nginx-0.7.46

Michael Shadle mike503 at gmail.com
Wed Apr 1 14:15:21 MSD 2009 

2009/4/1 Igor Sysoev <is at rambler-co.ru>:

> Thank you, beecrypt looks intresting, although its interface is different
> from OpenSSL/libmd's one.

I don't know if it would be a good thing for nginx to require
something additional like it.

I'd rather see it leverage the standard openssl :)

BTW, did you take a look at my SSL error? I cannot determine what the
problem is. The only idea that I seem to have at the moment is during
peak usage periods, the issue comes up.

I get this:

2009/03/26 01:11:00 [info] 6523#0: *665 SSL_do_handshake() failed
(SSL: error:140943FC SL routines SL3_READ_BYTES slv3 alert bad record
mac) while SSL handshaking, client: 22.11.8.27, server:
bugzilla.foo.org
2009/03/26 01:11:00 [debug] 6523#0: *664 SSL handshake handler: 0
2009/03/26 01:11:00 [debug] 6523#0: *664 SSL_do_handshake: -1
2009/03/26 01:11:00 [info] 6523#0: *664 peer closed connection in SSL
handshake (104: Connection reset by peer) while SSL handshaking,
client: 22.11.8.27, server: bugzilla.foo.org

I can't find any workarounds on the net, it seems to be only with Firefox 3.x.

Is there a tuneable or anything that would increase SSL performance or
available resources (the server is not highly utilized which is what
is weird...) that nginx can do, or could this be an openssl bug? It
seems like I found in nginx you recently had added those return values
of the "bad record mac" to the code, but I don't know -why- that is
happening, and only during specific periods of time, which is why I
think it is load related...

I've already done the ssl_protocols SSLv3 TLSv1; and that's fixed my
other servers and even other sites on the same server. It's this one
specific site and I've regenerated the SSL cert/etc...

It does proxy to apache, that's the only difference...

        server {
                listen 1.2.3.4:443;
                server_name bugzilla.foo.org;
                ssl on;
                ssl_certificate /etc/nginx/certs/bugzilla.foo.org.pem;
                ssl_certificate_key /etc/nginx/certs/bugzilla.foo.org.key;
                ssl_protocols SSLv3 TLSv1;
                location / {
                        proxy_pass http://127.0.0.1:81/;
                        proxy_set_header Host $host;
                        proxy_set_header X-Forwarded-For $remote_addr;
                        proxy_pass_header Expires;
                        proxy_pass_header Server;
                        proxy_buffering off;
                }
        }

Any help is appreciated.

More information about the nginx mailing list