id,summary,reporter,owner,description,type,status,priority,milestone,component,version,resolution,keywords,cc,uname,nginx_version
1376,nginx disable client initiated renegotiation not working perfect with openssl 1.1.0c,taolinke@…,,"Hey, I recompiled Nginx 1.11.6 with openssl 1.1.0, then I found that disabling client-initiated renegotiation is not working perfectly.

The openssl command is
{{{
./openssl s_client -tls1_2 -connect 192.168.19.133:443 -msg
}}}
With openssl 1.0.2h, openssl got ""write: errno =0"" after sending ClientHello.
{{{
R
RENEGOTIATING
>>> ??? [length 0005]
16 03 03 00 ac
>>> TLS 1.2Handshake [length 0094], ClientHello
01 00 00 90 03 03 a8 cc dd 75 1e 1b ed f9 5b 43 df 96 0c 68 b5 5d 89 c4 db ed d7 19 95 1b e7 0b 10 9f bb 2a 30 61 00 00 10 c0 2c c0 30 c0 af c0 ad c0 24 c0 28 c0 0a c0 14 01 00 00 57 ff 01 00 0d 0c 0f 3b 9f 13 0c 93 d1 20 ac a0 31 83 00 0b 00 04 03 00 01 02 00 0a 00 0a 00 08 00 1d 00 17 00 19 00 18 00 23 00 00 00 0d 00 20 00 1e 06 01 06 02 06 03 05 01 05 02 05 03 04 01 04 02 04 03 03 01 03 02 03 03 02 01 02 02 02 03 00 16 00 00 00 17 00 00
'''write:errno=0'''
}}}
But with openssl 1.1.0, openssl got ""write: errno =0"" after finishing renegotiation.
{{{
---
R
RENEGOTIATING
>>> ??? [length 0005]
16 03 03 00 ac
>>> TLS 1.2Handshake [length 0094], ClientHello
01 00 00 90 03 03 54 52 70 89 38 26 eb b0 95 26 69 ab 80 dd 26 6d 88 a7 87 0c 4f 76 b7 e7 20 4d c6 99 74 e5 aa 65 00 00 10 c0 2c c0 30 c0 af c0 ad c0 24 c0 28 c0 0a c0 14 01 00 00 57 ff 01 00 0d 0c 4d 15 33 c5 7f 5c da 76 29 5f 77 a8 00 0b 00 04 03 00 01 02 00 0a 00 0a 00 08 00 1d 00 17 00 19 00 18 00 23 00 00 00 0d 00 20 00 1e 06 01 06 02 06 03 05 01 05 02 05 03 04 01 04 02 04 03 03 01 03 02 03 03 02 01 02 02 02 03 00 16 00 00 00 17 00 00
<<< ??? [length 0005]
16 03 03 00 71
<<< TLS 1.2Handshake [length 0059], ServerHello
02 00 00 55 03 03 61 91 92 bc a9 9f 7d 6e 26 12 63 36 3b 49 78 14 3b 62 f0 49 a3 e9 c8 09 aa 81 da 92 b5 b4 05 59 00 c0 30 00 00 2d ff 01 00 19 18 4d 15 33 c5 7f 5c da 76 29 5f 77 a8 29 cd 5d c4 a3 88 f7 eb 39 1e a6 96 00 0b 00 04 03 00 01 02 00 23 00 00 00 17 00 00
<<< ??? [length 0005]
16 03 03 03 42
<<< TLS 1.2Handshake [length 032a], Certificate
......
<<< ??? [length 0005]
16 03 03 00 1c
<<< TLS 1.2Handshake [length 0004], ServerHelloDone
0e 00 00 00
>>> ??? [length 0005]
16 03 03 00 3d
>>> TLS 1.2Handshake [length 0025], ClientKeyExchange
10 00 00 21 20 72 dd b8 de 67 0c 18 8e fd 9c 54 5c 4f e9 a3 0a 55 01 c3 0a 84 29 83 f7 8e a2 fd 09 01 cb c6 24
>>> ??? [length 0005]
14 03 03 00 19
>>> TLS 1.2ChangeCipherSpec [length 0001]
01
>>> ??? [length 0005]
16 03 03 00 28
'''>>> TLS 1.2Handshake [length 0010], Finished
14 00 00 0c 28 e9 5d 49 f7 6e e4 b3 83 cb c5 ff
write:errno=0'''
}}}
That means the Nginx server spends CPU to calculate keys. That's not the purpose.",enhancement,closed,minor,,nginx-module,1.11.x,fixed,renegotiation openssl,,Linux centos_8 2.6.32-431.el6.x86_64 #1 SMP Fri Nov 22 03:15:09 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux,nginx version: nginx/1.11.6