SSL_read() failed on Nginx built with new OpenSSL 1.1.1e

pdh0710 nginx-forum at forum.nginx.org
Thu Mar 26 03:36:58 UTC 2020


(Please excuse my English)

I built Nginx 1.16.1 (current stable version) with OpenSSL 1.1.1e(newly
released), PCRE 8.44 and Zlib 1.2.11.
However, sometimes(not always) the below error logs are generated.


2020/03/26 09:53:19 [crit] 24020#24020: *6 SSL_read() failed (SSL:
error:14095126:SSL routines:ssl3_read_n:unexpected eof while reading) while
keepalive, client: 68.183.***.***, server: 0.0.0.0:443



The Nginx built with OpenSSL 1.1.1d does not generate the error logs. I
don't know how I can fix this problem.
Belows are my Nginx build configuration and nginx.conf.



--*--*--*--*--*--

./configure --with-cc-opt='-g -O2 -fPIE -fstack-protector-strong -Wformat
-Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2' \
--with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now'
\
--prefix=/nginx --user=www-data --group=www-data \
--error-log-path=/nginx/srv/nginx-error.log
--http-log-path=/nginx/srv/nginx-access.log \
--pid-path=/nginx/srv/nginx.pid --lock-path=/nginx/srv/nginx.lock \
--with-zlib=../zlib-1.2.11 --with-pcre=../pcre-8.44
--with-openssl=../openssl-1.1.1e \
--with-pcre-jit --with-file-aio --with-threads --with-http_v2_module \
--without-http_uwsgi_module --without-http_scgi_module \
--without-mail_pop3_module --without-mail_imap_module
--without-mail_smtp_module \
--with-http_ssl_module --without-http_memcached_module \
--with-http_gunzip_module --with-http_gzip_static_module



--*--*--*--*--*--

worker_processes  auto;
​
events {
       worker_connections      1024;
}
​
http {
       include         mime.types;
       default_type    application/octet-stream;
​
       log_format      main  '$time_iso8601 $remote_addr $status
$body_bytes_sent "$request" $remote_user "$http_referer" "$http_user_agent"
"$http_x_forwarded_for"';
​
       server_tokens off;
       client_max_body_size 10m;
       client_body_buffer_size 128k;
       client_body_temp_path /var/tmp/ngx_client_body_temp;
       proxy_temp_path /var/tmp/ngx_proxy_temp;
       fastcgi_temp_path /var/tmp/ngx_proxy_temp;
       merge_slashes on;
       charset utf-8;
       tcp_nopush      on;
       tcp_nodelay     on;
       sendfile        on;
       sendfile_max_chunk 1m;
       keepalive_timeout  70s;
​
       gzip  on;
       gzip_comp_level 5;
       gzip_proxied any;
       gzip_min_length 1000;
       gzip_disable "MSIE [1-6]\.(?!.*SV1)";
       gzip_types text/plain text/css text/javascript application/javascript
text/x-js application/json application/x-javascript application/octet-stream
text/mathml text/xml application/xml application/atom+xml
application/rss+xml;
       gzip_vary on;
       gzip_buffers 16 8k;
​
       server {
               server_name     myserver.com;
               listen  443 ssl http2;
               keepalive_timeout       70;
​
               #ref :
http://nginx.org/en/docs/http/configuring_https_servers.html
​
               ssl_certificate /etc/letsencrypt/live/fullchain.pem;
               ssl_certificate_key /etc/letsencrypt/live/privkey.pem;
               ssl_protocols   TLSv1.2 TLSv1.3;
               ssl_ciphers     HIGH:!aNULL:!MD5;
               ssl_prefer_server_ciphers on;
​
               ssl_session_cache shared:le_nginx_SSL:50m;
               ssl_session_timeout 1d;
               ssl_session_tickets off;
               ssl_ecdh_curve X25519:sect571r1:secp521r1:secp384r1;
               ssl_early_data on;
​
​
               error_page      400 401 402 403 404 500 502 503 504    
/err.html;
               location = /err.html {
                       root /nginx/www;
                       add_header Set-Cookie "ErrorCode=${status}; path=/;"
always;
                       internal;
               }
​
               location / {
                       root /nginx/www;
                       index index.html;
                       try_files $uri $uri/index.html =404;
                       aio threads;
​
                       location ~ \.(css|js|ico|png|gif)$ {
                               access_log off;
                       }
               }
       }
}

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,287464,287464#msg-287464



More information about the nginx mailing list