openssl 1.1.1e 14095126:SSL routines:ssl3_read_n

Sergey Kandaurov pluknet at nginx.com
Fri Mar 20 07:41:32 UTC 2020


> On 18 Mar 2020, at 14:17, itpp2012 <nginx-forum at forum.nginx.org> wrote:
> 
> Logging getting swamped with:
> 
> [crit] 1808#2740: *20747 SSL_read() failed (SSL: error:14095126:SSL
> routines:ssl3_read_n:unexpected eof while reading) while keepalive
> 
> Related to: https://github.com/openssl/openssl/issues/10880
> and this commit:
> https://github.com/openssl/openssl/commit/db943f43a60d1b5b1277e4b5317e8f288e7a0a3a
> 
> Question: does this need to be resolved in openssl or nginx?

So, they deliberately changed existing behaviour, known since
at least OpenSSL 0.9.7, in the stable branch which should not
be targeted (per their words) for introducing behaviour changes.
That is unfortunate and beyond explanation.

To simply shut up the crit, this would require such an ugly hack.

diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -2301,7 +2301,13 @@ ngx_ssl_handle_recv(ngx_connection_t *c,
     c->ssl->no_wait_shutdown = 1;
     c->ssl->no_send_shutdown = 1;
 
-    if (sslerr == SSL_ERROR_ZERO_RETURN || ERR_peek_error() == 0) {
+    if (sslerr == SSL_ERROR_ZERO_RETURN || ERR_peek_error() == 0
+#ifdef SSL_R_UNEXPECTED_EOF_WHILE_READING
+        || (sslerr == SSL_ERROR_SSL && ERR_GET_REASON(ERR_peek_error())
+                                       == SSL_R_UNEXPECTED_EOF_WHILE_READING)
+#endif
+       )
+    {
         ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
                        "peer shutdown SSL cleanly");
         return NGX_DONE;
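
Review bot: The new SSL_R_UNEXPECTED_EOF_WHILE_READING case in the extended condition shares the existing "peer shutdown SSL cleanly" debug message and the NGX_DONE return, so a connection that ended without close_notify is logged the same way as a proper TLS shutdown. Consider giving it its own branch with a distinct message (for example at info level), so the crit is silenced but truncated connections stay distinguishable in the logs. ERR_peek_error() is now called twice and only inspects the earliest queued error; storing its result in a local variable above the if would also let the #ifdef move out of the middle of the condition.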


-- 
Sergey Kandaurov


