openssl 1.1.1e 14095126:SSL routines:ssl3_read_n

Maxim Dounin mdounin at mdounin.ru
Fri Mar 20 12:59:37 UTC 2020


Hello!

On Fri, Mar 20, 2020 at 10:41:32AM +0300, Sergey Kandaurov wrote:

> 
> > On 18 Mar 2020, at 14:17, itpp2012 <nginx-forum at forum.nginx.org> wrote:
> > 
> > Logging getting swamped with:
> > 
> > [crit] 1808#2740: *20747 SSL_read() failed (SSL: error:14095126:SSL
> > routines:ssl3_read_n:unexpected eof while reading) while keepalive
> > 
> > Related to: https://github.com/openssl/openssl/issues/10880
> > and this commit:
> > https://github.com/openssl/openssl/commit/db943f43a60d1b5b1277e4b5317e8f288e7a0a3a
> > 
> > Question: does this need to be resolved in openssl or nginx?
> 
> So, they deliberately changed existing behaviour, known since
> at least OpenSSL 0.9.7, in the stable branch which should not
> be targeted (per their words) for introducing behaviour changes.
> That is unfortunate and beyond explanation.
> 
> To simply shut up the crit, this would require such an ugly hack.
> 
> diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
> --- a/src/event/ngx_event_openssl.c
> +++ b/src/event/ngx_event_openssl.c
> @@ -2301,7 +2301,13 @@ ngx_ssl_handle_recv(ngx_connection_t *c,
>      c->ssl->no_wait_shutdown = 1;
>      c->ssl->no_send_shutdown = 1;
>  
> -    if (sslerr == SSL_ERROR_ZERO_RETURN || ERR_peek_error() == 0) {
> +    if (sslerr == SSL_ERROR_ZERO_RETURN || ERR_peek_error() == 0
> +#ifdef SSL_R_UNEXPECTED_EOF_WHILE_READING
> +        || (sslerr == SSL_ERROR_SSL && ERR_GET_REASON(ERR_peek_error())
> +                                       == SSL_R_UNEXPECTED_EOF_WHILE_READING)
> +#endif
> +       )
> +    {
>          ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
>                         "peer shutdown SSL cleanly");
>          return NGX_DONE;
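
Review bot: The added SSL_R_UNEXPECTED_EOF_WHILE_READING clause in the `if` condition sends a connection that ended without a close_notify into the branch that logs "peer shutdown SSL cleanly" and returns NGX_DONE, so the debug log can no longer distinguish a clean TLS shutdown from a truncated one. A separate `#ifdef SSL_R_UNEXPECTED_EOF_WHILE_READING` block after this `if`, with its own debug message saying the peer closed without close_notify, would keep that distinction and avoid splitting one condition with preprocessor directives. Also note that ERR_peek_error() does not remove the entry from the error queue: in the existing `ERR_peek_error() == 0` case the queue is empty when NGX_DONE is returned, but in the new case it is not, so confirm the queue is cleared before the next SSL call, otherwise the stale entry may be attributed to a later operation.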

I think a separate condition in an #ifdef might be preferred here, 
probably with better debug logging as well.

-- 
Maxim Dounin
http://mdounin.ru/

