id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
1376	nginx disable client initiated renegotiation not working perfect with openssl 1.1.0c	taolinke@…		"Hey i recompile Nginx 1.11.6 with openssl 1.1.0, then i found that disable client initiated renegotiation is not working perfect.
openssl command is 
{{{
./openssl s_client -tls1_2  -connect 192.168.19.133:443 -msg
}}}

With openssl 1.0.2h，openssl got ""write: errno =0"" after send ClientHello.

{{{
R
RENEGOTIATING
>>> ??? [length 0005]
    16 03 03 00 ac
>>> TLS 1.2Handshake [length 0094], ClientHello
    01 00 00 90 03 03 a8 cc dd 75 1e 1b ed f9 5b 43
    df 96 0c 68 b5 5d 89 c4 db ed d7 19 95 1b e7 0b
    10 9f bb 2a 30 61 00 00 10 c0 2c c0 30 c0 af c0
    ad c0 24 c0 28 c0 0a c0 14 01 00 00 57 ff 01 00
    0d 0c 0f 3b 9f 13 0c 93 d1 20 ac a0 31 83 00 0b
    00 04 03 00 01 02 00 0a 00 0a 00 08 00 1d 00 17
    00 19 00 18 00 23 00 00 00 0d 00 20 00 1e 06 01
    06 02 06 03 05 01 05 02 05 03 04 01 04 02 04 03
    03 01 03 02 03 03 02 01 02 02 02 03 00 16 00 00
    00 17 00 00
'''write:errno=0'''
}}}
But With openssl 1.1.0，openssl got ""write: errno =0"" after finished renegotiation.

{{{
---
R
RENEGOTIATING
>>> ??? [length 0005]
    16 03 03 00 ac
>>> TLS 1.2Handshake [length 0094], ClientHello
    01 00 00 90 03 03 54 52 70 89 38 26 eb b0 95 26
    69 ab 80 dd 26 6d 88 a7 87 0c 4f 76 b7 e7 20 4d
    c6 99 74 e5 aa 65 00 00 10 c0 2c c0 30 c0 af c0
    ad c0 24 c0 28 c0 0a c0 14 01 00 00 57 ff 01 00
    0d 0c 4d 15 33 c5 7f 5c da 76 29 5f 77 a8 00 0b
    00 04 03 00 01 02 00 0a 00 0a 00 08 00 1d 00 17
    00 19 00 18 00 23 00 00 00 0d 00 20 00 1e 06 01
    06 02 06 03 05 01 05 02 05 03 04 01 04 02 04 03
    03 01 03 02 03 03 02 01 02 02 02 03 00 16 00 00
    00 17 00 00
<<< ??? [length 0005]
    16 03 03 00 71
<<< TLS 1.2Handshake [length 0059], ServerHello
    02 00 00 55 03 03 61 91 92 bc a9 9f 7d 6e 26 12
    63 36 3b 49 78 14 3b 62 f0 49 a3 e9 c8 09 aa 81
    da 92 b5 b4 05 59 00 c0 30 00 00 2d ff 01 00 19
    18 4d 15 33 c5 7f 5c da 76 29 5f 77 a8 29 cd 5d
    c4 a3 88 f7 eb 39 1e a6 96 00 0b 00 04 03 00 01
    02 00 23 00 00 00 17 00 00
<<< ??? [length 0005]
    16 03 03 03 42
<<< TLS 1.2Handshake [length 032a], Certificate
......
<<< ??? [length 0005]
    16 03 03 00 1c
<<< TLS 1.2Handshake [length 0004], ServerHelloDone
    0e 00 00 00
>>> ??? [length 0005]
    16 03 03 00 3d
>>> TLS 1.2Handshake [length 0025], ClientKeyExchange
    10 00 00 21 20 72 dd b8 de 67 0c 18 8e fd 9c 54
    5c 4f e9 a3 0a 55 01 c3 0a 84 29 83 f7 8e a2 fd
    09 01 cb c6 24
>>> ??? [length 0005]
    14 03 03 00 19
>>> TLS 1.2ChangeCipherSpec [length 0001]
    01
>>> ??? [length 0005]
    16 03 03 00 28
'''>>> TLS 1.2Handshake [length 0010], Finished
    14 00 00 0c 28 e9 5d 49 f7 6e e4 b3 83 cb c5 ff
write:errno=0'''

}}}
That means Nginx server costs CPU to calculate keys.
That's not the purpose."	enhancement	closed	minor		nginx-module	1.11.x	fixed	renegotiation openssl		Linux centos_8 2.6.32-431.el6.x86_64 #1 SMP Fri Nov 22 03:15:09 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux	nginx version: nginx/1.11.6