#850 closed defect (duplicate)
worker process exits, prevents OCSP stapling response (?)
Reported by: | | Owned by: | |
---|---|---|---|
Priority: | major | Milestone: | |
Component: | documentation | Version: | 1.9.x |
Keywords: | | Cc: | |
uname -a: | Linux mydomain.com 3.2... x86_64 GNU/Linux | ||
nginx -V: | nginx version: nginx/1.9.7 built by gcc 4... built with LibreSSL 2.3.2 TLS SNI support enabled configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-file-aio --with-http_v2_module --with-cc-opt='-g -O2 -fstack-protector-strong -Wformat -Werror=format-security' --with-ld-opt=-Wl,-z,relro --with-ipv6 --with-openssl=submodules/libressl --with-pcre=submodules/pcre --with-pcre-jit |
Description
When using the ssllabs.com scan, I receive a lot of these messages in nginx's error log:
[alert] 27159#0: worker process 6455 exited on signal 11
and
7118#0: *3975 SSL_do_handshake() failed (SSL: error:14076102:SSL routines:SSL23_GET_CLIENT_HELLO:unsupported protocol) while SSL handshaking, client: xxx.xxx.xxx.xxx, server: 0.0.0.0:443
Also I can't really get OCSP stapling to work. Sometimes it works, a lot of the time it doesn't.
Don't know if this is related to the error messages posted above, but please fix it and maybe provide a way to debug the issue.
Have tried letsencrypt, startssl, comodo certificates. It seems that letsencrypt certs fail more often with "OCSP stapling", but maybe I'm wrong.
Shouldn't nginx log something if OCSP requests fail?
Change History (2)
comment:1 by , 9 years ago
Resolution: | → duplicate |
---|---|
Status: | new → closed |
The segmentation fault looks like a duplicate of #845.
As for OCSP stapling, it may be a derivative problem - old workers die, and new workers don't have OCSP responses cached and hence respond without OCSP stapling till responses are loaded.
comment:2 by , 9 years ago
Yup, the 3-line patch indeed seems to fix the issue. OCSP stapling now works fine.
Thank you :)
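Added example, not part of the ticket or of nginx: one way to test the explanation above (crashed workers are replaced by workers with no cached OCSP response) is to line up "exited on signal" entries from the error log with saved `openssl s_client -status` probes. The 60-second window, the function names and all sample data are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# nginx error_log entry for a worker killed by a signal, e.g.
# "2015/12/05 10:00:03 [alert] 27159#0: worker process 6455 exited on signal 11"
CRASH_RE = re.compile(
    r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[alert\] \d+#\d+: "
    r"worker process (\d+) exited on signal (\d+)")
TS_FMT = "%Y/%m/%d %H:%M:%S"

def worker_crashes(log_lines):
    """Return (time, worker_pid, signal) for every worker killed by a signal."""
    out = []
    for line in log_lines:
        m = CRASH_RE.match(line)
        if m:
            out.append((datetime.strptime(m.group(1), TS_FMT),
                        int(m.group(2)), int(m.group(3))))
    return out

def is_stapled(s_client_output):
    """True if saved `openssl s_client -status` output shows a stapled response."""
    return "OCSP Response Status: successful" in s_client_output

def unstapled_after_crash(crashes, probes, window=timedelta(seconds=60)):
    """Unstapled probes taken within `window` (assumed value) after a crash."""
    hits = []
    for when, output in probes:
        if is_stapled(output):
            continue
        prior = [c for c in crashes if timedelta(0) <= when - c[0] <= window]
        if prior:  # log is chronological, so the last match is the latest crash
            hits.append((when, prior[-1][1]))
    return hits

# Constructed sample data (not taken from the ticket's server).
SAMPLE_LOG = [
    "2015/12/05 10:00:03 [alert] 27159#0: worker process 6455 exited on signal 11",
    "2015/12/05 10:00:04 [notice] 27159#0: start worker process 7118",
    "2015/12/05 10:07:41 [alert] 27159#0: worker process 7118 exited on signal 11",
]
SAMPLE_PROBES = [
    (datetime(2015, 12, 5, 10, 0, 10), "OCSP response: no response sent"),
    (datetime(2015, 12, 5, 10, 3, 0), "OCSP Response Status: successful (0x0)"),
    (datetime(2015, 12, 5, 10, 5, 0), "OCSP response: no response sent"),
    (datetime(2015, 12, 5, 10, 7, 50), "OCSP response: no response sent"),
]
```

Unstapled probes that do not follow a crash, such as the 10:05:00 one in the sample, are left out of the result and point to a different cause than worker restarts.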