Significant increase in number of connections after renewing SSL certificate

Server NGINX
#1

Hello. We recently renewed our SSL certificate. After reloading nginx
the
number of connections increased significantly even if the number of
requests
remained the same.

Trying out the debug log there are a lot of entries similar to the
following:
accept: 153.185.223.172:59011 fd:5
event timer add: 5: 60000:1409550689995
reusable connection: 1
epoll add event: fd:5 op:1 ev:80002001
post event 00007FF5AB84F280
delete posted event 00007FF5AB84F280
http check ssl handshake
http recv(): 1
https ssl handshake: 0x80
SSL_do_handshake: -1
SSL_get_error: 2
reusable connection: 0
post event 00007FF5AB84F280
delete posted event 00007FF5AB84F280
SSL handshake handler: 0
SSL_do_handshake: 0
SSL_get_error: 1
SSL_do_handshake() failed (SSL: error:1409441B:SSL
routines:SSL3_READ_BYTES:tlsv1 alert decrypt error:SSL alert number 51)
while SSL handshaking, client: 153.185.223.172, server: 0.0.0.0:443
close http connection: 5
SSL_shutdown: 1
event timer del: 5: 1409550689995
reusable connection: 0
free: 0000000001DE0DF0, unused: 0
free: 0000000001E15510, unused: 136

Our SSL certificate is a Positive SSL Wildcard from Comodo.

Output of nginx -V:
nginx version: openresty/1.7.2.1
built by gcc 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5)
TLS SNI support enabled
configure arguments: --prefix=/usr/local/openresty/nginx --with-debug
–with-cc-opt=’-DNGX_LUA_USE_ASSERT -DNGX_LUA_ABORT_AT_PANIC’
–add-module=…/ngx_devel_kit-0.2.19
–add-module=…/echo-nginx-module-0.54
–add-module=…/xss-nginx-module-0.04 --add-module=…/ngx_coolkit-0.2rc1
–add-module=…/set-misc-nginx-module-0.24
–add-module=…/form-input-nginx-module-0.09
–add-module=…/encrypted-session-nginx-module-0.03
–add-module=…/srcache-nginx-module-0.28 --add-module=…/ngx_lua-0.9.10
–add-module=…/ngx_lua_upstream-0.02
–add-module=…/headers-more-nginx-module-0.25
–add-module=…/array-var-nginx-module-0.03
–add-module=…/memc-nginx-module-0.15
–add-module=…/redis2-nginx-module-0.11
–add-module=…/redis-nginx-module-0.3.7
–add-module=…/rds-json-nginx-module-0.13
–add-module=…/rds-csv-nginx-module-0.05
–with-ld-opt=-Wl,-rpath,/usr/local/openresty/luajit/lib
–with-http_stub_status_module --with-http_ssl_module

Link to the debug log, with some lines removed for privacy:
http://goo.gl/xsJfNz.

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,252972,252972#msg-252972

#2

Hi,

Hello. We recently renewed our SSL certificate. After reloading nginx the
number of connections increased significantly even if the number of requests
remained the same.

Does ssltest [1] show any chain issues? Any other warnings from that
report?

Regards,

Lukas

[1] https://www.ssllabs.com/ssltest/

#3

Hello.

No, our site’s grade is A. Our server is still processing requests
correctly, so some of the requests succeed but most have an SSL error.

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,252972,252974#msg-252974

#4

Hello.

No, our site’s grade is A.

Grade is irrelevant. Does it have chain issues or not (read: does
ssltest
report “chain issues: none”)?

#5

To add more information, we have the chain issue “Chain issues: Contains
anchor”. But removing it does not help.

Some more details:
https://prtsc.io/g4QVsY3PUY
https://prtsc.io/FmMCjDao4p
https://prtsc.io/WZksyPXucM

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,252972,252975#msg-252975

#6

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

What kind of ciphers do you use? Could you paste your ciphers
configuration there?

On 9/1/2014 14:11, lpugoy wrote:

[email protected] http://mailman.nginx.org/mailman/listinfo/nginx

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iQEcBAEBAgAGBQJUBBztAAoJEF1+odKB6YIxbO8H/iZ0USYpY8JACU2ZofHRTLf0
DOyODVmJViWP8vGzloDTlHbKxIBB8JBtFwTQcqfaGLDO8/GlS1HmW1FqZLDgrMSO
7Xd5VyuVjaGGbCuB06+3USWJw+Ge4Xg9ZE+KgD8Vt5pbkZy0VtUZCJKhzJXMEYuZ
AThRy33tMuJfUF9zMwdqYMY/zbdtWJnkqOWqMptp/7x+zWG97B+Il9MrQIbjcnyb
VsTJiMNOsD5q9N+8Uiozy3RKngxI5rnEWuRnFoloHdoP1ipOyUIM09A/OxFetHWA
lp9rtihR8FCJB/BikpwHcMFzXGx/Q1x9Z9CJkgwrUEAB7jicaZODVHjtqi1G1xc=
=hFo0
-----END PGP SIGNATURE-----

#7

What kind of ciphers do you use? Could you paste your ciphers
configuration there?

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers “EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384
EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4
EECDH
EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS”;

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,252972,252978#msg-252978