Socket leaks, pread and [crit] SSL_Write() in 1.0.14

Floren Munteanu nginx at yqed.com
Sat Mar 31 22:39:37 UTC 2012


Hi Maxim,

On 3/26/2012 12:47 PM, Maxim Dounin wrote:
> As already suggested - you may build nginx with any particular
> openssl version statically, by using --with-openssl= configure
> argument.

I followed your advice and built a backlevel RPM for libcrypto.so.6 and 
libssl.so.6 so none of the deps are broken in CentOS 5. Then, I built the 
OpenSSL 1.0.1 RPMs and rebuilt Nginx against the latest libs:
# yum list openssl* nginx
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
  * base: mirrors.manchester.icecolo.com
  * extras: mirrors.manchester.icecolo.com
  * updates: mirrors.manchester.icecolo.com
Installed Packages
nginx.x86_64		1.0.14-1.el5	installed
openssl.x86_64		1.0.1-1.el5	installed
openssl-libs.x86_64	1.0.1-1.el5	installed
openssl098e.x86_64	0.9.8e-1.el5	installed

# nginx -V
nginx version: nginx/1.0.14
built by gcc 4.1.2 20080704 (Red Hat 4.1.2-52)
TLS SNI support enabled
configure arguments: --user=nginx --group=nginx 
--prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx 
--conf-path=/etc/nginx/nginx.conf --pid-path=/var/run/nginx.pid 
--error-log-path=/var/log/nginx/error.log 
--http-log-path=/var/log/nginx/access.log 
--http-client-body-temp-path=/var/lib/nginx/client 
--http-fastcgi-temp-path=/var/lib/nginx/fastcgi 
--http-proxy-temp-path=/var/lib/nginx/proxy 
--http-scgi-temp-path=/var/lib/nginx/scgi 
--http-uwsgi-temp-path=/var/lib/nginx/uwsgi 
--lock-path=/var/lock/subsys/nginx --with-cc-opt='-O3 -g -m64 
-mtune=nocona -m128bit-long-double -mmmx -msse3 -mfpmath=sse' 
--with-file-aio --with-http_addition_module --with-http_dav_module 
--with-http_degradation_module --with-http_flv_module 
--with-http_geoip_module --with-http_gzip_static_module 
--with-http_image_filter_module --with-http_mp4_module 
--with-http_perl_module --with-http_random_index_module 
--with-http_realip_module --with-http_secure_link_module 
--with-http_ssl_module --with-http_stub_status_module 
--with-http_sub_module --with-http_xslt_module --with-mail 
--with-mail_ssl_module --with-poll_module --with-rtsig_module 
--with-select_module

http {
	...
	ssl_prefer_server_ciphers	on;
	ssl_ciphers			RC4:HIGH:!aNULL:!MD5;
	ssl_protocols			SSLv3 TLSv1 TLSv1.1 TLSv1.2;
	ssl_session_cache		shared:SSL:5m;
	ssl_session_timeout		10m;
	...

	server {
		listen			192.168.1.3:443 ssl default_server;
		server_name		www.domain.com;
		access_log		off;
		error_log		/var/log/nginx/localhost.error.log      error;
		root			/var/www/domain.com;
		index			index.php index.html;
		ssl_certificate		domain.com.crt;
		ssl_certificate_key	domain.com.key;
		...
	}
}

Even though I eliminated the OpenSSL version issues, I still have random 
[crit] SSL_write() failures at the same frequency as before. They are 
also accompanied by open socket alerts, of this format:
[alert] 2380#0: open socket #34 left in connection 12

I'm looking forward to your suggestions.

Regards,

Floren
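
A triage sketch for the two symptoms reported above, added here as an example and not part of the original message or of nginx: it groups `[crit] SSL_write()` lines and `open socket ... left in connection` alerts by worker PID to show whether the same worker logs both. The sample log is constructed; only the `[alert]` text follows the format quoted in the message, and the timestamps, the rest of the `[crit]` wording and the addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the original post). The [alert] text follows
# the format quoted in the message; timestamps, the wording after "SSL_write()"
# and the client addresses are assumptions.
SAMPLE_LOG = """\
2012/03/31 21:10:02 [crit] 2380#0: *5121 SSL_write() failed (SSL:) while sending to client, client: 192.0.2.10, server: www.domain.com
2012/03/31 21:14:47 [crit] 2380#0: *5340 SSL_write() failed (SSL:) while sending to client, client: 192.0.2.11, server: www.domain.com
2012/03/31 21:20:15 [crit] 2381#0: *88 SSL_write() failed (SSL:) while sending to client, client: 192.0.2.12, server: www.domain.com
2012/03/31 22:00:01 [alert] 2380#0: open socket #34 left in connection 12
2012/03/31 22:00:01 [alert] 2380#0: open socket #41 left in connection 19
2012/03/31 22:00:03 [error] 2382#0: *7 open() "/var/www/domain.com/favicon.ico" failed (2: No such file or directory)
"""

# "[level] pid#tid: message" as it appears in the nginx error log.
LINE = re.compile(r"\[(?P<level>\w+)\] (?P<pid>\d+)#\d+: (?P<msg>.*)")
LEAK = re.compile(r"open socket #(?P<fd>\d+) left in connection (?P<slot>\d+)")


def summarize(log_text):
    """Return {pid: {"ssl_write_crit": n, "leaked_fds": [fd, ...]}}."""
    stats = defaultdict(lambda: {"ssl_write_crit": 0, "leaked_fds": []})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not an error-log line in the expected shape
        pid, msg = int(m["pid"]), m["msg"]
        if m["level"] == "crit" and "SSL_write()" in msg:
            stats[pid]["ssl_write_crit"] += 1
        elif m["level"] == "alert":
            leak = LEAK.search(msg)
            if leak:
                stats[pid]["leaked_fds"].append(int(leak["fd"]))
    return dict(stats)


def workers_with_both(stats):
    """PIDs that logged both SSL_write() failures and leaked-socket alerts."""
    return sorted(p for p, s in stats.items() if s["ssl_write_crit"] and s["leaked_fds"])


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for pid in sorted(stats):
        print(pid, stats[pid])
    print("workers with both symptoms:", workers_with_both(stats))
```

To run it against a real log, pass the file's contents to `summarize()` in place of `SAMPLE_LOG`.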



