Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#1270 closed defect (wontfix)

TCP RST with SSL and HTTP Connection:close header

Reported by: elukey@… Owned by:
Priority: minor Milestone:
Component: nginx-core Version: 1.11.x
Keywords: Cc:
uname -a: Linux mw2146 4.4.0-2-amd64 #1 SMP Debian 4.4.2-3+wmf6 (2016-10-18) x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.11.6
built with OpenSSL 1.1.0b 26 Sep 2016 (running with OpenSSL 1.1.0e 16 Feb 2017)
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_xslt_module=dynamic --with-stream=dynamic --with-stream_ssl_module --with-mail=dynamic --with-mail_ssl_module --add-dynamic-module=/tmp/buildd/nginx-1.11.4/debian/modules/nginx-auth-pam --add-module=/tmp/buildd/nginx-1.11.4/debian/modules/nginx-dav-ext-module --add-dynamic-module=/tmp/buildd/nginx-1.11.4/debian/modules/nginx-echo --add-dynamic-module=/tmp/buildd/nginx-1.11.4/debian/modules/nginx-upstream-fair --add-dynamic-module=/tmp/buildd/nginx-1.11.4/debian/modules/ngx_http_substitutions_filter_module

Description

Hi everybody,

we use Nginx to terminate TLS in front of a wide range of systems, but the biggest use cases are Varnish and Apache httpd.

While running some tcpdumps on one application server running Nginx in front of Apache and HHVM I noticed regular RST packets returned by Nginx to the client when the request contained "Connection: close" and https was used.

I investigated the issue in https://phabricator.wikimedia.org/T163674 and came up with the suspicion that Nginx is eager to close the TCP connection after the HTTP request is completed, not leaving enough time for SSL to shutdown cleanly (https://phabricator.wikimedia.org/T163674#3257675 contains debug error logs to compare).

While reading https://wiki.openssl.org/index.php/Manual:SSL_shutdown(3)#NOTES it seems that this behavior is allowed but I am wondering if it is intended for Nginx to return a RST or not. In the former case it would be really nice to have a note in the docs advertising this "feature" so people will know it.

Last but not the least, this issue is not causing any errors on the client side, the RST seems to be handled fine. The only side effect is polluting TCP RST metrics and confuse a bit admins while debugging :)

Thanks in advance!

Luca

Change History (4)

comment:1 by Maxim Dounin, 3 years ago

Quoting the code:

        /*
         * The majority of browsers do not send the "close notify" alert.
         * Among them are MSIE, old Mozilla, Netscape 4, Konqueror,
         * and Links.  And what is more, MSIE ignores the server's alert.
         *
         * Opera and recent Mozilla send the alert.
         */

        c->ssl->no_wait_shutdown = 1;

If there are reasons to assume this comment is no longer true, the code may be reconsidered. It seems to be still true though.

comment:2 by elukey@…, 3 years ago

Thanks a lot for the answer, I didn't find the comment in the code before opening the task. I checked also Apache httpd and it seems doing the same thing, and the specs are definitely respected. It would be great to support the use case in which both parties send the close notify, but probably it is not that easy to do.

Would it be possible to advertise this behavior in your documentation with a little text box? It seems something worth to share.

Thanks!

in reply to:  2 comment:3 by Maxim Dounin, 3 years ago

Resolution: wontfix
Status: newclosed

Replying to elukey@…:

Thanks a lot for the answer, I didn't find the comment in the code before opening the task. I checked also Apache httpd and it seems doing the same thing, and the specs are definitely respected. It would be great to support the use case in which both parties send the close notify, but probably it is not that easy to do.

It is not possible to find out if close notify is expected or not, so the only working approach is to follow majority of clients.

Would it be possible to advertise this behavior in your documentation with a little text box? It seems something worth to share.

I don't really see how it can help users, as it is an implementation detail. The comment in question should be enough, IMHO.

comment:4 by elukey@…, 3 years ago

I am a user and I had to spend a lot of time to figure out where that RST was coming from, I don't really agree that it is an implementation detail. Anyhow, thanks a lot for the explanation!

Note: See TracTickets for help on using tickets.