If you inspect your nginx error log in /var/log/nginx/error.log, you will sometimes see this error appear:

If you search for this error, you will find a bug report in the nginx bug tracker that refers to a bug in OpenSSL that causes this error.

What is the bug report about?

The bug report is only about the error message that is logged to /var/log/nginx/error.log. It does not cover connection problems or clients being disconnected from the server.

What is causing this error?

This error is caused by a change of behaviour in the OpenSSL libraries. Due to this change of behaviour, nginx receives an unexpected result from the SSL software and logs this as a critical error.

When a client connects to nginx over HTTPS, a handshake is performed to establish the secure connection to the web server. If the client closes the connection before completing the handshake, an error code is returned by the OpenSSL software.
This error code does not match the return codes nginx is expecting, resulting in the error message you can find in /var/log/nginx/error.log.

My visitors can’t connect to the Hypernode and I see their IPs logged in this error

When the handshake to establish a secure connection is aborted before completion, it is often because an error occurred while connecting. This can have several reasons, but in most cases the client is not able to use SNI (Server Name Indication), a technique used to serve SSL for multiple domain names on the same IP address.

Another reason is that the ciphers or TLS version available to establish a secure connection on the client side do not match the ciphers or version on the server side.

Older browsers and crawlers using older SSL software that is no longer compatible with modern security standards will not be able to establish a secure connection to the web server. This connection is then aborted from the client side.

More information about this can be found in our article about the background of SSL on Hypernode.

I’m using Cloudflare and I see only Cloudflare IPs, not the actual visitors as in the rest of the nginx logs

As this error appears during the initiation of the connection, no HTTP headers have been sent yet when this error is logged. Therefore, when Cloudflare is used, only the IP address connecting to nginx is known at handshake time. In a proxy setup like Cloudflare, the remote IP is the Cloudflare caching server, not the visitor.

Only after the connection is established are HTTP headers sent, including the X-Forwarded-For header containing the actual IP of the requesting browser. This is the header used in our log files as the originating IP when Cloudflare is used.
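
To see which connecting addresses produce these handshake-time errors, and which of them are proxy servers rather than visitors, the error log can be grouped per client IP. The script below is an added example, not part of the original article or of Hypernode's tooling. It assumes the entries are logged at [crit] level with nginx's "while SSL handshaking" context, and the sample lines, the error text placeholder and the proxy range are constructed.

```python
import ipaddress
import re
from collections import Counter

# nginx error_log layout: date time [level] pid#tid: *conn message, client: IP, server: ...
LINE_RE = re.compile(
    r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} \[(?P<level>\w+)\] "
    r"\d+#\d+: (?:\*\d+ )?(?P<msg>.*?), client: (?P<client>[0-9a-fA-F.:]+)"
)

def handshake_failures(lines, proxy_ranges=()):
    """Count [crit] handshake-time errors per connecting address.

    Returns (direct, proxied) Counters keyed by IP. Addresses inside
    proxy_ranges are proxy servers; the real visitor is unknown at this
    stage because no X-Forwarded-For header has been received yet.
    """
    nets = [ipaddress.ip_network(r) for r in proxy_ranges]
    direct, proxied = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line)
        # Assumption: the error carries nginx's handshake context string.
        if not m or m["level"] != "crit" or "while SSL handshaking" not in m["msg"]:
            continue
        try:
            ip = ipaddress.ip_address(m["client"])
        except ValueError:
            continue  # malformed client field, skip the line
        bucket = proxied if any(ip in n for n in nets) else direct
        bucket[str(ip)] += 1
    return direct, proxied

# Constructed sample lines; "<handshake error text>" stands in for the real message.
SAMPLE = """\
2017/03/01 10:00:01 [crit] 1201#0: *11 <handshake error text> while SSL handshaking, client: 198.51.100.7, server: 0.0.0.0:443
2017/03/01 10:00:05 [crit] 1201#0: *12 <handshake error text> while SSL handshaking, client: 203.0.113.20, server: 0.0.0.0:443
2017/03/01 10:00:09 [crit] 1201#0: *13 <handshake error text> while SSL handshaking, client: 198.51.100.7, server: 0.0.0.0:443
2017/03/01 10:00:12 [error] 1201#0: *14 open() "/x" failed (2: No such file or directory), client: 198.51.100.9, server: example.test
""".splitlines()

if __name__ == "__main__":
    # 203.0.113.0/24 is a documentation range used here as a stand-in proxy range.
    direct, proxied = handshake_failures(SAMPLE, proxy_ranges=["203.0.113.0/24"])
    for label, counter in (("direct", direct), ("via proxy", proxied)):
        for ip, n in counter.most_common():
            print(f"{label:9} {ip:15} {n}")
```

A few direct addresses with many entries usually point to a single outdated client or crawler, while entries in the proxy bucket cannot be attributed to a visitor from this log alone.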

When are you going to fix this bug?

Although this is an actual bug, which should be fixed eventually, the bug and the resulting error are not as critical as they might look. We will fix it when upgrading to a newer nginx version, which should be in the second half of 2017, when we are migrating to a newer Ubuntu distribution.