SSL_read error on multiple simultaneous upstream SSL downloads
Maxim Dounin
mdounin at mdounin.ru
Mon Oct 21 20:00:36 UTC 2013
Hello!

On Mon, Oct 21, 2013 at 11:57:34AM -0700, Piotr Sikora wrote:
> Hey,
>
> > Looks like a regression in OpenSSL 1.0.0+. I'm able to reproduce
> > the problem with OpenSSL 1.0.0 and more recent versions, including
> > recent git snapshot, but everything is fine with OpenSSL 0.9.8y
> > and previous versions.
> >
> > Bisection on OpenSSL 1.0.0 branch may be helpful to trace the
> > exact cause.
>
> I've looked a bit into this over the weekend and it seems that it's
> being triggered by use of both: reading ahead and releasing buffers
> (introduced in OpenSSL-1.0.0, hence the regression) on the client side
> with upstream buffering off (I wasn't able to reproduce it with
> upstream buffering on, but that might be just because it's harder to
> trigger, as OpenSSL code path is effectively the same in both cases).
>
> I don't think that we're affected on the server side (which would
> actually suggest nginx bug), so the work-around for the issue (at
> least for the time being) is to stop releasing buffers when nginx acts
> as a client. I'm a bit tempted to do it only for the case with
> buffering turned off, but from looking at the code I can't tell why it
> would make a difference.

While I tend to think that the problem is indeed related to
SSL_MODE_RELEASE_BUFFERS I don't see any reasons why the server
side shouldn't be affected. Could you please point out why you
think so?

In any case I don't think we should commit any workarounds before
the problem is at least understood. Trivial mitigation for the
errors observed so far would be to switch proxy_buffering back to
on, as by default, and/or use larger buffers.

--
Maxim Dounin
http://nginx.org/en/donation.html
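
The configuration-level mitigation mentioned in the message above, written out as an added example that is not part of the original thread and not nginx project code. The upstream name, address, locations and buffer sizes are constructed placeholders; only the directives themselves (`proxy_buffering`, `proxy_buffer_size`, `proxy_buffers`) are real nginx directives.

```nginx
# Added example; place inside the http { } context.
# Upstream name, address, paths and sizes are constructed placeholders.

upstream backend_tls {
    server 192.0.2.10:443;          # documentation address (RFC 5737)
}

server {
    listen 8080;

    # Setup under discussion: unbuffered proxying to an SSL upstream.
    # With buffering off, nginx reads from the upstream at most
    # proxy_buffer_size bytes at a time and passes them on immediately.
    location /unbuffered/ {
        proxy_pass      https://backend_tls;
        proxy_buffering off;
    }

    # Mitigation: switch proxy_buffering back to on (the default).
    # Buffer sizes are stated explicitly here only to make them visible.
    location /buffered/ {
        proxy_pass        https://backend_tls;
        proxy_buffering   on;
        proxy_buffer_size 16k;
        proxy_buffers     8 16k;
    }

    # Mitigation where unbuffered delivery must be kept: use a larger
    # read buffer, which is proxy_buffer_size when buffering is off.
    location /unbuffered-large/ {
        proxy_pass        https://backend_tls;
        proxy_buffering   off;
        proxy_buffer_size 64k;
    }
}
```

`nginx -t` validates the syntax before a reload. Watching the error log for SSL_read errors on each location separately shows whether the setting changes the behaviour for a given workload.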