Intermittent SSL Handshake issues on Ubuntu 12.04 and Nginx
mdounin at mdounin.ru
Mon Apr 20 17:43:36 UTC 2015
On Sun, Apr 19, 2015 at 06:08:35PM -0400, rPawel wrote:
> Hi Guys,
> I posted originally my issue on askubuntu but I think this will be a better
> Original post
> # In simple terms
> I am having issues with https handshakes. I am currently using nginx but it
> is most likely not an nginx issue.
> # Behaviour
> Web clients such as browsers will sometimes present "SSL connection error"
> Apache benchmark will spit out several error lines and will report around
> 1-10% failures. Errors below will appear in random order but the first one
> is more common.
> (1) Benchmarking mysite.net (be patient)...SSL read failed (1) - closing
> 128494120003296:error:1408F119:SSL routines:SSL3_GET_RECORD:decryption
> failed or bad record mac:s3_pkt.c:486:
> (2) SSL read failed (1) - closing connection
> 128494120003296:error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad
> record mac:s3_pkt.c:1262:SSL alert number 20
> # Server setup
> Ubuntu 12.04 64bit with all updates and patches installed, server
> nginx/1.6.3 - from nginx.org (deb http://nginx.org/packages/ubuntu/ precise
> OpenSSL dynamically linked:
> # ldd `which nginx` | grep ssl
> libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0
> # strings /lib/x86_64-linux-gnu/libssl.so.1.0.0 | grep "^OpenSSL "
> OpenSSL 1.0.1 14 Mar 2012
> Nginx server config (with limited cyphers)
> 1.0.1 14 Mar 2012
> #dpkg -s libssl1.0.0
> Version: 1.0.1-4ubuntu5.25
This looks similar to this ticket (turned out to be a bug in
OpenSSL, see comments for details):
Try upgrading to OpenSSL 1.0.1h or newer to see if it helps.
Alternatively, make sure the OpenSSL package you are using
includes the fix in question.
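Added example, not part of the original message and not nginx or OpenSSL code: a Python check that compares the banner printed by the `strings ... | grep "^OpenSSL "` command quoted above against the suggested 1.0.1h. The function names and the second sample banner are constructed for illustration.

```python
import re

# Upstream OpenSSL versions before 3.0 look like "1.0.1", "1.0.1h" or "0.9.8zh":
# three numbers plus an optional one- or two-letter patch suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]{0,2})$")
_BANNER_RE = re.compile(r"^OpenSSL (\S+)\s", re.MULTILINE)

# Banner exactly as quoted in the message above.
PAGE_BANNER = "OpenSSL 1.0.1 14 Mar 2012"
# Constructed sample banner for a library at the suggested version.
FIXED_BANNER = "OpenSSL 1.0.1h 5 Jun 2014\n"


def parse_version(text):
    """Return a sortable tuple for an upstream OpenSSL version string."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % text)
    major, minor, fix, letters = m.groups()
    # No suffix sorts before "a".."z", which sort before "za".."zz":
    # compare suffix length first, then the letters themselves.
    return (int(major), int(minor), int(fix), len(letters), letters)


def banner_version(strings_output):
    """Extract the version from `strings libssl.so | grep "^OpenSSL "` output."""
    m = _BANNER_RE.search(strings_output)
    if not m:
        raise ValueError("no OpenSSL banner found")
    return m.group(1)


def check(strings_output, minimum="1.0.1h"):
    """Return (version, verdict) for the library banner."""
    found = banner_version(strings_output)
    if parse_version(found) >= parse_version(minimum):
        return found, "ok"
    # Distribution packages (here 1.0.1-4ubuntu5.25) keep the old upstream
    # banner and backport fixes, so a low banner does not settle the question:
    # the package changelog has to be checked for the fix.
    return found, "below-minimum: check the package changelog for the fix"


if __name__ == "__main__":
    for banner in (PAGE_BANNER, FIXED_BANNER):
        print(check(banner))
```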