SSL_read() failed on Nginx built with new OpenSSL 1.1.1e
pdh0710
nginx-forum at forum.nginx.org
Thu Mar 26 03:36:58 UTC 2020
(Please excuse my English)
I built Nginx 1.16.1 (the current stable version) with OpenSSL 1.1.1e (newly
released), PCRE 8.44 and Zlib 1.2.11.
However, sometimes (not always) the error log entries below are generated.
2020/03/26 09:53:19 [crit] 24020#24020: *6 SSL_read() failed (SSL:
error:14095126:SSL routines:ssl3_read_n:unexpected eof while reading) while
keepalive, client: 68.183.***.***, server: 0.0.0.0:443
The Nginx built with OpenSSL 1.1.1d does not generate the error logs. I
don't know how I can fix this problem.
Below are my Nginx build configuration and nginx.conf.
--*--*--*--*--*--
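# Build configuration from the report. Mail wrapping had split several option
# lines and dropped their trailing backslashes; the continuations are restored
# here so the whole thing runs as one ./configure invocation. Options and
# values are unchanged.
#
# Hardening carried by --with-cc-opt / --with-ld-opt: stack protector
# (-fstack-protector-strong), _FORTIFY_SOURCE=2, format-string warnings
# promoted to errors, a position-independent executable (-fPIE -pie) and
# full RELRO (-z relro -z now).
#
# --with-openssl, --with-pcre and --with-zlib point at source trees that nginx
# builds and links in statically, so a security fix in any of those libraries
# only reaches this binary after nginx itself is rebuilt.
# --with-openssl selects the OpenSSL version under test (1.1.1e), the one the
# report associates with the SSL_read() log entries.
./configure \
  --with-cc-opt='-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2' \
  --with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' \
  --prefix=/nginx --user=www-data --group=www-data \
  --error-log-path=/nginx/srv/nginx-error.log \
  --http-log-path=/nginx/srv/nginx-access.log \
  --pid-path=/nginx/srv/nginx.pid --lock-path=/nginx/srv/nginx.lock \
  --with-zlib=../zlib-1.2.11 --with-pcre=../pcre-8.44 \
  --with-openssl=../openssl-1.1.1e \
  --with-pcre-jit --with-file-aio --with-threads --with-http_v2_module \
  --without-http_uwsgi_module --without-http_scgi_module \
  --without-mail_pop3_module --without-mail_imap_module \
  --without-mail_smtp_module \
  --with-http_ssl_module --without-http_memcached_module \
  --with-http_gunzip_module --with-http_gzip_static_module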
--*--*--*--*--*--
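# nginx.conf from the report. Lines that mail wrapping had split (log_format,
# the "#ref" comment, error_page, add_header) are rejoined and the nesting is
# re-indented; directives and values are unchanged.
worker_processes auto;

events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;

    log_format main '$time_iso8601 $remote_addr $status $body_bytes_sent "$request" $remote_user "$http_referer" "$http_user_agent" "$http_x_forwarded_for"';

    # Keeps the nginx version out of the Server header and error pages.
    server_tokens off;

    client_max_body_size 10m;
    client_body_buffer_size 128k;

    # NOTE(review): these spool directories sit under world-writable /var/tmp;
    # confirm they are owned by the worker user and closed to other local
    # accounts.
    client_body_temp_path /var/tmp/ngx_client_body_temp;
    proxy_temp_path /var/tmp/ngx_proxy_temp;
    # NOTE(review): same directory as proxy_temp_path above; looks like a
    # copy-paste slip, confirm whether a separate fastcgi directory was meant.
    fastcgi_temp_path /var/tmp/ngx_proxy_temp;

    merge_slashes on;
    charset utf-8;
    tcp_nopush on;
    tcp_nodelay on;
    sendfile on;
    sendfile_max_chunk 1m;
    keepalive_timeout 70s;

    # NOTE(review): compressing TLS responses that mix secrets with
    # request-influenced input exposes a compression side channel (BREACH).
    # The content served below looks static; re-check before putting dynamic
    # backends behind this block.
    gzip on;
    gzip_comp_level 5;
    gzip_proxied any;
    gzip_min_length 1000;
    gzip_disable "MSIE [1-6]\.(?!.*SV1)";
    gzip_types text/plain text/css text/javascript application/javascript text/x-js application/json application/x-javascript application/octet-stream text/mathml text/xml application/xml application/atom+xml application/rss+xml;
    gzip_vary on;
    gzip_buffers 16 8k;

    server {
        server_name myserver.com;
        listen 443 ssl http2;
        # Overrides the http-level value with the same 70 seconds. The reported
        # SSL_read() entry was logged in the "while keepalive" state, i.e. on
        # an idle connection being held open by this timeout.
        keepalive_timeout 70;

        #ref : http://nginx.org/en/docs/http/configuring_https_servers.html
        ssl_certificate /etc/letsencrypt/live/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/privkey.pem;
        ssl_protocols TLSv1.2 TLSv1.3;
        # Governs TLS 1.2 and below only; TLS 1.3 suites are chosen separately
        # by OpenSSL.
        # NOTE(review): HIGH still admits CBC-mode and non-forward-secret RSA
        # key-exchange suites; an explicit ECDHE + AEAD list would be tighter.
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        # Resumption relies on the server-side shared cache only; tickets are
        # disabled below.
        ssl_session_cache shared:le_nginx_SSL:50m;
        ssl_session_timeout 1d;
        ssl_session_tickets off;
        # NOTE(review): P-256 (prime256v1) is absent, so a client offering only
        # that curve cannot complete an ECDHE handshake, and sect571r1 is a
        # binary curve few clients offer. Confirm the list is intentional.
        ssl_ecdh_curve X25519:sect571r1:secp521r1:secp384r1;
        # TLS 1.3 0-RTT: requests carried in early data can be replayed by a
        # network attacker. Tolerable for the idempotent static files served
        # here; anything state-changing must check $ssl_early_data and refuse
        # or defer such requests.
        ssl_early_data on;

        error_page 400 401 402 403 404 500 502 503 504 /err.html;

        location = /err.html {
            root /nginx/www;
            # NOTE(review): the cookie carries only the status code, but it is
            # set without the Secure attribute even though this server block
            # listens on TLS only.
            add_header Set-Cookie "ErrorCode=${status}; path=/;" always;
            # Reachable through error_page redirects only, not by direct
            # request.
            internal;
        }

        location / {
            root /nginx/www;
            index index.html;
            try_files $uri $uri/index.html =404;
            aio threads;

            # Static assets are served without access logging, so requests for
            # them leave no access-log trail.
            location ~ \.(css|js|ico|png|gif)$ {
                access_log off;
            }
        }
    }
}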
Posted at Nginx Forum: https://forum.nginx.org/read.php?2,287464,287464#msg-287464