Hello!

On Mon, Oct 21, 2013 at 11:57:34AM -0700, Piotr Sikora wrote:

> Hey,
>
> > Looks like a regression in OpenSSL 1.0.0+. I'm able to reproduce
> > the problem with OpenSSL 1.0.0 and more recent versions, including
> > recent git snapshot, but everything is fine with OpenSSL 0.9.8y
> > and previous versions.
> >
> > Bisection on OpenSSL 1.0.0 branch may be helpful to trace the
> > exact cause.
>
> I've looked a bit into this over the weekend and it seems that it's
> being triggered by use of both: reading ahead and releasing buffers
> (introduced in OpenSSL-1.0.0, hence the regression) on the client side
> with upstream buffering off (I wasn't able to reproduce it with
> upstream buffering on, but that might be just because it's harder to
> trigger, as OpenSSL code path is effectively the same in both cases).
>
> I don't think that we're affected on the server side (which would
> actually suggest nginx bug), so the work-around for the issue (at
> least for the time being) is to stop releasing buffers when nginx acts
> as a client. I'm a bit tempted to do it only for the case with
> buffering turned off, but from looking at the code I can't tell why it
> would make a difference.

While I tend to think that the problem is indeed related to
SSL_MODE_RELEASE_BUFFERS I don't see any reasons why the server side
shouldn't be affected. Could you please point out why you think so?

In any case I don't think we should commit any workarounds before
the problem is at least understood. Trivial mitigation for the
errors observed so far would be to switch proxy_buffering back to
on, as by default, and/or use larger buffers.

--
Maxim Dounin
http://nginx.org/en/donation.html