Hello! On Sun, Apr 19, 2015 at 06:08:35PM -0400, rPawel wrote:
> Hi Guys, > > I posted originally my issue on askubuntu but I think this will be a better > place > > http://askubuntu.com/questions/611418/intermittent-ssl-handshake-issues-on-ubuntu-12-04-and-nginx. > > Original post > -------------------------------- > > # In simple terms > > I am having issues with https handshakes. I am currently using nginx but it > is most likely not an nginx issue. > > # Behaviour > > Web clients such as browsers will sometimes present "SSL connection error" > (Chrome) > > Apache benchmark will spit out several error lines and will report around > 1-10% failures. Errors below will appear in random order but the first one > is more common. > > (1) Benchmarking mysite.net (be patient)...SSL read failed (1) - closing > connection > 128494120003296:error:1408F119:SSL routines:SSL3_GET_RECORD:decryption > failed or bad record mac:s3_pkt.c:486: > > (2) SSL read failed (1) - closing connection > 128494120003296:error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad > record mac:s3_pkt.c:1262:SSL alert number 20 > > # Server setup > Ubuntu: > > Ubuntu 12.04 64bit with all updates and patches installed, server > restarted. > Nginx: > > nginx/1.6.3 - from nginx.org (deb http://nginx.org/packages/ubuntu/ precise > nginx) > > OpenSSL dynamically linked: > > # ldd `which nginx` | grep ssl > libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 > (0x00007f3065569000) > > # strings /lib/x86_64-linux-gnu/libssl.so.1.0.0 | grep "^OpenSSL " > OpenSSL 1.0.1 14 Mar 2012 > > Nginx server config (with limited cyphers) > OpenSSL: > > 1.0.1 14 Mar 2012 > > #dpkg -s libssl1.0.0 > Version: 1.0.1-4ubuntu5.25 This looks similar to this ticket (turned out to be a bug in OpenSSL, see comments for details): http://trac.nginx.org/nginx/ticket/215 Try upgrading to OpenSSL 1.0.1h or newer to see if it helps. Alternatively, make sure the OpenSSL package you are using includes the fix in question. [...] -- Maxim Dounin http://nginx.org/ _______________________________________________ nginx mailing list [email protected] http://mailman.nginx.org/mailman/listinfo/nginx
