Thank you very much, overlooked your email due to filters, sorry for delay. I am very happy to help, sure I would accept a patch. Server is available from outside world but is not heavily used — we don't point load to it because of these SSL errors.
By the way, I am using default haproxy-devel port in FreeBSD tree, so http://haproxy.1wt.eu/download/1.5/src/devel/haproxy-1.5-dev17.tar.gz source is being used.

On Wed, Feb 6, 2013 at 10:56 AM, Willy Tarreau <[email protected]> wrote:
> Hello Samat,
>
> On Tue, Feb 05, 2013 at 12:39:20PM +0400, Samat Galimov wrote:
> > Hello,
> >
> > I have very strange behaviour of HA-Proxy version 1.5-dev17 2012/12/28 on
> > FreeBSD 9.0-Stable
> >
> > % openssl s_client -debug -servername dharma.zvq.me -connect
> > dharma.zvq.me:443 /usr/local/etc
> > CONNECTED(00000003)
> > write to 0x801407160 [0x801525000] (128 bytes => 128 (0x80))
> > 0000 - 16 03 01 00 7b 01 00 00-77 03 01 51 10 6a 26 66 ....{...w..Q.j&f
> > 0010 - e8 2b 77 63 f9 ea 25 e8-b7 cb 51 84 0a d7 0d 7c .+wc..%...Q???.|
> > 0020 - 58 2c 32 6f 0f 54 94 c6-29 57 c4 00 00 34 00 39 X,2o.T..)W???4.9
> > 0030 - 00 38 00 35 00 88 00 87-00 84 00 16 00 13 00 0a .8.5......??????
> > 0040 - 00 33 00 32 00 2f 00 45-00 44 00 41 00 05 00 04 .3.2./.E.D.A???.
> > 0050 - 00 15 00 12 00 09 00 14-00 11 00 08 00 06 00 03 .........??????.
> > 0060 - 00 ff 01 00 00 1a 00 00-00 12 00 10 00 00 0d 64 .........??????d
> > 0070 - 68 61 72 6d 61 2e 7a 76-71 2e 6d 65 00 23 harma.zvq.me.#
> > 0080 - <SPACES/NULS>
> > read from 0x801407160 [0x801577000] (7 bytes => 0 (0x0))
> > 42642:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
> > > failure:/mnt/jq032hgn/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_lib.c:182:
> > OpenSSL is 0.9.8q 2 Dec 2010
> >
> > It randomly gives such a weird error, 50% chance, as I see.
>
> Are you the only one to access this service or is it in production and
> used by other people ? I'm asking because we had a similar report a few
> weeks ago of 0.9.8 on solaris experiencing random errors, and we suspected
> that the error queue was probably sometimes filled by some SSL calls
> without returning an error, and thus was not flushed.
>
> Would you accept to try a patch ? We have one to change the behaviour
> that we have still not merged due to the lack of testers experiencing
> the issue !
>
> > On server side (i run haproxy with -d) i get:
> > 0000000c:https.accept(0005)=0007 from [5.9.11.40:43423]
> > 0000000c:https.clicls[0007:0008]
> > 0000000c:https.closed[0007:0008]
> >
> > Here is my config:
> (...)
>
> I see nothing wrong in your configuration, and a config should not cause
> a random behaviour anyway. Also you're not in a chroot so it cannot be
> caused by a lack of entropy caused by the inability to access /dev/urandom.
>
> Willy
>

