Nginx 0.5.35 ssl error

Tho_Nguyen · January 29, 2008, 8:39pm

I have nginx 0.5.35 on centos 5.1 with openssl 0.9.8b.

some of the error are similar to previous post regarding download on
ssl.

2008/01/29 13:23:33 [crit] 21470#0: *35748 SSL_write() failed (SSL:
error:1409F07F:SSL routines:SSL3_WRITE_PENDING:bad write retry) while
sending
to client, client: 172.23.75.21, server: agile.seating-intier.com,
request: “POST /Filemgr/VueServlet?172.23.65.132:5099 HTTP/1.1”,
upstream:
“http://172.23.65.131:8080/Filemgr/VueServlet?172.23.65.132:5099”,
host: “agile.seating-intier.com”
2008/01/29 13:24:35 [crit] 21461#0: *36006 SSL_write() failed (SSL:
error:1409F07F:SSL routines:SSL3_WRITE_PENDING:bad write retry) while
sending
to client, client: 172.23.75.21, server: agile.seating-intier.com,
request: “POST /Filemgr/VueServlet?172.23.65.132:5099 HTTP/1.1”,
upstream:
“http://172.23.65.131:8080/Filemgr/VueServlet?172.23.65.132:5099”,
host: “agile.seating-intier.com”
2008/01/29 13:50:37 [crit] 21466#0: *38294 SSL_do_handshake() failed
(SSL:
error:140943E8:SSL routines:SSL3_READ_BYTES:reason(1000)) while reading
client
request line, client: 172.23.75.135, server: agile.seating-intier.com
2008/01/29 13:50:37 [crit] 21466#0: *38295 SSL_do_handshake() failed
(SSL:
error:140943E8:SSL routines:SSL3_READ_BYTES:reason(1000)) while reading
client
request line, client: 172.23.75.135, server: agile.seating-intier.com

output from nginx -V

nginx -V

nginx version: nginx/0.5.35
built by gcc 4.1.2 20070626 (Red Hat 4.1.2-14)
configure arguments: --user=nginx --group=nginx
–prefix=/usr/share/nginx –
sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-
path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log
–http-
client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-
path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-
path=/var/lib/nginx/tmp/fastcgi --pid-path=/var/run/nginx.pid --lock-
path=/var/lock/subsys/nginx --with-http_ssl_module
–with-http_realip_module –
with-http_addition_module --with-http_sub_module --with-http_dav_module
–with-
http_flv_module --with-http_stub_status_module --with-http_perl_module
–with-
mail --with-mail_ssl_module --with-cc-opt=-O2 -g -pipe -Wall -Wp,-
D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector
–param=ssp-buffer-size=4 -
m32 -march=i386 -mtune=generic -fasynchronous-unwind-tables

Tho_Nguyen · January 29, 2008, 9:31pm

On Tue, Jan 29, 2008 at 07:14:51PM +0000, Tho Nguyen wrote:

2008/01/29 13:24:35 [crit] 21461#0: *36006 SSL_write() failed (SSL:
request line, client: 172.23.75.135, server: agile.seating-intier.com
path=/var/lib/nginx/tmp/fastcgi --pid-path=/var/run/nginx.pid --lock-
path=/var/lock/subsys/nginx --with-http_ssl_module --with-http_realip_module –
with-http_addition_module --with-http_sub_module --with-http_dav_module --with-
http_flv_module --with-http_stub_status_module --with-http_perl_module --with-
mail --with-mail_ssl_module --with-cc-opt=-O2 -g -pipe -Wall -Wp,-
D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -
m32 -march=i386 -mtune=generic -fasynchronous-unwind-tables

Try the attached patch.

Tho_Nguyen · January 29, 2008, 9:33pm

On Tue, Jan 29, 2008 at 07:14:51PM +0000, Tho Nguyen wrote:

I have nginx 0.5.35 on centos 5.1 with openssl 0.9.8b.

Is this a custom build of nginx 0.5.35 or one from the yum EPEL testing
repository?

If it is a custom build of nginx, try this one from the EPEL repository
and see if it works for you.

http://download.fedora.redhat.com/pub/epel/testing/5/x86_64/nginx-0.5.35-1.el5.x86_64.rpm

enjoy,

-jeremy

Tho_Nguyen · January 30, 2008, 3:42am

Jeremy H. <jeremy@…> writes:

http://download.fedora.redhat.com/pub/epel/testing/5/x86_64/nginx-0.5.35-
1.el5.x86_64.rpm

enjoy,

-jeremy

the rpm is nginx-0.5.34-1.el5.src.rpm. I updated it with 0.5.35 source.
The
rest of the files in the src rpm looks the same.

Tho_Nguyen · January 30, 2008, 4:11am

Igor S. <is@…> writes:

Try the attached patch.

I have applied the patch. Will tried to have it test on thursday.

Tho_Nguyen · January 30, 2008, 8:49pm

Tho Nguyen <tho.nguyen@…> writes:

Igor S. <is@…> writes:

Try the attached patch.

I have applied the patch. Will tried to have it test on thursday.

I can put the server back into production to see but with my limited
testing,
the patch seems to resolved the issue.

Thanks

Tho_Nguyen · February 4, 2008, 9:33pm

The patch seems to have resolved the SSL3_WRITE_PENDING:bad write retry
error.

The SSL3_READ_BYTES:reason(1000) error is still there.

2008/02/04 15:12:23 [crit] 11762#0: *22267 SSL_do_handshake() failed
(SSL:
error:140943E8:SSL routines:SSL3_READ_BYTES:reason(1000)) while reading
client
request line, client: 172.23.75.21, server: agile.seating-intier.com
2008/02/04 15:12:23 [crit] 11762#0: *22268 SSL_do_handshake() failed
(SSL:
error:140943E8:SSL routines:SSL3_READ_BYTES:reason(1000)) while reading
client
request line, client: 172.23.75.21, server: agile.seating-intier.com
2008/02/04 15:12:23 [crit] 11762#0: *22271 SSL_do_handshake() failed
(SSL:
error:140943E8:SSL routines:SSL3_READ_BYTES:reason(1000)) while reading
client
request line, client: 172.23.75.21, server: agile.seating-intier.com
2008/02/04 15:12:23 [crit] 11762#0: *22272 SSL_do_handshake() failed
(SSL:
error:140943E8:SSL routines:SSL3_READ_BYTES:reason(1000)) while reading
client
request line, client: 172.23.75.21, server: agile.seating-intier.com

Tho_Nguyen · February 5, 2008, 12:48pm

On Mon, Feb 04, 2008 at 08:20:12PM +0000, Tho Nguyen wrote:

The patch seems to have resolved the SSL3_WRITE_PENDING:bad write retry error.

OK.

request line, client: 172.23.75.21, server: agile.seating-intier.com
2008/02/04 15:12:23 [crit] 11762#0: *22272 SSL_do_handshake() failed (SSL:
error:140943E8:SSL routines:SSL3_READ_BYTES:reason(1000)) while reading client
request line, client: 172.23.75.21, server: agile.seating-intier.com

“reason(1000)” means that peer has sent a “close notify” alert while SSL
handshake. In next 0.6.x version I will decrease this and some other
handshake errors at info level.