openssl 1.1.1e 14095126:SSL routines:ssl3_read_n
Maxim Dounin
mdounin at mdounin.ru
Fri Mar 20 12:59:37 UTC 2020
Hello!
On Fri, Mar 20, 2020 at 10:41:32AM +0300, Sergey Kandaurov wrote:
>
> > On 18 Mar 2020, at 14:17, itpp2012 <nginx-forum at forum.nginx.org> wrote:
> >
> > Logging getting swamped with:
> >
> > [crit] 1808#2740: *20747 SSL_read() failed (SSL: error:14095126:SSL
> > routines:ssl3_read_n:unexpected eof while reading) while keepalive
> >
> > Related to: https://github.com/openssl/openssl/issues/10880
> > and this commit:
> > https://github.com/openssl/openssl/commit/db943f43a60d1b5b1277e4b5317e8f288e7a0a3a
> >
> > Question: does this need to resolved in openssl or nginx ?
>
> So, they deliberately changed existing behaviour, known since
> at least OpenSSL 0.9.7, in the stable branch which should not
> be targeted (per their words) for introducing behaviour changes.
> That is unfortunate and beyond explanation.
>
> To simply shut up the crit, this would require such an ugly hack.
>
> diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
> --- a/src/event/ngx_event_openssl.c
> +++ b/src/event/ngx_event_openssl.c
> @@ -2301,7 +2301,13 @@ ngx_ssl_handle_recv(ngx_connection_t *c,
> c->ssl->no_wait_shutdown = 1;
> c->ssl->no_send_shutdown = 1;
>
> - if (sslerr == SSL_ERROR_ZERO_RETURN || ERR_peek_error() == 0) {
> + if (sslerr == SSL_ERROR_ZERO_RETURN || ERR_peek_error() == 0
> +#ifdef SSL_R_UNEXPECTED_EOF_WHILE_READING
> + || (sslerr == SSL_ERROR_SSL && ERR_GET_REASON(ERR_peek_error())
> + == SSL_R_UNEXPECTED_EOF_WHILE_READING)
> +#endif
> + )
> + {
> ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
> "peer shutdown SSL cleanly");
> return NGX_DONE;
I think a separate condition in an #ifdef might be preferred here,
probably with better debug logging as well.
--
Maxim Dounin
http://mdounin.ru/
More information about the nginx
mailing list