SSL_read error on multiple simultaneous upstream SSL downloads
Agent Coulson
shield1182 at gmail.com
Fri Oct 18 19:59:40 UTC 2013
Yes, I am able to reproduce this talking to the same nginx as an upstream,
here is my new config. To reproduce, create a file in the root which is
several Mb, i used 20Mb, and issus multiple simultaneous curl's to the
object, i found rate-limiting my curl is the best way to repro. This
suggests there is some problem when we have to buffer. I'm skeptical that
this is an openssl issue as I have used multiple different openssl versions
and still run into this. However for completeness, I've reprod with
openssl sources from openssl.org (openssl-1.0.1e) as you suggested.
Updated conf:
### Begin ngxin.conf ###
worker_processes 1;
error_log logs/error.log debug;
pid logs/nginx.pid;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
access_log logs/access.log;
keepalive_timeout 60;
upstream http {
server 127.0.0.1:1183;
keepalive 512;
}
server {
listen 1182 default_server;
server_name -;
ssl_protocols SSLv3 TLSv1;
ssl_ciphers RC4:HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
proxy_pass https://http;
proxy_redirect off;
proxy_read_timeout 10s;
proxy_connect_timeout 6s;
proxy_buffering off;
proxy_buffer_size 64k;
proxy_buffers 6 16k;
proxy_busy_buffers_size 80k;
proxy_pass_header Server;
proxy_pass_header Date;
proxy_pass_header X-Pad;
proxy_set_header Connection "Keep-Alive";
proxy_set_header Host "upstream.srv";
}
}
server {
listen 1183 ssl;
server_name upstream.srv;
ssl_certificate /var/nginx/conf/upstream.srv.pem;
ssl_certificate_key /var/nginx/conf/upstream.srv.key;
ssl_protocols SSLv3 TLSv1;
ssl_ciphers RC4:HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
root /var/nginx/html;
}
}
}
### End ngxin.conf ###
configure flags for nginx 1.4.3:
./configure --prefix=/var/nginx --with-debug --with-http_ssl_module
--without-http_auth_basic_module --without-http_autoindex_module
--without-http_browser_module --without-http-cache
--without-http_charset_module --without-http_empty_gif_module
--without-http_fastcgi_module --without-http_geo_module
--without-http_gzip_module --without-http_limit_conn_module
--without-http_map_module --without-http_memcached_module
--without-http_referer_module --without-http_rewrite_module
--without-http_scgi_module --without-http_split_clients_module
--without-http_ssi_module --without-http_upstream_ip_hash_module
--without-http_userid_module --without-http_uwsgi_module
--without-mail_imap_module --without-mail_pop3_module
--without-mail_smtp_module --with-openssl=/tmp/openssl-1.0.1e
I start nginx and then issue 3 simultaneous curl's from the local box,
rate-limited. This should be sufficient for anyone else to repro the issue.
curl --limit-rate 800k -v -o /dev/null http://localhost:1182/20m.txt&
curl --limit-rate 800k -v -o /dev/null http://localhost:1182/20m.txt&
curl --limit-rate 800k -v -o /dev/null http://localhost:1182/20m.txt&
At least one will fail with bytes remaining, and you will see the error in
the error.log.
2013/10/18 19:56:50 [error] 14667#0: *4 SSL_read() failed (SSL:
error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record
mac) while sending to client, client: 127.0.0.1, server: -, request: "GET
/20m.bin HTTP/1.1", upstream: "https://127.0.0.1:1183/20m.bin", host:
"localhost:1182"
thanks for your attention.
On Fri, Oct 18, 2013 at 7:06 PM, Maxim Dounin <mdounin at mdounin.ru> wrote:
> Hello!
>
> On Fri, Oct 18, 2013 at 06:01:14PM +0000, Agent Coulson wrote:
>
> > I am able to reproduce the following error when I have nginx configured
> > with an upstream https connection. I have tweaked various settings all
> to
> > no avail (proxy_buffer_size, proxy_buffers, proxy_ssl_session_reuse).
> >
> > 2013/10/18 17:17:31 [debug] 15644#0: *39 SSL_read: -1, SSL_pending: 16384
> > 2013/10/18 17:17:31 [debug] 15644#0: *39 SSL_get_error: 1
> > 2013/10/18 17:17:31 [error] 15644#0: *39 SSL_read() failed (SSL:
> > error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad
> record
> > mac) while sending to client, client: 127.0.0.1, server: -, request: "GET
> > /test-1 HTTP/1.1", upstream: "https://x.x.x.x:443/test-1", host:
> > "localhost:1182"
>
> I tend to think it's highly unlikely it's a problem in nginx.
> Most likely, it's a problem either in OpenSSL library used on
> nginx side, or in SSL implementation used on a backend.
>
> First thing I would recommend to test is to make sure you are able
> to reporoduce the problem:
>
> 1. Using nginx statically compiled with a known version of the
> OpenSSL library (--with-openssl=..., with sources from
> openssl.org).
>
> 2. Using the same nginx as a backend.
>
> [...]
>
> > I've seen a bug report on this too (
> http://trac.nginx.org/nginx/ticket/215),
> > so thought i would send this here to see if anyone else is actively
> working
> > on the issue.
>
> As of now, no one provided enough steps to reproduce the problem.
> And, see above, most likely the problem is not in nginx.
>
> --
> Maxim Dounin
> http://nginx.org/en/donation.html
>
> _______________________________________________
> nginx-devel mailing list
> nginx-devel at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx-devel
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20131018/58a6a3e5/attachment-0001.html>
More information about the nginx-devel
mailing list