SSL_shutdown() failed (SSL:) while proxying

I am testing 0.5.35 as a replacement for my perdition IMAP/POP3
proxies. I fed a bit of real traffic to nginx today and within a
few seconds I see SSL_shutdown errors in the logs. Nothing in
testing produced that error but it is 100% repeatable. It looks
to me to be a bogus error message.

FreeBSD 4.11 and openssl 0.9.8g.

openssl s_client -connect localhost:995

+OK POP3 ready
quit
+OK
closed

2008/01/17 19:08:51 [debug] 75716#0: *1 malloc: 080D4F00:256
2008/01/17 19:08:51 [debug] 75716#0: *1 pop3 auth state
2008/01/17 19:08:51 [debug] 75716#0: *1 SSL_read: 5
2008/01/17 19:08:51 [debug] 75716#0: *1 SSL_read: -1
2008/01/17 19:08:51 [debug] 75716#0: *1 SSL_get_error: 2
2008/01/17 19:08:51 [debug] 75716#0: *1 SSL to write: 5
2008/01/17 19:08:51 [debug] 75716#0: *1 SSL_write: 5
2008/01/17 19:08:51 [debug] 75716#0: *1 close mail connection: 12
2008/01/17 19:08:51 [debug] 75716#0: *1 SSL_shutdown: 0
2008/01/17 19:08:51 [debug] 75716#0: *1 SSL_get_error: 5
2008/01/17 19:08:51 [crit] 75716#0: *1 SSL_shutdown() failed (SSL:)
while in auth state, client: 127.0.0.1, server: 127.0.0.1:995

SSL_set_shutdown() is called with mode == 0. n == 5 after
SSL_get_error()
as is sslerr logged above. ngx_errno (errno) == 0.

It seems like this is a non error condition. I’m silencing the
message with this bit of code in ngx_ssl_shutdown():1039

err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0;

if (err == 0)
{
    SSL_free(c->ssl->connection);
    c->ssl = NULL;

    return NGX_OK;
}

IMAP/POP3 starttls and pure SSL sessions work just fine. That’s
what makes me think this is a bogus message. Could this error be
the symptom of a problem elsewhere?

On Thu, Jan 17, 2008 at 07:41:49PM -0500, John Capo wrote:

+OK POP3 ready
2008/01/17 19:08:51 [debug] 75716#0: *1 SSL_write: 5

IMAP/POP3 starttls and pure SSL sessions work just fine. That’s
what makes me think this is a bogus message. Could this error be
the symptom of a problem elsewhere?

The attached patch should fix the message.

Quoting Igor S. ([email protected]):

openssl s_client -connect localhost:995
2008/01/17 19:08:51 [debug] 75716#0: *1 SSL_get_error: 2
It seems like this is a non error condition. I’m silencing the
}

IMAP/POP3 starttls and pure SSL sessions work just fine. That’s
what makes me think this is a bogus message. Could this error be
the symptom of a problem elsewhere?

The attached patch should fix the message.

I’ll send this again with the correct sender address :frowning:

The patch does silence the message.

John Capo
Tuffmail.com


Igor S.
http://sysoev.ru/en/

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs