SSL_read error on multiple simultaneous upstream SSL downloads

Maxim Dounin mdounin at mdounin.ru
Wed Oct 23 21:46:06 UTC 2013


Hello!

On Wed, Oct 23, 2013 at 02:26:41PM -0700, Piotr Sikora wrote:

> Hey Maxim,
> 
> > While I tend to think that the problem is indeed related to
> > SSL_MODE_RELEASE_BUFFERS I don't see any reasons why the server
> > side shouldn't be affected.  Could you please point out why you
> > think so?
> 
> Well, I don't see this from the code, so it's just a hunch, but:
> - I wasn't able to reproduce it on the server side with big uploads,
> - I wasn't able to reproduce it on the client side with buffering on,
> - I was able to consistently reproduce it on the client side with buffering off,
> - I did a fast scan on some of our production logs and I see those
> errors only for content that would be transferred with proxy buffering
> off,
> - I think that we would see many more complaints if this was happening
> on the server side or on the client side with default settings
> (buffering on).
> 
> I know this isn't very scientific, but those are the facts.
> 
> Note: I didn't play around with WebSockets... They are effectively
> unbuffered, so they might be triggering this issue on the server side.

As far as I understand, the problem happens if for some reason 
nginx isn't able to read all the data OpenSSL read from a socket, 
i.e. if some data are left in the OpenSSL read buffers.  (And of 
course it only happens if OpenSSL uses the same buffers for 
multiple connections.)

This is not something impossible on the server side - but likely 
much less common than with proxy_buffering set to off.  It can 
happen e.g. with pipelined requests, or if a request with a body 
is delayed with limit_req.

-- 
Maxim Dounin
http://nginx.org/en/donation.html