Update:
The original error "SSL3_CTX_CTRL:called a function you should not cal" is
no longer on the logs.
The last occurrence dates back to early february:
2015/02/03 20:23:30 [alert] 69020#0: *16 ignoring stale global SSL error
(SSL: error:14085042:SSL routines:SSL3_CTX_CTRL:called a function
"fix" applied.
This is what I see when running ssllabs again:
2015/03/17 18:08:33 [crit] 14508#0: *478 SSL_do_handshake() failed (SSL:
error:14094085:SSL routines:SSL3_READ_BYTES:ccs received early) while SSL
handshaking, client: 64.41.200.104, server: 0.0.0.0:443
2015/03/17 18:08:34 [crit] 145
The *feeling* that the problem is related to SNI is getting stronger.
This is the error log when running ssllabs.com on the server:
==> stderr.log <==
2015/03/17 17:12:45 [crit] 40733#0: *925 SSL_do_handshake() failed (SSL:
error:14094085:SSL routines:SSL3_READ_BYTES:ccs received early) while S
Will try it.
Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,256381,257339#msg-257339
___
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Yes, it's at least strange.
The reproducing configuration is rather complex task, this newer happens in
usual browsing session (and not just in parsing config, of course). I'm
still trying to limit it to something I can publish.
Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,256381,257
may you just try my "fix"? At least, it will save me time for searching in
completely wrong place.
--- nginx-1.7.10/src/http/modules/ngx_http_ssl_module.c.orig 2015-02-10
15:33:34.0 +0100
+++ nginx-1.7.10/src/http/modules/ngx_http_ssl_module.c 2015-03-17
14:55:58.282130993 +0100
@@ -7
I am on nginx 1.7.10 with LibreSSL 2.1.5.
This is what I see in the error log:
2015/02/03 20:23:30 [alert] 69020#0: *16 ignoring stale global SSL error
(SSL: error:14085042:SSL routines:SSL3_CTX_CTRL:called a function you should
not call) while SSL handshaking, client: [...IP...], server: 0.0.0.
Hello!
On Tue, Mar 17, 2015 at 10:11:48AM -0400, rbqdg9 wrote:
> > So, the alert is harmless and can be safely ignored.
> The real problem - it doesnt, it always accompanied by something like:
> nginx[32624] trap invalid opcode ip:47e04d sp:7fff6971ae50 error:0 in
> nginx[40+a]
> (exactl
> So, the alert is harmless and can be safely ignored.
The real problem - it doesnt, it always accompanied by something like:
nginx[32624] trap invalid opcode ip:47e04d sp:7fff6971ae50 error:0 in
nginx[40+a]
(exactly one "invalid opcode" for each "function you should not call" in
nginx log
Hello!
On Tue, Mar 17, 2015 at 06:25:51AM -0400, rbqdg9 wrote:
> Maxim Dounin Wrote:
> ---
> > If you see problems with nginx 1.7.9, consider following hints
> > at http://wiki.nginx.org/Debugging.
> I think it will not help (at least if not di
and yes, upgrade to libressl 2.1.5 didn't solve this.
Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,256381,257315#msg-257315
___
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Maxim Dounin Wrote:
---
> If you see problems with nginx 1.7.9, consider following hints
> at http://wiki.nginx.org/Debugging.
I think it will not help (at least if not did by anyone who really knows
both openssl and nginx internals).
the problem
Hello!
On Tue, Feb 03, 2015 at 11:34:05AM -0500, 173279834462 wrote:
> I am coming precisely from nginx 1.7.9 + libressl 2.1.3, configured as you
> mentioned.
>
> As 1.7.9 kept crashing, we downgraded to "stable" 1.6.4.
>
> Chapter closed then. We are back to 1.7.9...
If you see problems wit
I am coming precisely from nginx 1.7.9 + libressl 2.1.3, configured as you
mentioned.
As 1.7.9 kept crashing, we downgraded to "stable" 1.6.4.
Chapter closed then. We are back to 1.7.9...
P.S. Did anybody note that the login to the forum does not use https?
Posted at Nginx Forum:
http://for
Hello!
On Sun, Feb 01, 2015 at 10:56:37AM -0500, 173279834462 wrote:
> nginx 1.6.2 + libressl 2.1.3
If you want to use nginx with LibreSSL, consider using nginx 1.7.x
(1.7.4 at least).
Also make sure to actually compile nginx with LibreSSL, not just
loading LibreSSL library instead of OpenSSL
"no OpenSSL types or functions are exposed."
http://www.openbsd.org/papers/eurobsdcon2014-libressl.html
Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,256381,256384#msg-256384
___
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/ma
nginx 1.6.2 + libressl 2.1.3
>tail -f [...]/port-443/*.log
==> stderr.log <==
2015/02/01 01:35:34 [alert] 15134#0: worker process 15139 exited on signal
11
2015/02/01 01:35:34 [alert] 15134#0: shared memory zone "SSL" was locked by
15139
2015/02/01 01:35:42 [alert] 15134#0: worker process 15138 e
17 matches
Mail list logo
