/var/log/nginx/error.log, you sometimes see this error appear:
2017/03/10 11:54:36 [crit] 15608#15608: *628 SSL_shutdown() failed
(SSL: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init) while SSL handshaking,
client: 220.127.116.11, server: 0.0.0.0:443
What is the bug report about?
The bug report is about the actual error logged to
/var/log/nginx/error.log and does not include any connection problems or clients being disconnected from the server.
What is causing this error
This error is caused by a change of behaviour in the
OpenSSL libraries. Due to this change of behaviour, nginx receives an unexpected result from the SSL software and logs this as a critical error.
When a client connects to nginx over https, a handshake is performed to establish the secure connection to the web server. If the client closes the connection before completing the handshake, an error code is returned by the OpenSSL software.
This error code does not match the return codes nginx is expecting, resulting in the error message you can find in
My visitors can’t connect to the hypernode and i see their ip’s logged in this error
The reason the handshake to establish a secure connection is aborted without completion is often because an error occurs while connecting. This can have several reasons, but mostly this is caused by the client not being able to use
SNI (Server Name Indication), a technique used to serve SSL for multiple domain names on the same ip address.
Another reason is that the ciphers or TLS version available to establish a secure connection on the client side do not match the ciphers or version on the server side.
Older browsers and crawlers using older SSL software that is not compatible anymore with modern security standards, will not be able to establish a secure connection to the web server. This connection is then aborted from the client side.
More information about this can be found in our article about the background of SSL on hypernode
I’m using cloudflare and i see only cloudflare ip’s but not actual visitors like the rest of the nginx logs
As this error appears during the initiation of the connection, no http headers have yet been sent when this error is logged. Therefore when cloudflare is used, at handshake time only the ip address connecting to nginx is known. In case of a proxy construction like cloudflare, the remote ip is the cloudflare caching server, not the visitor.
Only after the connection is established, http headers are sent, which includes the X-Forwarded-For header containing the actual ip of the requesting browser. This is the header used in our logs file as the originating ip in case cloudflare is used.
When are you going to fix this bug?
Although this is an actual bug, which should be fixed eventually, the bug and the resulting error are not as critical as they might look like. We will fix it when upgrading to a newer nginx version which should be in the second half of 2017, when we are migrating to a newer ubuntu distribution.