SSL_read error on multiple simultaneous upstream SSL downloads

Agent Coulson
October 18, 2013 02:02PM
I am able to reproduce the following error when I have nginx configured
with an upstream https connection. I have tweaked various settings all to
no avail (proxy_buffer_size, proxy_buffers, proxy_ssl_session_reuse).

2013/10/18 17:17:31 [debug] 15644#0: *39 SSL_read: -1, SSL_pending: 16384
2013/10/18 17:17:31 [debug] 15644#0: *39 SSL_get_error: 1
2013/10/18 17:17:31 [error] 15644#0: *39 SSL_read() failed (SSL:
error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record
mac) while sending to client, client: 127.0.0.1, server: -, request: "GET
/test-1 HTTP/1.1", upstream: "https://x.x.x.x:443/test-1", host:
"localhost:1182"

I've applied the following patch to log the SSL_pending bytes after an
SSL_read.

--- dist/nginx-1.4.3/src/event/ngx_event_openssl.c 2013-10-08
12:07:14.000000000 +0000
+++ new/nginx-1.4.3/src/event/ngx_event_openssl.c 2013-10-18
17:37:15.059940303 +0000
@@ -952,7 +952,9 @@ ngx_ssl_recv(ngx_connection_t *c, u_char

n = SSL_read(c->ssl->connection, buf, size);

- ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_read: %d", n);
+ ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
+ "SSL_read: %d, SSL_pending: %d",
+ n, SSL_pending(c->ssl->connection));

if (n > 0) {
bytes += n;
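
Review bot: The new SSL_pending() call in the ngx_log_debug2() arguments runs immediately after SSL_read() on every path, including n <= 0, so on the failure path it sits between the I/O call and the SSL_get_error() that the debug log above shows being reported next. OpenSSL's SSL_get_error() documentation asks that no other OpenSSL function be called between the I/O operation and SSL_get_error(), so for a diagnostic that is meant to characterise the failing read it would be safer to capture the pending count only inside the "if (n > 0)" branch, or to log it after the error code has been fetched. A short comment saying that SSL_pending() reports bytes already decrypted and buffered from the current record would also help readers interpret a line such as "SSL_read: -1, SSL_pending: 16384".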

I've seen a bug report on this too (http://trac.nginx.org/nginx/ticket/215),
so I thought I would send this here to see if anyone else is actively working
on the issue.

Here are my configure settings:

../configure --prefix=/var/nginx --with-debug --with-http_ssl_module \
    --without-http_auth_basic_module --without-http_autoindex_module \
    --without-http_browser_module --without-http-cache \
    --without-http_charset_module --without-http_empty_gif_module \
    --without-http_fastcgi_module --without-http_geo_module \
    --without-http_gzip_module --without-http_limit_conn_module \
    --without-http_map_module --without-http_memcached_module \
    --without-http_referer_module --without-http_rewrite_module \
    --without-http_scgi_module --without-http_split_clients_module \
    --without-http_ssi_module --without-http_upstream_ip_hash_module \
    --without-http_userid_module --without-http_uwsgi_module \
    --without-mail_imap_module --without-mail_pop3_module \
    --without-mail_smtp_module

Here is my configuration:

### Begin nginx.conf ###

worker_processes 1;

error_log logs/error.log debug;

pid logs/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;

    access_log logs/access.log;

    keepalive_timeout 60;

    upstream http {
        server upstream.srv:443;
        keepalive 512;
    }

    server {
        listen 1182 default_server;

        server_name -;

        ssl_protocols SSLv3 TLSv1;
        ssl_ciphers RC4:HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;

        location / {
            proxy_pass https://http;

            proxy_redirect off;
            proxy_read_timeout 10s;
            proxy_connect_timeout 6s;

            proxy_buffering off;
            proxy_buffer_size 64k;
            proxy_buffers 6 16k;
            proxy_busy_buffers_size 80k;

            proxy_pass_header Server;
            proxy_pass_header Date;
            proxy_pass_header X-Pad;

            proxy_set_header Connection "Keep-Alive";
            proxy_set_header Host "upstream.srv";
        }
    }
}
### End nginx.conf ###