Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#850 closed defect (duplicate)

worker process exists, prevents OCSP stapling response (?)

Reported by: Commenter123@…
Owned by:
Priority: major
Milestone:
Component: documentation
Version: 1.9.x
Keywords:
Cc:
uname -a: Linux 3.2... x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.9.7 built by gcc 4... built with LibreSSL 2.3.2 TLS SNI support enabled configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/run/ --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-file-aio --with-http_v2_module --with-cc-opt='-g -O2 -fstack-protector-strong -Wformat -Werror=format-security' --with-ld-opt=-Wl,-z,relro --with-ipv6 --with-openssl=submodules/libressl --with-pcre=submodules/pcre --with-pcre-jit


When using the scan, I receive a lot of these messages in nginx's error log:

[alert] 27159#0: worker process 6455 exited on signal 11
7118#0: *3975 SSL_do_handshake() failed (SSL: error:14076102:SSL routines:SSL23_GET_CLIENT_HELLO:unsupported protocol) while SSL handshaking, client:, server:

Also I can't really get OCSP stapling to work. Sometimes it works, a lot of the time it doesn't.
Don't know if this is related to the error messages posted above, but please fix it and maybe provide a way to debug the issue.

Have tried letsencrypt, startssl, comodo certificates. It seems that letsencrypt certs fail more often with "OCSP stapling", but maybe I'm wrong.
Shouldn't nginx log something if OCSP requests fail?

Change History (2)

comment:1 by Maxim Dounin, 5 years ago

Resolution: duplicate
Status: new → closed

The segmentation fault looks like a duplicate of #845.

As for OCSP stapling, it may be a derivative problem - old workers die, and new workers don't have OCSP responses cached and hence respond without OCSP stapling till responses are loaded.

comment:2 by Commenter123@…, 5 years ago

Yup, the 3-line patch indeed seems to fix the issue. OCSP stapling now works fine.
Thank you :)
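
A way to observe the behaviour described in comment:1, as an added example that is not part of the ticket or of nginx: the script classifies `openssl s_client -status` output and counts signal 11 worker exits in an error log, so intermittent stapling can be lined up with worker crashes. The function names, the script name and the sample data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Classify `openssl s_client -status` output read from stdin.
staple_status() {
    awk '
        /OCSP Response Status: successful/ { s = "stapled" }
        /OCSP response: no response sent/  { if (s == "") s = "not-stapled" }
        END { print (s == "" ? "unknown" : s) }'
}

# Count worker crashes (signal 11) in an nginx error log read from stdin.
count_segv() {
    grep -c 'worker process [0-9][0-9]* exited on signal 11' || true
}

# probe HOST [PORT]: one handshake requesting a stapled response (needs network).
probe() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" -status \
        </dev/null 2>/dev/null | staple_status
}

# probe_n HOST N: repeat the probe and tally the results. A freshly started
# worker has no cached response yet, so a mix of "stapled" and "not-stapled"
# together with signal 11 exits in the log matches the explanation above.
probe_n() {
    i=0
    while [ "$i" -lt "$2" ]; do probe "$1"; i=$((i + 1)); sleep 1; done | sort | uniq -c
}

# Constructed samples (not captured from the reporter's server).
SAMPLE_STAPLED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)'
SAMPLE_MISSING='CONNECTED(00000003)
OCSP response: no response sent'
SAMPLE_LOG='2015/12/05 10:00:01 [alert] 27159#0: worker process 6455 exited on signal 11
2015/12/05 10:00:02 [notice] 27159#0: start worker process 6460
2015/12/05 10:00:09 [alert] 27159#0: worker process 6460 exited on signal 11'

# Usage: sh staple_check.sh HOST [N]   (hypothetical script name; HOST is your own server)
if [ "$#" -ge 1 ]; then
    probe_n "$1" "${2:-10}"
fi
```

Feed the error log to `count_segv` on stdin (for example from the `--error-log-path` shown in the `nginx -V` output above) and compare the count with the `probe_n` tally taken over the same period.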
