Forum: NGINX Significant increase in number of connections after renewing SSL certificate

lpugoy (Guest)
on 2014-09-01 08:20
(Received via mailing list)
Hello. We recently renewed our SSL certificate. After reloading nginx the number of connections increased significantly even though the number of requests remained the same.

Looking at the debug log, there are a lot of entries similar to the following:
accept: 153.185.223.172:59011 fd:5
event timer add: 5: 60000:1409550689995
reusable connection: 1
epoll add event: fd:5 op:1 ev:80002001
post event 00007FF5AB84F280
delete posted event 00007FF5AB84F280
http check ssl handshake
http recv(): 1
https ssl handshake: 0x80
SSL_do_handshake: -1
SSL_get_error: 2
reusable connection: 0
post event 00007FF5AB84F280
delete posted event 00007FF5AB84F280
SSL handshake handler: 0
SSL_do_handshake: 0
SSL_get_error: 1
SSL_do_handshake() failed (SSL: error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt error:SSL alert number 51) while SSL handshaking, client: 153.185.223.172, server: 0.0.0.0:443
close http connection: 5
SSL_shutdown: 1
event timer del: 5: 1409550689995
reusable connection: 0
free: 0000000001DE0DF0, unused: 0
free: 0000000001E15510, unused: 136

Our SSL certificate is a Positive SSL Wildcard from Comodo.

Output of nginx -V:
nginx version: openresty/1.7.2.1
built by gcc 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5)
TLS SNI support enabled
configure arguments: --prefix=/usr/local/openresty/nginx --with-debug
--with-cc-opt='-DNGX_LUA_USE_ASSERT -DNGX_LUA_ABORT_AT_PANIC'
--add-module=../ngx_devel_kit-0.2.19
--add-module=../echo-nginx-module-0.54
--add-module=../xss-nginx-module-0.04 --add-module=../ngx_coolkit-0.2rc1
--add-module=../set-misc-nginx-module-0.24
--add-module=../form-input-nginx-module-0.09
--add-module=../encrypted-session-nginx-module-0.03
--add-module=../srcache-nginx-module-0.28 --add-module=../ngx_lua-0.9.10
--add-module=../ngx_lua_upstream-0.02
--add-module=../headers-more-nginx-module-0.25
--add-module=../array-var-nginx-module-0.03
--add-module=../memc-nginx-module-0.15
--add-module=../redis2-nginx-module-0.11
--add-module=../redis-nginx-module-0.3.7
--add-module=../rds-json-nginx-module-0.13
--add-module=../rds-csv-nginx-module-0.05
--with-ld-opt=-Wl,-rpath,/usr/local/openresty/luajit/lib
--with-http_stub_status_module --with-http_ssl_module

Link to the debug log, with some lines removed for privacy:
http://goo.gl/xsJfNz.

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,252972,252972#msg-252972
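Added here as an illustration, not code from the poster or from nginx: a small Python parser for the debug-log format quoted above that counts accepted connections against failed handshakes per client and tallies the TLS alert numbers, so the "more connections, same requests" symptom can be measured rather than eyeballed. The log lines embedded in the block are constructed after the post's format (the poster's real log is not reproduced); alert names follow RFC 5246 section 7.2, and one "accept:" line per connection is assumed.

```python
import re
from collections import Counter

# Constructed sample in the shape of the nginx debug log quoted in the post.
# A real log carries a "2014/09/01 ... [debug] pid#tid: *conn " prefix, which
# the regexes below tolerate because they use search() rather than match().
SAMPLE_LOG = """\
accept: 153.185.223.172:59011 fd:5
http check ssl handshake
SSL_do_handshake: -1
SSL_get_error: 2
SSL_do_handshake: 0
SSL_get_error: 1
SSL_do_handshake() failed (SSL: error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt error:SSL alert number 51) while SSL handshaking, client: 153.185.223.172, server: 0.0.0.0:443
close http connection: 5
accept: 198.51.100.7:40022 fd:6
http check ssl handshake
SSL_do_handshake: 1
accept: 153.185.223.172:59012 fd:7
SSL_do_handshake() failed (SSL: error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt error:SSL alert number 51) while SSL handshaking, client: 153.185.223.172, server: 0.0.0.0:443
"""

ACCEPT_RE = re.compile(r"\baccept: (?P<ip>[\d.]+):\d+ fd:\d+")
FAIL_RE = re.compile(
    r"SSL_do_handshake\(\) failed .*?SSL alert number (?P<alert>\d+)\).*?client: (?P<ip>[\d.]+)"
)

# TLS alert descriptions from RFC 5246 section 7.2 (subset relevant to cert problems).
ALERT_NAMES = {40: "handshake_failure", 42: "bad_certificate", 46: "certificate_unknown",
               48: "unknown_ca", 51: "decrypt_error"}


def summarize_handshakes(log_text):
    """Count accepted connections and handshake failures (per client, per alert)."""
    accepted, failed, alerts = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            accepted[m.group("ip")] += 1
            continue
        m = FAIL_RE.search(line)
        if m:
            failed[m.group("ip")] += 1
            alerts[int(m.group("alert"))] += 1
    total = sum(accepted.values())
    return {
        "accepted": total,
        "failed": sum(failed.values()),
        "failure_ratio": (sum(failed.values()) / total) if total else 0.0,
        "failed_by_client": dict(failed),
        "alerts": {f"{n} ({ALERT_NAMES.get(n, 'unknown')})": c for n, c in alerts.items()},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize_handshakes(SAMPLE_LOG), indent=2))
```

A failure ratio near 1.0 dominated by a single alert number, as in the sample, points at the server's certificate or key rather than at individual clients; alert 51 (decrypt_error) is the client reporting that a handshake cryptographic check, such as a signature verification, failed.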
Lukas Tribus (Guest)
on 2014-09-01 08:40
(Received via mailing list)
Hi,


> Hello. We recently renewed our SSL certificate. After reloading nginx the
> number of connections increased significantly even if the number of requests
> remained the same.


Does ssltest [1] show any chain issues? Any other warnings from that report?



Regards,

Lukas


[1] https://www.ssllabs.com/ssltest/
lpugoy (Guest)
on 2014-09-01 09:05
(Received via mailing list)
Hello.

No, our site's grade is A. Our server is still processing requests
correctly, so some of the requests succeed but most have an SSL error.

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,252972,252974#msg-252974
Lukas Tribus (Guest)
on 2014-09-01 09:11
(Received via mailing list)
> Hello.
>
> No, our site's grade is A.


Grade is irrelevant. Does it have chain issues or not (read: does ssltest report "chain issues: none")?
lpugoy (Guest)
on 2014-09-01 09:11
(Received via mailing list)
To add more information, we have the chain issue "Chain issues: Contains anchor". But removing it does not help.

Some more details:
https://prtsc.io/g4QVsY3PUY
https://prtsc.io/FmMCjDao4p
https://prtsc.io/WZksyPXucM

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,252972,252975#msg-252975
Dewangga (Guest)
on 2014-09-01 09:15
(Received via mailing list)

Hi,

What kind of ciphers do you use? Could you paste your ciphers
configuration there?

lpugoy (Guest)
on 2014-09-01 09:20
(Received via mailing list)
> What kind of ciphers do you use? Could you paste your ciphers
> configuration there?

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,252972,252978#msg-252978