Hi Maxim,

On 3/26/2012 12:47 PM, Maxim Dounin wrote:
> As already suggested - you may build nginx with any particular
> openssl version statically, by using --with-openssl= configure
> argument.

I followed your advice and built a backlevel RPM for libcripto.so6 and
libssl.so6 so none of the deps are broken in CentOS 5. Then, I built the
OpenSSL 1.0.1 RPM's and rebuilt Nginx against the latest libs:
# yum list openssl* nginx
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.manchester.icecolo.com
* extras: mirrors.manchester.icecolo.com
* updates: mirrors.manchester.icecolo.com
Installed Packages
nginx.x86_64 1.0.14-1.el5 installed
openssl.x86_64 1.0.1-1.el5 installed
openssl-libs.x86_64 1.0.1-1.el5 installed
openssl098e.x86_64 0.9.8e-1.el5 installed

# nginx -V
nginx version: nginx/1.0.14
built by gcc 4.1.2 20080704 (Red Hat 4.1.2-52)
TLS SNI support enabled
configure arguments: --user=nginx --group=nginx
--prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx
--conf-path=/etc/nginx/nginx.conf --pid-path=/var/run/nginx.pid
--error-log-path=/var/log/nginx/error.log
--http-log-path=/var/log/nginx/access.log
--http-client-body-temp-path=/var/lib/nginx/client
--http-fastcgi-temp-path=/var/lib/nginx/fastcgi
--http-proxy-temp-path=/var/lib/nginx/proxy
--http-scgi-temp-path=/var/lib/nginx/scgi
--http-uwsgi-temp-path=/var/lib/nginx/uwsgi
--lock-path=/var/lock/subsys/nginx --with-cc-opt='-O3 -g -m64
-mtune=nocona -m128bit-long-double -mmmx -msse3 -mfpmath=sse'
--with-file-aio --with-http_addition_module --with-http_dav_module
--with-http_degradation_module --with-http_flv_module
--with-http_geoip_module --with-http_gzip_static_module
--with-http_image_filter_module --with-http_mp4_module
--with-http_perl_module --with-http_random_index_module
--with-http_realip_module --with-http_secure_link_module
--with-http_ssl_module --with-http_stub_status_module
--with-http_sub_module --with-http_xslt_module --with-mail
--with-mail_ssl_module --with-poll_module --with-rtsig_module
--with-select_module

http {
...
ssl_prefer_server_ciphers on;
ssl_ciphers RC4:HIGH:!aNULL:!MD5;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_session_cache shared:SSL:5m;
ssl_session_timeout 10m;
...

server {
listen 192.168.1.3:443 ssl default_server;
server_name www.domain.com;
access_log off;
error_log /var/log/nginx/localhost.error.log error;
root /var/www/domain.com;
index index.php index.html;
ssl_certificate domain.com.crt;
ssl_certificate_key domain.com.key;
...
}
}

Even if I eliminated the OpenSSL version issues, I still have random
[crit] SSL_write() failures at the same frequency as before. They are
also accompanied by open socket alerts, of this format:
[alert] 2380#0: open socket #34 left in connection 12

I'm looking forward to your suggestions.

Regards,

Floren


_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx