Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-6786

SSL-errors 0A000126 / NS_NET_ERROR_PARTIAL_TRANSFER at nginx with reverse-proxy

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Undefined Undefined
    • None
    • rhel-9.2.0
    • nginx
    • None
    • Moderate
    • rhel-sst-cs-stacks
    • ssg_core_services
    • None
    • False
    • Hide

      None

      Show
      None
    • None
    • None
    • None
    • None
    • ---
    • None

      Description of problem:
      When using nginx as reverse-proxy the error "error:0A000126:SSL routines::unexpected eof while reading" occurs for every request.
      Clients show different error-messages:

      • curl: transfer closed with outstanding read data remaining
      • Firefox: NS_NET_ERROR_PARTIAL_TRANSFER
      • Chrome, Edge: net::ERR_INCOMPLETE_CHUNKED_ENCODING

      Version-Release number of selected component (if applicable):
      1.20.1

      How reproducible:
      Use nginx as reverse-proxy and fetch a page

      Steps to Reproduce:
      1. dnf install -y nginx
      2. cat >/etc/nginx/default.d/proxy.conf <<END
      location / {
      proxy_pass https://www.google.com;
      proxy_pass_request_headers off;
      proxy_pass_request_body off;
      }
      END
      3. systemctl start nginx
      4. curl -sSo /dev/null localhost
      5. tail /var/log/nginx/error.log

      Actual results:
      curl: (18) transfer closed with outstanding read data remaining

      2023/05/10 10:22:35 [crit] 128#128: *9 SSL_read() failed (SSL: error:0A000126:SSL routines::unexpected eof while reading) while reading upstream, client: 127.0.0.1, server: _, request: "GET / HTTP/1.1", upstream: "https://x.x.x.x:443/", host: "localhost"

      Expected results:
      No error-message

      Additional info:
      OpenSSL 3.0 raises unexpected EOF as error (https://github.com/openssl/openssl/issues/18866#issuecomment-1194219601), but offers a setting to ignore this. nginx 1.20.2 has already integrated this:
      https://github.com/nginx/nginx/compare/release-1.20.1...release-1.20.2
      So nginx has to be updated from 1.20.1 to 1.20.2.

      A test by adding the changes to 1.20.2 was successfully:
      dnf remove -y nginx
      dnf groupinstall -y "Development Tools"
      dnf install -y yum-utils rpm-build
      dnf download --source nginx
      rpm i nginx*.src.rpm
      curl -o /root/rpmbuild/SOURCES/0008-update-to-1.20.2.patch https://github.com/nginx/nginx/compare/release-1.20.1...release-1.20.2.patch
      sed -i 's/Patch6.*/&\nPatch7: 0008-update-to-1.20.2.patch/' /root/rpmbuild/SPECS/nginx.spec
      echo Skip .hgtags
      sed -i '/8747718e7751a9aac300595a96920141e3cc5078/,/From /

      {//!d;}' /root/rpmbuild/SOURCES/0008-update-to-1.20.2.patch
      echo Skip misc/GNUmakefile
      sed -i '/9b2488b2c350588423899f12fc062a35d5e86cad/,/From /{//!d;}

      ' /root/rpmbuild/SOURCES/0008-update-to-1.20.2.patch
      echo Skip docs/xml/nginx/changes.xml
      sed -i '/656597b6e248868d56ed25559846ab5c58f8f3ac/,/From /

      {//!d;}

      ' /root/rpmbuild/SOURCES/0008-update-to-1.20.2.patch
      dnf builddep -y /root/rpmbuild/SPECS/nginx.spec
      rpmbuild -bb /root/rpmbuild/SPECS/nginx.spec
      dnf install y /root/rpmbuild/RPMS/x86_64/nginx*.rpm
      curl -sSo /dev/null localhost

              luhliari@redhat.com Lubos Uhliarik
              alexp-redhat Alex Pircher (Inactive)
              Lubos Uhliarik Lubos Uhliarik
              rhel-cs-infra-services-qe rhel-cs-infra-services-qe rhel-cs-infra-services-qe rhel-cs-infra-services-qe
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated: