I think turning off keepalive might have solved the problem. I will be deploying this change to our production server tonight and will report back sometime next week.
Thanks everyone for your help. Alex -----Original Message----- From: AOLserver Discussion [mailto:[EMAIL PROTECTED] On Behalf Of Scott Goodwin Sent: Friday, January 26, 2007 12:27 PM To: [email protected] Subject: Re: [AOLSERVER] SSL read error: bad write retry Hi Steve, If keepalivetimeout is not set at all in your nsd.tcl, it means you are using keepalive and it is set to 30 seconds. Can you try adding the keepalivetimetout parameter and setting it to 0 as I mentioned in a previous message and see if that solves the problem? I'm pretty sure Andrew found the correct information -- that MSIE has difficulty with keepalive conns over SSL, particularly since no one has been able to replicate the problem with other browsers or load testers. Note that turning off keepalive will turn it off for non-SSL conns as well, so if you try it, do be careful. /s. On Jan 26, 2007, at 2:44 PM, Steve Manning wrote: > Hi Scott > > Long time no hear. > > The site is http://www.fancydress.com running on Linux - Centos 4.4 > (RHEL4 derived). We run AOLserver 4.0.10 with OpenACS 5.0.4 over the > top. > > OpenSSL is 0.9.7a-43-14 from the supplied RPM and were using the > nsopenssl tagged as v3.0beta26 from cvs. > >> From the config we have: > > ns_section ns/server/${server}/module/nsopenssl/sslcontext/ > users > ns_param Role server > . > . > . > . > # for Protocols "ALL" = "SSLv2, SSLv3, TLSv1" > ns_param Protocols "SSLv3, TLSv1" > ns_param CipherSuite "ALL:!ADH:RC4+RSA:+HIGH: > +MEDIUM: > +LOW:+SSLv2:+EXP" > ns_param PeerVerify false > ns_param PeerVerifyDepth 3 > ns_param Trace false > ns_param SessionCache true > ns_param SessionCacheID 1 > ns_param SessionCacheSize 512 > ns_param SessionCacheTimeout 300 > > keepalivetimeout is not set. > > Just from this evenings log I can see e.g. > > [26/Jan/2007:18:52:34][25120.3050740656][-conn:fancydress::14] > Error: nsopenssl (fancydress): SSL read error: bad write retry > > [26/Jan/2007:19:02:28][25120.3023371184][-conn:fancydress::40] > Error: nsopenssl (fancydress): SSL read error: ssl handshake > failure > > Let me know if you need anything else. > > Steve > > > On Fri, 2007-01-26 at 12:55 -0500, Scott Goodwin wrote: >> Steve, what version of OpenSSL are you running on the site that >> you're experiencing this problem on? >> >> /s. >> >> On Jan 26, 2007, at 3:55 AM, Steve Manning wrote: >> >>> Alex >>> >>> We see this problem as well and I think its related to the system >>> load. >>> Our peak load is in October when we are averaging over 500,000 pages >>> per day and we have had reports of blank pages being returned during >>> this time. >>> >>> I spoke to Dossy about it in Sept last year as I know hes been doing >>> some work on tidying it up but its not yet been committed. See >>> below. >>> >>> Steve >>> >> >> >> -- >> AOLserver - http://www.aolserver.com/ >> >> To Remove yourself from this list, simply send an email to >> <[EMAIL PROTECTED]> with the > -- > Steve Manning - Mandrake Linux 10.1 - Gnome 2.6 East Goscote - > Leicester - UK +44 (0)116 260 5457 > E-Mail: [EMAIL PROTECTED] - Web: www.festinalente.co.uk > AIM: verbomania - Public Key: 25665CAF from wwwkeys.pgp.net > ----------------------------------------------------------- > There are only 10 types of people in this world > Those who understand binary and those who don't > ----------------------------------------------------------- > body of "SIGNOFF AOLSERVER" in the email message. You can leave the > Subject: field of your email blank. > > > -- > AOLserver - http://www.aolserver.com/ > > To Remove yourself from this list, simply send an email to > <[EMAIL PROTECTED]> with the body of "SIGNOFF AOLSERVER" in > the email message. You can leave the > Subject: field of your email blank. -- AOLserver - http://www.aolserver.com/ To Remove yourself from this list, simply send an email to <[EMAIL PROTECTED]> with the body of "SIGNOFF AOLSERVER" in the email message. You can leave the Subject: field of your email blank. -- AOLserver - http://www.aolserver.com/ To Remove yourself from this list, simply send an email to <[EMAIL PROTECTED]> with the body of "SIGNOFF AOLSERVER" in the email message. You can leave the Subject: field of your email blank.
