SSL_shutdown() return value <0

Jan Prachař jan.prachar at
Wed Jan 2 19:17:46 UTC 2019

Hello! Thanks for the detailed explanation of ignoring

On Tue, 2018-12-11 at 16:33 +0300, Maxim Dounin wrote:
> Hello!
> On Mon, Dec 10, 2018 at 09:46:28PM +0100, Jan Prachař wrote:
> > I have also tried to change the condition to just n < 0, and came
> > to
> > antoher issue. If client closes connection prematurely, there is
> > usually SSL_write, that has failed with error WANT_WRITE. If then
> > the
> > SSL_shutdown is called repeatedly, it causes OpenSSL error (SSL:
> > error:1409F07F:SSL routines:ssl3_write_pending:bad write retry),
> > because pending SSL_write should have been called first.
> In many places we try to avoid doing actual SSL shutdown if we 
> know there was an error and/or we know the connection was already 
> closed, by using c->ssl->no_send_shutdown flag.  Existing cases 
> might not be enough though.

I have given some time to debug the issue and I have found that in this
case nginx closes the connection inside read event handler
ngx_http_test_reading(). As you adviced, I added

+ #if (NGX_HTTP_SSL)
+         if (c->ssl) {
+             c->ssl->no_send_shutdown = 1;
+         }
+ #endif
    ngx_http_finalize_request(r, NGX_HTTP_CLIENT_CLOSED_REQUEST);

just before the last line in the function, and then all errors

SSL: error:1409F07F:SSL routines:ssl3_write_pending:bad write retry


-- Jan Prachař

More information about the nginx-devel mailing list