SSL_shutdown() failed (SSL:) while proxying

John Capo support at tuffmail.net
Wed Jan 23 01:41:20 MSK 2008


Quoting Igor Sysoev (is at rambler-co.ru):
> On Thu, Jan 17, 2008 at 07:41:49PM -0500, John Capo wrote:
> 
> > I am testing 0.5.35 as a replacement for my perdition IMAP/POP3
> > proxies.  I fed a bit of real traffic to nginx today and within a
> > few seconds I see SSL_shutdown errors in the logs.  Nothing in
> > testing produced that error but it is 100% repeatable.  It looks
> > to me to be a bogus error message.
> > 
> > FreeBSD 4.11 and openssl 0.9.8g.
> > 
> > openssl s_client -connect localhost:995
> > <SSL stuff snipped>
> > +OK POP3 ready
> > quit
> > +OK
> > closed
> > 
> > 2008/01/17 19:08:51 [debug] 75716#0: *1 malloc: 080D4F00:256
> > 2008/01/17 19:08:51 [debug] 75716#0: *1 pop3 auth state
> > 2008/01/17 19:08:51 [debug] 75716#0: *1 SSL_read: 5
> > 2008/01/17 19:08:51 [debug] 75716#0: *1 SSL_read: -1
> > 2008/01/17 19:08:51 [debug] 75716#0: *1 SSL_get_error: 2
> > 2008/01/17 19:08:51 [debug] 75716#0: *1 SSL to write: 5
> > 2008/01/17 19:08:51 [debug] 75716#0: *1 SSL_write: 5
> > 2008/01/17 19:08:51 [debug] 75716#0: *1 close mail connection: 12
> > 2008/01/17 19:08:51 [debug] 75716#0: *1 SSL_shutdown: 0
> > 2008/01/17 19:08:51 [debug] 75716#0: *1 SSL_get_error: 5
> > 2008/01/17 19:08:51 [crit] 75716#0: *1 SSL_shutdown() failed (SSL:) while in auth state, client: 127.0.0.1, server: 127.0.0.1:995
> > 
> > SSL_set_shutdown() is called with mode == 0. n == 5 after SSL_get_error()
> > as is sslerr logged above. ngx_errno (errno) == 0.
> > 
> > It seems like this is a non error condition.  I'm silencing the
> > message with this bit of code in ngx_ssl_shutdown():1039
> > 
> >     err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0;
> > 
> >     if (err == 0)
> >     {
> >         SSL_free(c->ssl->connection);
> >         c->ssl = NULL;
> > 
> >         return NGX_OK;
> >     }
> > 
> > IMAP/POP3 starttls and pure SSL sessions work just fine.  That's
> > what makes me think this is a bogus message.  Could this error be
> > the symptom of a problem elsewhere?
> 
> The attached patch should fix the message.

I'll send this again with the correct sender address :-(

The patch does silence the message.

John Capo
Tuffmail.com

> 
> 
> -- 
> Igor Sysoev
> http://sysoev.ru/en/

> Index: src/event/ngx_event_openssl.c
> ===================================================================
> --- src/event/ngx_event_openssl.c	(revision 1184)
> +++ src/event/ngx_event_openssl.c	(working copy)
> @@ -1037,17 +1037,14 @@
>  
>      /* SSL_shutdown() never returns -1, on error it returns 0 */
>  
> -    if (n != 1) {
> +    if (n != 1 && ERR_peek_error()) {
>          sslerr = SSL_get_error(c->ssl->connection, n);
>  
>          ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
>                         "SSL_get_error: %d", sslerr);
>      }
>  
> -    if (n == 1
> -        || sslerr == SSL_ERROR_ZERO_RETURN
> -        || (sslerr == 0 && c->timedout))
> -    {
> +    if (n == 1 || sslerr == 0 || sslerr == SSL_ERROR_ZERO_RETURN) {
>          SSL_free(c->ssl->connection);
>          c->ssl = NULL;
>  
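
Review bot: Gating `SSL_get_error()` on `ERR_peek_error()` in the first condition means `sslerr` is never set when the error queue is empty, so the new `sslerr == 0` test in the second condition only works if `sslerr` is initialised to 0 before this hunk, which is not visible here; please confirm that or set it explicitly just above. Because `SSL_ERROR_WANT_READ` and `SSL_ERROR_WANT_WRITE` do not put anything on the error queue, an incomplete shutdown (`n == 0`, peer's close_notify not yet seen) now falls into the `SSL_free()` branch immediately instead of reaching any retry handling that may follow this hunk. With the `c->timedout` qualifier removed, that is a behaviour change worth stating in a comment. `ERR_peek_error()` also reports stale entries left by earlier calls on the same thread, so consider calling `ERR_clear_error()` before `SSL_shutdown()` to keep an unrelated old error from bringing back the [crit] message. An alternative that keeps the WANT_* states visible is to call `SSL_get_error()` unconditionally and treat `SSL_ERROR_SYSCALL` with an empty queue and `ngx_errno == 0` as a clean close, which is the case the reporter's log shows (`SSL_shutdown: 0`, `SSL_get_error: 5`).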





