SSL_shutdown() return value <0
Jan Prachař
jan.prachar at gmail.com
Wed Jan 2 19:17:46 UTC 2019
Hello! Thanks for the detailed explanation of ignoring
SSL_ERROR_WANT_READ and SSL_ERROR_WANT_WRITE in ngx_ssl_shutdown.
On Tue, 2018-12-11 at 16:33 +0300, Maxim Dounin wrote:
> Hello!
>
> On Mon, Dec 10, 2018 at 09:46:28PM +0100, Jan Prachař wrote:
> > I have also tried to change the condition to just n < 0, and came to
> > another issue. If client closes connection prematurely, there is
> > usually SSL_write, that has failed with error WANT_WRITE. If then the
> > SSL_shutdown is called repeatedly, it causes OpenSSL error (SSL:
> > error:1409F07F:SSL routines:ssl3_write_pending:bad write retry),
> > because pending SSL_write should have been called first.
>
> In many places we try to avoid doing actual SSL shutdown if we
> know there was an error and/or we know the connection was already
> closed, by using c->ssl->no_send_shutdown flag. Existing cases
> might not be enough though.
I have given some time to debug the issue and I have found that in this
case nginx closes the connection inside read event handler
ngx_http_test_reading(). As you advised, I added
+ #if (NGX_HTTP_SSL)
+ if (c->ssl) {
+ c->ssl->no_send_shutdown = 1;
+ }
+ #endif
+
ngx_http_finalize_request(r, NGX_HTTP_CLIENT_CLOSED_REQUEST);
}
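Review bot: the added `c->ssl->no_send_shutdown = 1;` has no comment saying why the shutdown is suppressed just before `ngx_http_finalize_request(r, NGX_HTTP_CLIENT_CLOSED_REQUEST);`. A short comment would help the next reader, for example that the client has already closed the connection and an SSL_write may still be pending, so calling SSL_shutdown would only produce the "bad write retry" error. The flag is set for every SSL connection that reaches this call, so it is also worth confirming that every path to this point is one where the client has really closed the connection, since on any other path the skipped shutdown would be unwanted.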
just before the last line in the function, and then all errors
SSL: error:1409F07F:SSL routines:ssl3_write_pending:bad write retry
disappear.
-- Jan Prachař