<div dir="ltr"><div class="gmail_default" style="font-family:trebuchet ms,sans-serif">Hi,</div><div class="gmail_default" style="font-family:trebuchet ms,sans-serif"><br></div><div class="gmail_default" style="font-family:trebuchet ms,sans-serif">After working a bit more on the issue, I also found that:</div><div class="gmail_default" style="font-family:trebuchet ms,sans-serif"><ul><li>Using a new key/certificate pair makes the problem not show anymore. So, some files will make it fail, some files make it work. The files are of different lengths, so it seems to be correlated to that.<br></li><li>Using LD_PRELOAD with an "empty" (as in no C code) .so file makes the problem disappear. I discovered this while trying to hook the calls to OpenSSL, just to discover that even if I removed all my code, the problem would go away.<br></li></ul></div><div class="gmail_default" style="font-family:trebuchet ms,sans-serif"><br></div><div class="gmail_default" style="font-family:trebuchet ms,sans-serif">As there are at least 3 different ways to make it disappear, it looks to me that it is not directly related to the SSL session, but to something completely different. I cannot run Valgrind on the MIPS hardware (not enough RAM), and I've been trying to reproduce it on QEMU, to no avail.</div><div class="gmail_default" style="font-family:trebuchet ms,sans-serif"><br></div><div class="gmail_default" style="font-family:trebuchet ms,sans-serif">Any ideas on how to proceed? Do you think Valgrind will help at all? 
Any other insights?</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Mar 8, 2018 at 12:16 PM, Abilio Marques <span dir="ltr">&lt;<a href="mailto:abiliojr@gmail.com" target="_blank">abiliojr@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_default"><font face="trebuchet ms, sans-serif">Using NGINX 1.12.2 on MIPS (haven't tested on x86), if I set:</font></div><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><div class="gmail_default"><font face="monospace, monospace">ssl_session_cache shared:SSL:1m; # it also fails with 10m</font></div></blockquote><div class="gmail_default" style="font-family:trebuchet ms,sans-serif"><br></div><div class="gmail_default" style="font-family:trebuchet ms,sans-serif">And the client reestablishes the connection, it gets: net::ERR_SSL_BAD_RECORD_MAC_ALERT when trying to reuse the SSL session.<br><br></div><div class="gmail_default" style="font-family:trebuchet ms,sans-serif">Has anyone seen anything like this?</div><div class="gmail_default" style="font-family:trebuchet ms,sans-serif"><br></div><div class="gmail_default" style="font-family:trebuchet ms,sans-serif"><br></div><div class="gmail_default" style="font-family:trebuchet ms,sans-serif">More detail:</div><div class="gmail_default" style="font-family:trebuchet ms,sans-serif"><br></div><div class="gmail_default" style="font-family:trebuchet ms,sans-serif"><span style="color:rgb(34,34,34);font-family:trebuchet ms,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">This 
was tested on 1.12.2, on a MIPS CPU, using OpenSSL 1.0.2j, and </span><span style="color:rgb(34,34,34);font-family:trebuchet ms,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration-style:initial;text-decoration-color:initial;background-color:rgb(255,255,255);float:none;display:inline">built by gcc 4.8.3 (OpenWrt/Linaro GCC 4.8-2014.04 r47070).</span><br></div><div class="gmail_default" style="font-family:trebuchet ms,sans-serif"><br></div><div class="gmail_default" style="font-family:trebuchet ms,sans-serif">Interesting portion of my configuration file:</div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div class="gmail_default"><div class="gmail_default"><div class="gmail_default"><font face="monospace, monospace">server {</font></div></div></div><div class="gmail_default"><div class="gmail_default"><div class="gmail_default"><font face="monospace, monospace"> listen 443 ssl;</font></div></div></div><div class="gmail_default"><div class="gmail_default"><div class="gmail_default"><font face="monospace, monospace"><br></font></div></div></div><div class="gmail_default"><div class="gmail_default"><div class="gmail_default"><font face="monospace, monospace"> ssl_certificate /etc/ssl/certs/bridge.cert.pem;</font></div></div></div><div class="gmail_default"><div class="gmail_default"><div class="gmail_default"><font face="monospace, monospace"> ssl_certificate_key /etc/ssl/private/bridge.key.pem;</font></div></div></div><div class="gmail_default"><div class="gmail_default"><div class="gmail_default"><font face="monospace, monospace"><br></font></div></div></div><div class="gmail_default"><div class="gmail_default"><div class="gmail_default"><font face="monospace, monospace"> ssl_protocols TLSv1.2;</font></div></div></div><div 
class="gmail_default"><div class="gmail_default"><div class="gmail_default"><font face="monospace, monospace"> ssl_prefer_server_ciphers on;</font></div></div></div><div class="gmail_default"><div class="gmail_default"><div class="gmail_default"><font face="monospace, monospace"> ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256;</font></div></div></div><div class="gmail_default"><div class="gmail_default"><div class="gmail_default"><font face="monospace, monospace"> ssl_ecdh_curve prime256v1;</font></div></div></div><div class="gmail_default"><div class="gmail_default"><div class="gmail_default"><font face="monospace, monospace"><br></font></div></div></div><div class="gmail_default"><div class="gmail_default"><div class="gmail_default"><font face="monospace, monospace"> ssl_session_timeout 24h;</font></div></div></div><div class="gmail_default"><div class="gmail_default"><div class="gmail_default"><font face="monospace, monospace"> ssl_session_tickets on;</font></div></div></div><div class="gmail_default"><div class="gmail_default"><div class="gmail_default"><font face="monospace, monospace"> ssl_session_cache shared:SSL:1m; # set to 10m, still fails, remove, the problem seems to disappear</font></div></div></div><div class="gmail_default"><div class="gmail_default"><div class="gmail_default"><font face="monospace, monospace"><br></font></div></div></div><div class="gmail_default"><div class="gmail_default"><div class="gmail_default"><font face="monospace, monospace"> keepalive_timeout 1s; # reduced during troubleshooting to make it trigger easily</font></div></div></div><div class="gmail_default"><div class="gmail_default"><div class="gmail_default"><font face="monospace, monospace"> keepalive_requests 1; # reduced during troubleshooting to make it trigger easily</font></div><div class="gmail_default"><font face="monospace, monospace"><br></font></div><div class="gmail_default"><font face="monospace, monospace"> include apiv1.conf; # where all the location rules 
are</font></div></div></div><div class="gmail_default"><div class="gmail_default"><div class="gmail_default"><font face="monospace, monospace">}</font></div></div></div></blockquote><div class="gmail_default"><div class="gmail_default" style="font-family:trebuchet ms,sans-serif"> </div><div style="font-family:trebuchet ms,sans-serif"><br></div></div><div class="gmail_default" style="font-family:trebuchet ms,sans-serif"><br></div></div>
</blockquote></div><br></div>