Intermittent SSL Handshake issues on Ubuntu 12.04 and Nginx

Maxim Dounin mdounin at mdounin.ru
Mon Apr 20 17:43:36 UTC 2015


Hello!

On Sun, Apr 19, 2015 at 06:08:35PM -0400, rPawel wrote:

> Hi Guys,
> 
> I originally posted my issue on askubuntu but I think this will be a better place
> 
> http://askubuntu.com/questions/611418/intermittent-ssl-handshake-issues-on-ubuntu-12-04-and-nginx.
> 
> Original post
> --------------------------------
> 
> # In simple terms
> 
> I am having issues with https handshakes. I am currently using nginx but it
> is most likely not an nginx issue.
> 
> # Behaviour
> 
> Web clients such as browsers will sometimes present "SSL connection error"
> (Chrome)
> 
> Apache benchmark will spit out several error lines and will report around
> 1-10% failures. Errors below will appear in random order but the first one
> is more common.
> 
> (1) Benchmarking mysite.net (be patient)...SSL read failed (1) - closing
> connection
> 128494120003296:error:1408F119:SSL routines:SSL3_GET_RECORD:decryption
> failed or bad record mac:s3_pkt.c:486:
> 
> (2) SSL read failed (1) - closing connection
> 128494120003296:error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad
> record mac:s3_pkt.c:1262:SSL alert number 20
> 
> # Server setup
> Ubuntu:
> 
> Ubuntu 12.04 64bit with all updates and patches installed, server
> restarted.
> Nginx:
> 
> nginx/1.6.3 - from nginx.org (deb http://nginx.org/packages/ubuntu/ precise
> nginx)
> 
> OpenSSL dynamically linked:
> 
> # ldd `which nginx` | grep ssl
>     libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0
> (0x00007f3065569000)
> 
> # strings /lib/x86_64-linux-gnu/libssl.so.1.0.0 | grep "^OpenSSL "
> OpenSSL 1.0.1 14 Mar 2012
> 
> Nginx server config (with limited cyphers)
> OpenSSL:
> 
> 1.0.1 14 Mar 2012
> 
> #dpkg -s libssl1.0.0
> Version: 1.0.1-4ubuntu5.25

This looks similar to this ticket (turned out to be a bug in 
OpenSSL, see comments for details):

http://trac.nginx.org/nginx/ticket/215

Try upgrading to OpenSSL 1.0.1h or newer to see if it helps.  
Alternatively, make sure the OpenSSL package you are using 
includes the fix in question.

[...]

-- 
Maxim Dounin
http://nginx.org/
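
Added example, not part of the original message: a POSIX shell check that compares a libssl banner (as printed by the `strings` command quoted above) with the upstream 1.0.1h release named in the reply. The function names are illustrative and the sample banner is the one quoted in the thread.

```shell
#!/bin/sh
# Added example: compare an OpenSSL banner with upstream 1.0.1h.
# Function names are illustrative, not from nginx or OpenSSL.

# Print "x.y.z.rank" for "OpenSSL 1.0.1 14 Mar 2012" or "1.0.1h".
# rank: 0 for no letter, a=1 ... z=26, two-letter "za" = 27, and so on.
openssl_ver_key() {
    v=$(printf '%s\n' "$1" | sed -n \
        's/^\(OpenSSL \)\{0,1\}\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*[a-z]\{0,2\}\).*$/\2/p')
    [ -n "$v" ] || return 1
    nums=${v%%[a-z]*}
    letters=${v#"$nums"}
    rank=0
    while [ -n "$letters" ]; do
        rest=${letters#?}
        c=${letters%"$rest"}
        rank=$(( rank + $(printf '%d' "'$c") - 96 ))
        letters=$rest
    done
    printf '%s.%d\n' "$nums" "$rank"
}

# Exit 0 if $1 >= $2, 1 if older, 2 if either string has no version.
openssl_at_least() {
    a=$(openssl_ver_key "$1") || return 2
    b=$(openssl_ver_key "$2") || return 2
    lowest=$(printf '%s\n%s\n' "$a" "$b" |
        sort -t. -k1,1n -k2,2n -k3,3n -k4,4n | head -n 1)
    [ "$a" = "$b" ] || [ "$lowest" = "$b" ]
}

# One-line verdict for a banner, measured against 1.0.1h from the reply.
libssl_verdict() {
    rc=0
    openssl_at_least "$1" 1.0.1h || rc=$?
    case $rc in
        0) echo "ok: upstream 1.0.1h or newer" ;;
        1) echo "older: upgrade, or confirm the package changelog carries the fix" ;;
        *) echo "unknown: no x.y.z version found" ;;
    esac
}

# Constructed sample input: the banner quoted in the thread.
libssl_verdict 'OpenSSL 1.0.1 14 Mar 2012'
# Live check, using the library path shown in the thread:
# libssl_verdict "$(strings /lib/x86_64-linux-gnu/libssl.so.1.0.0 | grep '^OpenSSL ')"
```

Distribution packages often backport fixes without changing the upstream banner, so an "older" result means the package changelog still has to be checked for the fix, which is the second option the reply gives.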


