Hi,

After working a bit more on the issue, I also found that:

- Using a new pair of key/certificate makes the problem not show anymore. So, some files will make it fail, some files make it work. The files are of different length, so it seems to be correlated to that.
- Using LD_PRELOAD with an "empty" (as in no C code) so file makes the problem disappear. I discovered this while trying to hook the calls to OpenSSL, just to discover that even if I removed all my code, the problem would go away.

As there are at least 3 different ways to make it disappear, it looks to me that it is not directly related to the SSL session, but to something completely different.

I cannot run valgrind on the MIPS hardware (not enough RAM), and I've been trying to reproduce it on QEMU, to no avail.

Any ideas on how to proceed? Do you think Valgrind will help at all? Any other insights?

On Thu, Mar 8, 2018 at 12:16 PM, Abilio Marques <[email protected]> wrote:

> Using NGINX 1.12.2 on MIPS (haven't tested on x86), if I set:
>
>     ssl_session_cache shared:SSL:1m; # it also fails with 10m
>
> And the client reestablishes the connection, it gets:
> net::ERR_SSL_BAD_RECORD_MAC_ALERT when trying to reuse SSL session.
>
> Has anyone seen anything like this?
>
> More detail:
>
> This was tested on 1.12.2, on a MIPS CPU, using OpenSSL 1.0.2j, and built
> by gcc 4.8.3 (OpenWrt/Linaro GCC 4.8-2014.04 r47070).
>
> Interesting portion of my configuration file:
>
>     server {
>         listen 443 ssl;
>
>         ssl_certificate /etc/ssl/certs/bridge.cert.pem;
>         ssl_certificate_key /etc/ssl/private/bridge.key.pem;
>
>         ssl_protocols TLSv1.2;
>         ssl_prefer_server_ciphers on;
>         ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256;
>         ssl_ecdh_curve prime256v1;
>
>         ssl_session_timeout 24h;
>         ssl_session_tickets on;
>         ssl_session_cache shared:SSL:1m; # set to 10m, still fails, remove, the problem seems to disappear
>
>         keepalive_timeout 1s; # reduced during troubleshooting to make it trigger easily
>         keepalive_requests 1; # reduced during troubleshooting to make it trigger easily
>
>         include apiv1.conf; # where all the location rules are
>     }
