session_timeout 10m;
> ...
>
> server {
> listen 192.168.1.3:443 ssl default_server;
> server_name www.domain.com;
> access_log off;
> error_log /var/log/nginx/localhost.error.log error;
> root /var/www/domain.com;
> index index.php index.html;
> ssl_certificate domain.com.crt;
> ssl_certificate_key domain.com.key;
> ...
> }
> }
>
> Even if I eliminated the OpenSSL version issues, I still have random
> [crit] SSL_write() failures at the same frequency as before. They
> are also accompanied by open socket alerts, of this format:
> [alert] 2380#0: open socket #34 left in connection 12
>
> I'm looking forward to your suggestions.
As already suggested, it would be cool to check if you see the
same problem in 1.1.x.
And to proceed further we need a debug log, see here:
http://wiki.nginx.org/Debugging
Note you'll need to recompile nginx with "--with-debug" configure
argument to obtain one.
Maxim Dounin
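
The linkage check requested above can be scripted. This is an added example, not part of the original message or of nginx: the function names and the sample `ldd` output are constructed, and the expected soname suffix `1.0.0` is an assumption about how the OpenSSL 1.0.1 package was built.

```shell
#!/bin/sh
# Added example: decide which OpenSSL an nginx binary will actually use.
# Live inputs would be:  nginx -V 2>&1   and   ldd "$(command -v nginx)"

# Constructed samples. NGINX_V_SAMPLE is abridged from the `nginx -V` output
# quoted in the message; LDD_SAMPLE is invented to show a stale linkage.
NGINX_V_SAMPLE='configure arguments: --user=nginx --with-http_ssl_module --with-mail_ssl_module'
LDD_SAMPLE='    libssl.so.6 => /lib64/libssl.so.6 (0x00002b5f1c000000)
    libcrypto.so.6 => /lib64/libcrypto.so.6 (0x00002b5f1c400000)
    libc.so.6 => /lib64/libc.so.6 (0x00002b5f1d000000)'

# "static" if OpenSSL was compiled in via --with-openssl=, else "dynamic".
openssl_link_mode() {
    case "$1" in
        *--with-openssl=*) echo static ;;
        *) echo dynamic ;;
    esac
}

# One "soname path" line per libssl/libcrypto entry in ldd output.
linked_openssl_libs() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" {
            print $1, ($3 == "not" ? "not-found" : $3)
        }'
}

# Succeeds only if every linked libssl/libcrypto resolves and its soname
# ends in ".so.<expected>". Fails when nothing is linked dynamically.
uses_expected_openssl() {
    libs=$(linked_openssl_libs "$1")
    [ -n "$libs" ] || return 1
    printf '%s\n' "$libs" | awk -v want=".so.$2" '
        $2 == "not-found" { bad = 1 }
        substr($1, length($1) - length(want) + 1) != want { bad = 1 }
        END { exit bad + 0 }'
}

# Demo on the constructed samples; "1.0.0" is the assumed soname suffix.
echo "link mode: $(openssl_link_mode "$NGINX_V_SAMPLE")"
linked_openssl_libs "$LDD_SAMPLE"
if uses_expected_openssl "$LDD_SAMPLE" "1.0.0"; then
    echo "nginx is linked against the expected OpenSSL"
else
    echo "nginx is NOT linked against the expected OpenSSL"
fi
```

A "dynamic" result means the runtime linker picks the library, so with both the 1.0.1 and 0.9.8e packages installed the `ldd` paths are what show which one the running binary loads.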