Maxim Dounin
April 02, 2012 07:18AM
Hello!

On Sat, Mar 31, 2012 at 06:39:37PM -0400, Floren Munteanu wrote:

> Hi Maxim,
>
> On 3/26/2012 12:47 PM, Maxim Dounin wrote:
> >As already suggested - you may build nginx with any particular
> >openssl version statically, by using --with-openssl= configure
> >argument.
>
> I followed your advice and built a backlevel RPM for libcripto.so6
> and libssl.so6 so none of the deps are broken in CentOS 5. Then, I
> built the OpenSSL 1.0.1 RPM's and rebuilt Nginx against the latest
> libs:
> # yum list openssl* nginx
> Loaded plugins: fastestmirror
> Loading mirror speeds from cached hostfile
> * base: mirrors.manchester.icecolo.com
> * extras: mirrors.manchester.icecolo.com
> * updates: mirrors.manchester.icecolo.com
> Installed Packages
> nginx.x86_64 1.0.14-1.el5 installed
> openssl.x86_64 1.0.1-1.el5 installed
> openssl-libs.x86_64 1.0.1-1.el5 installed
> openssl098e.x86_64 0.9.8e-1.el5 installed
>
> # nginx -V
> nginx version: nginx/1.0.14
> built by gcc 4.1.2 20080704 (Red Hat 4.1.2-52)
> TLS SNI support enabled
> configure arguments: --user=nginx --group=nginx
> --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx
> --conf-path=/etc/nginx/nginx.conf --pid-path=/var/run/nginx.pid
> --error-log-path=/var/log/nginx/error.log
> --http-log-path=/var/log/nginx/access.log
> --http-client-body-temp-path=/var/lib/nginx/client
> --http-fastcgi-temp-path=/var/lib/nginx/fastcgi
> --http-proxy-temp-path=/var/lib/nginx/proxy
> --http-scgi-temp-path=/var/lib/nginx/scgi
> --http-uwsgi-temp-path=/var/lib/nginx/uwsgi
> --lock-path=/var/lock/subsys/nginx --with-cc-opt='-O3 -g -m64
> -mtune=nocona -m128bit-long-double -mmmx -msse3 -mfpmath=sse'
> --with-file-aio --with-http_addition_module --with-http_dav_module
> --with-http_degradation_module --with-http_flv_module
> --with-http_geoip_module --with-http_gzip_static_module
> --with-http_image_filter_module --with-http_mp4_module
> --with-http_perl_module --with-http_random_index_module
> --with-http_realip_module --with-http_secure_link_module
> --with-http_ssl_module --with-http_stub_status_module
> --with-http_sub_module --with-http_xslt_module --with-mail
> --with-mail_ssl_module --with-poll_module --with-rtsig_module
> --with-select_module

Please also check if nginx actually uses new openssl library, ldd
should be helpful here.

>
> http {
> ...
> ssl_prefer_server_ciphers on;
> ssl_ciphers RC4:HIGH:!aNULL:!MD5;
> ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
> ssl_session_cache shared:SSL:5m;
> ssl_session_timeout 10m;
> ...
>
> server {
> listen 192.168.1.3:443 ssl default_server;
> server_name www.domain.com;
> access_log off;
> error_log /var/log/nginx/localhost.error.log error;
> root /var/www/domain.com;
> index index.php index.html;
> ssl_certificate domain.com.crt;
> ssl_certificate_key domain.com.key;
> ...
> }
> }
>
> Even if I eliminated the OpenSSL version issues, I still have random
> [crit] SSL_write() failures at the same frequency as before. They
> are also accompanied by open socket alerts, of this format:
> [alert] 2380#0: open socket #34 left in connection 12
>
> I'm looking forward to your suggestions.

As already suggested, it would be cool to check if you see the
same problem in 1.1.x.

And to proceed further we need debug log, see here:

http://wiki.nginx.org/Debugging

Note you'll need to recompile nginx with "--with-debug" configure
argument to obtain one.

Maxim Dounin

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
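
The `ldd` check suggested in the message above, as an added example that is not part of the original post: the function classifies `ldd` output so you can tell whether the binary loads a shared libssl (and which file) or has no libssl dependency at all, which is what a static `--with-openssl=` build looks like. The sample `ldd` lines are constructed, and the library paths and sonames in them are assumptions.

```shell
#!/bin/sh
# Classify how a binary links OpenSSL, reading `ldd` output on stdin.
# Prints exactly one line:
#   dynamic <path>   libssl is a shared dependency resolved to <path>
#   missing <soname> libssl is required but the loader cannot find it
#   none             no libssl dependency (static OpenSSL, or no SSL at all)
classify_ssl_linkage() {
    awk '
        $1 ~ /^libssl\.so/ {
            found = 1
            if ($3 == "not" && $4 == "found") print "missing " $1
            else print "dynamic " $3
            exit
        }
        END { if (!found) print "none" }
    '
}

# Constructed sample: binary still resolving the old 0.9.8 compatibility library.
sample_old() {
    printf '\tlibcrypt.so.1 => /lib64/libcrypt.so.1 (0x00002b0000000000)\n'
    printf '\tlibssl.so.6 => /lib64/libssl.so.6 (0x00002b0000200000)\n'
    printf '\tlibcrypto.so.6 => /lib64/libcrypto.so.6 (0x00002b0000400000)\n'
    printf '\tlibc.so.6 => /lib64/libc.so.6 (0x00002b0000800000)\n'
}

# Constructed sample: binary linked against a newer shared libssl (soname assumed).
sample_new() {
    printf '\tlibssl.so.1.0.0 => /usr/lib64/libssl.so.1.0.0 (0x00002b0000200000)\n'
    printf '\tlibc.so.6 => /lib64/libc.so.6 (0x00002b0000800000)\n'
}

# Constructed sample: OpenSSL compiled in statically, so ldd lists no libssl.
# libcrypt (password hashing) must not be mistaken for libcrypto/libssl.
sample_static() {
    printf '\tlibcrypt.so.1 => /lib64/libcrypt.so.1 (0x00002b0000000000)\n'
    printf '\tlibc.so.6 => /lib64/libc.so.6 (0x00002b0000800000)\n'
}

# Run against a real binary when a path is given, e.g.: sh check.sh /usr/sbin/nginx
check_binary() {
    ldd "$1" | classify_ssl_linkage
}

if [ -n "${1:-}" ]; then
    check_binary "$1"
fi
```

A `dynamic` result pointing at the old library means the rebuilt nginx is not using the new OpenSSL at run time, regardless of which packages are installed.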