
SSL_read() failed on Nginx built with new OpenSSL 1.1.1e

March 25, 2020 11:36PM
(Please excuse my English)

I built Nginx 1.16.1 (current stable version) with OpenSSL 1.1.1e (newly released), PCRE 8.44 and Zlib 1.2.11.
However, sometimes (not always) the error logs below are generated.


2020/03/26 09:53:19 [crit] 24020#24020: *6 SSL_read() failed (SSL: error:14095126:SSL routines:ssl3_read_n:unexpected eof while reading) while keepalive, client: 68.183.***.***, server: 0.0.0.0:443



The Nginx built with OpenSSL 1.1.1d does not generate the error logs. I don't know how I can fix this problem.
Below are my Nginx build configuration and nginx.conf.



--*--*--*--*--*--

./configure --with-cc-opt='-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2' \
--with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' \
--prefix=/nginx --user=www-data --group=www-data \
--error-log-path=/nginx/srv/nginx-error.log --http-log-path=/nginx/srv/nginx-access.log \
--pid-path=/nginx/srv/nginx.pid --lock-path=/nginx/srv/nginx.lock \
--with-zlib=../zlib-1.2.11 --with-pcre=../pcre-8.44 --with-openssl=../openssl-1.1.1e \
--with-pcre-jit --with-file-aio --with-threads --with-http_v2_module \
--without-http_uwsgi_module --without-http_scgi_module \
--without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module \
--with-http_ssl_module --without-http_memcached_module \
--with-http_gunzip_module --with-http_gzip_static_module



--*--*--*--*--*--

worker_processes auto;

events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;

    log_format main '$time_iso8601 $remote_addr $status $body_bytes_sent "$request" $remote_user "$http_referer" "$http_user_agent" "$http_x_forwarded_for"';

    server_tokens off;
    client_max_body_size 10m;
    client_body_buffer_size 128k;
    client_body_temp_path /var/tmp/ngx_client_body_temp;
    proxy_temp_path /var/tmp/ngx_proxy_temp;
    fastcgi_temp_path /var/tmp/ngx_proxy_temp;
    merge_slashes on;
    charset utf-8;
    tcp_nopush on;
    tcp_nodelay on;
    sendfile on;
    sendfile_max_chunk 1m;
    keepalive_timeout 70s;

    gzip on;
    gzip_comp_level 5;
    gzip_proxied any;
    gzip_min_length 1000;
    gzip_disable "MSIE [1-6]\.(?!.*SV1)";
    gzip_types text/plain text/css text/javascript application/javascript text/x-js application/json application/x-javascript application/octet-stream text/mathml text/xml application/xml application/atom+xml application/rss+xml;
    gzip_vary on;
    gzip_buffers 16 8k;

    server {
        server_name myserver.com;
        listen 443 ssl http2;
        keepalive_timeout 70;

        #ref : http://nginx.org/en/docs/http/configuring_https_servers.html

        ssl_certificate /etc/letsencrypt/live/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/privkey.pem;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;

        ssl_session_cache shared:le_nginx_SSL:50m;
        ssl_session_timeout 1d;
        ssl_session_tickets off;
        ssl_ecdh_curve X25519:sect571r1:secp521r1:secp384r1;
        ssl_early_data on;

        error_page 400 401 402 403 404 500 502 503 504 /err.html;
        location = /err.html {
            root /nginx/www;
            add_header Set-Cookie "ErrorCode=${status}; path=/;" always;
            internal;
        }

        location / {
            root /nginx/www;
            index index.html;
            try_files $uri $uri/index.html =404;
            aio threads;

            location ~ \.(css|js|ico|png|gif)$ {
                access_log off;
            }
        }
    }
}
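
An added example, not part of the original post: a Python triage script for error-log entries like the one quoted above. It decodes the packed OpenSSL 1.1.1 error code and counts SSL_read() failures by connection state and by client, which shows whether the failures are confined to idle keepalive connections. Only the first sample line comes from the post; the other lines are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# First line is the one quoted in the post; the rest are constructed samples
# (client addresses are documentation-range placeholders).
SAMPLE_LOG = """\
2020/03/26 09:53:19 [crit] 24020#24020: *6 SSL_read() failed (SSL: error:14095126:SSL routines:ssl3_read_n:unexpected eof while reading) while keepalive, client: 68.183.***.***, server: 0.0.0.0:443
2020/03/26 09:54:02 [crit] 24020#24020: *9 SSL_read() failed (SSL: error:14095126:SSL routines:ssl3_read_n:unexpected eof while reading) while keepalive, client: 192.0.2.10, server: 0.0.0.0:443
2020/03/26 09:55:40 [crit] 24021#24021: *12 SSL_read() failed (SSL: error:14095126:SSL routines:ssl3_read_n:unexpected eof while reading) while waiting for request, client: 192.0.2.10, server: 0.0.0.0:443
2020/03/26 09:56:11 [error] 24021#24021: *15 open() "/nginx/www/favicon.ico" failed (2: No such file or directory), client: 198.51.100.7, server: myserver.com
"""

# Matches nginx error-log entries of the form shown in the post.
LINE_RE = re.compile(
    r"^\S+ \S+ \[(?P<level>\w+)\] \d+#\d+: \*(?P<conn>\d+) SSL_read\(\) failed "
    r"\(SSL: error:(?P<code>[0-9A-Fa-f]{8}):[^:]*:(?P<func>[^:]*):(?P<reason>[^)]*)\)"
    r" while (?P<state>[^,]+), client: (?P<client>[^,]+),"
)


def unpack_error(code_hex):
    """Split a packed OpenSSL 1.1.1 error code into (library, function, reason).

    1.1.1 packs an 8-bit library, 12-bit function and 12-bit reason number.
    """
    e = int(code_hex, 16)
    return (e >> 24) & 0xFF, (e >> 12) & 0xFFF, e & 0xFFF


def summarize(log_text):
    """Count SSL_read() failures by (code, reason, connection state) and by client."""
    by_state, by_client = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # not an SSL_read() failure entry
        by_state[(m["code"], m["reason"], m["state"])] += 1
        by_client[m["client"]] += 1
    return by_state, by_client


if __name__ == "__main__":
    by_state, by_client = summarize(SAMPLE_LOG)
    for (code, reason, state), n in by_state.most_common():
        lib, func, rsn = unpack_error(code)
        print(f"{n:4d}  {code} (lib={lib} func={func} reason={rsn})  {reason!r}  while {state}")
    for client, n in by_client.most_common():
        print(f"{n:4d}  {client}")
```
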
Subject Author Posted

SSL_read() failed on Nginx built with new OpenSSL 1.1.1e

pdh0710 March 25, 2020 11:36PM

Re: SSL_read() failed on Nginx built with new OpenSSL 1.1.1e

itpp2012 March 26, 2020 04:14AM

RE: SSL_read() failed on Nginx built with new OpenSSL 1.1.1e

Reinis Rozitis March 26, 2020 06:32AM

Re: RE: SSL_read() failed on Nginx built with new OpenSSL 1.1.1e

pdh0710 March 26, 2020 11:44PM


