SSL_read() failed on Nginx built with new OpenSSL 1.1.1e


SSL_read() failed on Nginx built with new OpenSSL 1.1.1e

redflag
(Please excuse my English)

I built Nginx 1.16.1 (current stable version) with OpenSSL 1.1.1e (newly
released), PCRE 8.44 and Zlib 1.2.11.
However, sometimes (not always) the below error logs are generated.


2020/03/26 09:53:19 [crit] 24020#24020: *6 SSL_read() failed (SSL: error:14095126:SSL routines:ssl3_read_n:unexpected eof while reading) while keepalive, client: 68.183.***.***, server: 0.0.0.0:443



The Nginx built with OpenSSL 1.1.1d does not generate the error logs. I
don't know how I can fix this problem.
Below are my Nginx build configuration and nginx.conf.



--*--*--*--*--*--

./configure --with-cc-opt='-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2' \
    --with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' \
    --prefix=/nginx --user=www-data --group=www-data \
    --error-log-path=/nginx/srv/nginx-error.log \
    --http-log-path=/nginx/srv/nginx-access.log \
    --pid-path=/nginx/srv/nginx.pid --lock-path=/nginx/srv/nginx.lock \
    --with-zlib=../zlib-1.2.11 --with-pcre=../pcre-8.44 \
    --with-openssl=../openssl-1.1.1e \
    --with-pcre-jit --with-file-aio --with-threads --with-http_v2_module \
    --without-http_uwsgi_module --without-http_scgi_module \
    --without-mail_pop3_module --without-mail_imap_module \
    --without-mail_smtp_module \
    --with-http_ssl_module --without-http_memcached_module \
    --with-http_gunzip_module --with-http_gzip_static_module



--*--*--*--*--*--

worker_processes  auto;

events {
       worker_connections      1024;
}

http {
       include         mime.types;
       default_type    application/octet-stream;

       log_format      main  '$time_iso8601 $remote_addr $status $body_bytes_sent "$request" '
                             '$remote_user "$http_referer" "$http_user_agent" "$http_x_forwarded_for"';

       server_tokens off;
       client_max_body_size 10m;
       client_body_buffer_size 128k;
       client_body_temp_path /var/tmp/ngx_client_body_temp;
       proxy_temp_path /var/tmp/ngx_proxy_temp;
       fastcgi_temp_path /var/tmp/ngx_proxy_temp;
       merge_slashes on;
       charset utf-8;
       tcp_nopush      on;
       tcp_nodelay     on;
       sendfile        on;
       sendfile_max_chunk 1m;
       keepalive_timeout  70s;

       gzip  on;
       gzip_comp_level 5;
       gzip_proxied any;
       gzip_min_length 1000;
       gzip_disable "MSIE [1-6]\.(?!.*SV1)";
       gzip_types text/plain text/css text/javascript application/javascript
                  text/x-js application/json application/x-javascript application/octet-stream
                  text/mathml text/xml application/xml application/atom+xml
                  application/rss+xml;
       gzip_vary on;
       gzip_buffers 16 8k;

       server {
               server_name     myserver.com;
               listen  443 ssl http2;
               keepalive_timeout       70;

               # ref: http://nginx.org/en/docs/http/configuring_https_servers.html

               ssl_certificate /etc/letsencrypt/live/fullchain.pem;
               ssl_certificate_key /etc/letsencrypt/live/privkey.pem;
               ssl_protocols   TLSv1.2 TLSv1.3;
               ssl_ciphers     HIGH:!aNULL:!MD5;
               ssl_prefer_server_ciphers on;

               ssl_session_cache shared:le_nginx_SSL:50m;
               ssl_session_timeout 1d;
               ssl_session_tickets off;
               ssl_ecdh_curve X25519:sect571r1:secp521r1:secp384r1;
               ssl_early_data on;

               error_page      400 401 402 403 404 500 502 503 504    /err.html;
               location = /err.html {
                       root /nginx/www;
                       add_header Set-Cookie "ErrorCode=${status}; path=/;" always;
                       internal;
               }

               location / {
                       root /nginx/www;
                       index index.html;
                       try_files $uri $uri/index.html =404;
                       aio threads;

                       location ~ \.(css|js|ico|png|gif)$ {
                               access_log off;
                       }
               }
       }
}

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,287464,287464#msg-287464

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx
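The log line in the post is OpenSSL reporting that a client closed the TCP connection without sending a TLS close_notify alert, and nginx logging it as a failed SSL_read() on an idle keepalive connection. Before deciding whether to revert a patch, an operator usually wants to know how much of the error log is this one reason string versus genuine TLS failures. The following triage script is an added example, not code from the thread or from nginx: it parses nginx error-log lines, pulls the OpenSSL error tuple (code, library, function, reason) out of SSL_*() failure messages, separates the "unexpected eof while reading" events on keepalive connections from other SSL errors, and counts the EOF events per client. The first sample line is the one the poster reported (IP masked as posted); the other sample lines, the "wrong version number" handshake failure, the client addresses and the category names are constructed for the example. Treating keepalive EOFs as benign is the operator's judgement, consistent with the thread, not something nginx decides.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# nginx error-log shape:
#   YYYY/MM/DD HH:MM:SS [level] pid#tid: *conn message, client: X, server: Y
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] "
    r"(?P<pid>\d+)#(?P<tid>\d+): (?:\*(?P<conn>\d+) )?(?P<msg>.*?)"
    r"(?:, client: (?P<client>[^,]+))?(?:, server: (?P<server>[^,]+))?$"
)
# OpenSSL error tuple as nginx embeds it: error:<code>:<lib>:<func>:<reason>
SSL_ERR_RE = re.compile(
    r"(?P<call>SSL_\w+)\(\) failed \(SSL: error:(?P<code>[0-9A-Fa-f]+):"
    r"(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>[^)]+)\)(?: while (?P<phase>.+))?"
)
# Reason string from the thread: peer closed TCP without a close_notify alert.
UNEXPECTED_EOF = "unexpected eof while reading"

# Constructed sample log (line 1 is the poster's line; the rest are made up).
SAMPLE_LINES = [
    "2020/03/26 09:53:19 [crit] 24020#24020: *6 SSL_read() failed (SSL: error:14095126:SSL routines:ssl3_read_n:unexpected eof while reading) while keepalive, client: 68.183.***.***, server: 0.0.0.0:443",
    "2020/03/26 09:54:02 [crit] 24020#24020: *9 SSL_read() failed (SSL: error:14095126:SSL routines:ssl3_read_n:unexpected eof while reading) while keepalive, client: 203.0.113.7, server: 0.0.0.0:443",
    "2020/03/26 09:55:41 [crit] 24021#24021: *12 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking, client: 203.0.113.7, server: 0.0.0.0:443",
    "2020/03/26 09:56:10 [crit] 24020#24020: *15 SSL_read() failed (SSL: error:14095126:SSL routines:ssl3_read_n:unexpected eof while reading) while reading client request headers, client: 198.51.100.9, server: 0.0.0.0:443",
    '2020/03/26 09:57:00 [error] 24020#24020: *18 open() "/nginx/www/missing.html" failed (2: No such file or directory), client: 198.51.100.9, server: myserver.com, request: "GET /missing.html HTTP/2.0", host: "myserver.com"',
]


@dataclass
class SslEvent:
    ts: str
    level: str
    conn: Optional[int]
    call: str       # SSL_read, SSL_do_handshake, ...
    code: str       # OpenSSL packed error code, e.g. 14095126
    func: str       # OpenSSL function, e.g. ssl3_read_n
    reason: str     # OpenSSL reason string
    phase: Optional[str]   # nginx action, e.g. "keepalive"
    client: Optional[str]
    server: Optional[str]


def parse_line(line: str) -> Optional[SslEvent]:
    """Return an SslEvent for an SSL_*() failure line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    e = SSL_ERR_RE.search(m.group("msg"))
    if not e:
        return None   # not an OpenSSL error (e.g. a plain open() failure)
    conn = int(m.group("conn")) if m.group("conn") else None
    return SslEvent(m.group("ts"), m.group("level"), conn, e.group("call"),
                    e.group("code"), e.group("func"), e.group("reason"),
                    e.group("phase"), m.group("client"), m.group("server"))


def classify(ev: SslEvent) -> str:
    """Category names are this example's own convention (hypothetical)."""
    if ev.reason == UNEXPECTED_EOF and ev.phase == "keepalive":
        return "ragged-eof-keepalive"   # idle connection dropped without close_notify
    if ev.reason == UNEXPECTED_EOF:
        return "ragged-eof"             # EOF mid-request: worth a closer look
    return "ssl-error"                  # any other OpenSSL failure


def triage(lines: List[str]) -> dict:
    """Summarise SSL failures: counts per category, EOF count per client, and the rest."""
    summary = {"parsed": 0, "by_category": Counter(),
               "ragged_eof_clients": Counter(), "other_ssl": []}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        summary["parsed"] += 1
        cat = classify(ev)
        summary["by_category"][cat] += 1
        if cat.startswith("ragged-eof"):
            summary["ragged_eof_clients"][ev.client or "?"] += 1
        else:
            summary["other_ssl"].append(f"{ev.ts} {ev.client} {ev.func}:{ev.reason}")
    return summary


if __name__ == "__main__":
    s = triage(SAMPLE_LINES)
    print("SSL failure lines:", s["parsed"])
    for cat, n in s["by_category"].most_common():
        print(f"  {cat}: {n}")
    print("unexpected-EOF events per client:", dict(s["ragged_eof_clients"]))
    for item in s["other_ssl"]:
        print("  other SSL error:", item)
```

Run it against a real error log with `triage(open(path).readlines())`; if nearly everything lands in `ragged-eof-keepalive`, the noise is the 1.1.1e EOF behaviour the thread discusses, whereas a growing `other_ssl` list or EOFs concentrated in one client during request reads deserves separate investigation.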

Re: SSL_read() failed on Nginx built with new OpenSSL 1.1.1e

redflag
See https://forum.nginx.org/read.php?2,287377
Revert back to 1.1.1d

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,287464,287466#msg-287466


RE: SSL_read() failed on Nginx built with new OpenSSL 1.1.1e

Reinis Rozitis
In reply to this post by redflag
> The Nginx built with OpenSSL 1.1.1d does not generate the error logs. I don't
> know how I can fix this problem.
> Below are my Nginx build configuration and nginx.conf.

I'm using 1.1.1e but with reverted EOF patch (so far haven't seen any issues and it seems they are going to revert it anyways):

cd openssl-1.1.1e
wget https://patch-diff.githubusercontent.com/raw/openssl/openssl/pull/10882.patch
patch -R -p1 < 10882.patch

then recompile nginx


rr


Re: RE: SSL_read() failed on Nginx built with new OpenSSL 1.1.1e

redflag
> cd openssl-1.1.1e
> wget https://patch-diff.githubusercontent.com/raw/openssl/openssl/pull/10882.patch
> patch -R -p1 < 10882.patch
>
> then recompile nginx

Thank you. This solution fixes the problem.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,287464,287473#msg-287473
