﻿id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
1829	ssl: fail gracefully on Alert instead of ClientHello	Gernot Vormayr		"When openssl encounters an error after it already connected, but before sending a `ClientHello`, it sends an `Alert` (might happen with other libraries too). This can happen with, e.g., `curl` on debian buster with `curl --tls-max 1.0 https://localhost/` due to `/etc/ssl/openssl.cnf` specifying 1.2 as `MinVersion`. Since nginx inspects the first byte provided by the client and only invokes the ssl part if a `ClientHello` is detected (https://trac.nginx.org/nginx/browser/nginx/src/http/ngx_http_request.c#L729), it tries to interpret the `Alert` as plain http, leading to the following log output (2 lines error log, 1 line access log):

{{{
2019/08/08 09:59:12 [info] 11#11: *9 client sent invalid method while reading client request line, client: 127.0.0.1, server: host0.domain0.bd, request: ""P""
2019/08/08 09:59:12 [info] 11#11: *9 shutdown() failed (107: Transport endpoint is not connected) while reading client request line, client: 127.0.0.1, server: host0.domain0.bd, request: ""P""
127.0.0.1 - - [08/Aug/2019:09:59:12 +0000] ""\x15\x03\x01\x00\x02\x02P"" 400 157 ""-"" ""-""
}}}

The attached patch handles this case by logging the error, followed by closing the connection: 

{{{
2019/08/08 10:00:18 [info] 188#188: *1 peer sent SSL alert while SSL handshaking, client: 127.0.0.1, server: 0.0.0.0:443
}}}
"	defect	closed	minor		nginx-module	1.16.x	wontfix			Linux 2560ab422d73 5.2.6-arch1-1-ARCH #1 SMP PREEMPT Sun Aug 4 14:58:49 UTC 2019 x86_64 GNU/Linux	"nginx version: nginx/1.16.0
built by gcc 8.3.0 (Debian 8.3.0-6) 
built with OpenSSL 1.1.1c  28 May 2019
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fdebug-prefix-map=/data/builder/debuild/nginx-1.16.0/debian/debuild-base/nginx-1.16.0=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'"
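Added worked example (not nginx code and not the reporter's attached patch): the escaped "request" in the access-log line above, `\x15\x03\x01\x00\x02\x02P`, is a complete TLS record, and decoding it shows why nginx mis-routed it. The script below parses a client's first bytes as a TLS record header, reproduces the first-byte heuristic from the linked `ngx_http_request.c` (0x16 for a TLS handshake record, high bit set for an SSLv2 hello; reproduced from memory of that source), and contrasts it with a classification that recognises an Alert record and closes the connection instead of handing the bytes to the HTTP parser. Sample inputs are constructed inline; the alert-code names come from RFC 5246.

```python
# Added example: decode the first bytes a client sends and decide whether they are
# a TLS ClientHello, a TLS Alert, or plain HTTP. Not nginx code, not the ticket's patch.

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2", (3, 4): "TLSv1.3"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Subset of AlertDescription values from RFC 5246 section 7.2.
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 70: "protocol_version",
    80: "internal_error", 86: "inappropriate_fallback", 112: "unrecognized_name",
}

# Constructed sample inputs (not captured from a live system).
ALERT_FROM_LOG = b"\x15\x03\x01\x00\x02\x02P"          # the bytes shown in the reporter's access log
PLAIN_HTTP = b"GET / HTTP/1.1\r\nHost: localhost\r\n\r\n"


def tls_record(content_type: int, version: tuple, body: bytes) -> bytes:
    """Build a TLS record: 1-byte content type, 2-byte version, 2-byte length, body."""
    return bytes([content_type, *version]) + len(body).to_bytes(2, "big") + body


def client_hello_record() -> bytes:
    """Minimal TLS 1.2 ClientHello (one cipher suite, no extensions) inside a TLSv1.0 record."""
    hello = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00" + b"\x00\x00"
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello   # HandshakeType client_hello = 1
    return tls_record(22, (3, 1), handshake)


def nginx_first_byte_is_tls(data: bytes) -> bool:
    """The pre-OpenSSL heuristic from ngx_http_request.c (reproduced from memory of the linked
    source): 0x16 is a TLS handshake record, a set high bit is an SSLv2 hello. An Alert (0x15)
    fails this test and falls through to the plain-HTTP request parser."""
    return bool(data) and (data[0] == 0x16 or data[0] & 0x80 != 0)


def classify(data: bytes) -> dict:
    """Parse the first bytes as a TLS record header and describe what they are."""
    if len(data) < 5:
        return {"kind": "short"}                       # not enough for a record header yet
    ct, major, minor = data[0], data[1], data[2]
    length = int.from_bytes(data[3:5], "big")
    if ct not in CONTENT_TYPES or major != 3 or minor > 4:
        return {"kind": "plain"}                       # not a TLS record: treat as plain HTTP
    version = VERSIONS[(major, minor)]
    body = data[5:5 + length]
    if ct == 21:                                       # Alert: 1-byte level, 1-byte description
        if len(body) < 2:
            return {"kind": "tls_alert", "version": version, "truncated": True}
        return {
            "kind": "tls_alert", "version": version,
            "level": ALERT_LEVELS.get(body[0], str(body[0])),
            "description": ALERT_DESCRIPTIONS.get(body[1], str(body[1])),
        }
    if ct == 22:                                       # Handshake: first body byte is HandshakeType
        return {"kind": "tls_handshake", "version": version, "client_hello": bool(body) and body[0] == 1}
    return {"kind": "tls_other", "version": version, "content_type": CONTENT_TYPES[ct]}


def decide(data: bytes) -> str:
    """'ssl': hand the buffer to the TLS library; 'http': parse as plain HTTP;
    'close': log the alert and drop the connection; 'need_more': wait for more bytes."""
    info = classify(data)
    if info["kind"] == "short":
        return "need_more"
    if info["kind"] == "tls_handshake":
        return "ssl"
    if info["kind"] in ("tls_alert", "tls_other"):
        return "close"
    return "http"


if __name__ == "__main__":
    for label, sample in (("alert from log", ALERT_FROM_LOG),
                          ("client hello", client_hello_record()),
                          ("plain http", PLAIN_HTTP)):
        print(f"{label:15} nginx-first-byte={nginx_first_byte_is_tls(sample)!s:5} "
              f"classify={classify(sample)} -> {decide(sample)}")
```

Running it shows the mismatch the ticket describes: the logged bytes decode as an Alert record, version TLSv1.0, level fatal, description 80 (`internal_error`, the 'P' that nginx printed unescaped), yet the first-byte test reports "not TLS" and the bytes go to the HTTP parser, which produces the `client sent invalid method` line and the 400. The ClientHello passes both checks, and plain HTTP is rejected by the record-header check because 'G' (0x47) is not a TLS content type.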
