We have had keepalivetimeout set to 0 for several months at least.  I don't
think that is a complete solution.  The most common error we see is 'SSL
read error: ssl handshake failure.'  It is the most common by far, but we
also see a few other misc SSL errors.  I tried turning tracing on 5-6 months
ago, but the output was not useful (at least not to me) and now I can't find
those logs.

I have a patch for nsopenssl that hooks into the message callback
(SSL_CTX_set_msg_callback), but I haven't tried using it in production
because it's really, really verbose.  I can give it to anyone that wants it,
but it's also pretty easy to derive from the msg_cb stuff in s_cb.c (from the
openssl dist).

It would be great if we could determine how to reproduce the issue in a
controlled environment.  I'm convinced it's related to the MS https stack.
I've tried just hammering an aolserver instance with a simple vb thing using
System.Net.WebRequest over and over, but it doesn't seem to cause the
error.  I'm not sure if it uses the same underlying code, or if a more
complicated series of events has to occur in order to generate the error.

-Andrew
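
The message above describes a message-callback hook that is too verbose for production use. As an added example (not Andrew's patch and not nsopenssl code), this C helper reduces each message handed to a function registered with SSL_CTX_set_msg_callback to a single line, keeping only alerts and handshake message types. The name summarize_tls_msg and the one-line format are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper for an OpenSSL message callback: pass it the callback's
 * write_p, content_type, buf and len arguments. */
struct name { int id; const char *text; };

static const struct name alert_names[] = {
    {0, "close_notify"}, {10, "unexpected_message"}, {20, "bad_record_mac"},
    {40, "handshake_failure"}, {42, "bad_certificate"},
    {46, "certificate_unknown"}, {48, "unknown_ca"}, {70, "protocol_version"},
    {80, "internal_error"}, {-1, NULL}
};
static const struct name hs_names[] = {
    {0, "hello_request"}, {1, "client_hello"}, {2, "server_hello"},
    {11, "certificate"}, {12, "server_key_exchange"},
    {14, "server_hello_done"}, {16, "client_key_exchange"},
    {20, "finished"}, {-1, NULL}
};

static const char *lookup(const struct name *t, int id)
{
    for (; t->text != NULL; t++)
        if (t->id == id) return t->text;
    return "unknown";
}

/* Writes a one-line summary into out. Returns 1 if a line was produced and
 * 0 if the message is skipped (application data, change_cipher_spec, or a
 * message too short to decode). */
int summarize_tls_msg(int write_p, int content_type,
                      const unsigned char *buf, size_t len,
                      char *out, size_t outlen)
{
    const char *dir = write_p ? "sent" : "recv";

    if (content_type == 21 && len >= 2) {        /* alert: level, description */
        snprintf(out, outlen, "%s alert %s %s (%d)", dir,
                 buf[0] == 2 ? "fatal" : "warning",
                 lookup(alert_names, buf[1]), buf[1]);
        return 1;
    }
    if (content_type == 22 && len >= 4) {        /* handshake: type, 24-bit length */
        unsigned long body = ((unsigned long)buf[1] << 16) |
                             ((unsigned long)buf[2] << 8) | buf[3];
        snprintf(out, outlen, "%s handshake %s (%lu bytes)", dir,
                 lookup(hs_names, buf[0]), body);
        return 1;
    }
    return 0;
}
```

Logging the returned line together with the connection id shows which handshake message was last seen before a failure, without dumping every record.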


On 1/26/07, Scott Goodwin <[EMAIL PROTECTED]> wrote:

Hi Steve,

If keepalivetimeout is not set at all in your nsd.tcl, it means you
are using keepalive and it is set to 30 seconds. Can you try adding
the keepalivetimeout parameter and setting it to 0 as I mentioned in
a previous message and see if that solves the problem? I'm pretty
sure Andrew found the correct information -- that MSIE has difficulty
with keepalive conns over SSL, particularly since no one has been
able to replicate the problem with other browsers or load testers.
Note that turning off keepalive will turn it off for non-SSL conns as
well, so if you try it, do be careful.

/s.

On Jan 26, 2007, at 2:44 PM, Steve Manning wrote:

> Hi Scott
>
> Long time no hear.
>
> The site is http://www.fancydress.com running on Linux - Centos 4.4
> (RHEL4 derived). We run AOLserver 4.0.10 with OpenACS 5.0.4 over the
> top.
>
> OpenSSL is 0.9.7a-43-14 from the supplied RPM and we're using the
> nsopenssl tagged as v3.0beta26 from cvs.
>
> From the config we have:
>
>         ns_section ns/server/${server}/module/nsopenssl/sslcontext/users
>         ns_param Role                  server
>         .
>         .
>         .
>         .
>         # for Protocols                "ALL" = "SSLv2, SSLv3, TLSv1"
>         ns_param Protocols             "SSLv3, TLSv1"
>         ns_param CipherSuite           "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
>         ns_param PeerVerify            false
>         ns_param PeerVerifyDepth       3
>         ns_param Trace                 false
>         ns_param SessionCache true
>         ns_param SessionCacheID 1
>         ns_param SessionCacheSize 512
>         ns_param SessionCacheTimeout 300
>
> keepalivetimeout is not set.
>
> Just from this evenings log I can see e.g.
>
>         [26/Jan/2007:18:52:34][25120.3050740656][-conn:fancydress::14] Error: nsopenssl (fancydress): SSL read error: bad write retry
>
>         [26/Jan/2007:19:02:28][25120.3023371184][-conn:fancydress::40] Error: nsopenssl (fancydress): SSL read error: ssl handshake failure
>
> Let me know if you need anything else.
>
>       Steve
>
>
> On Fri, 2007-01-26 at 12:55 -0500, Scott Goodwin wrote:
>> Steve, what version of OpenSSL are you running on the site that
>> you're experiencing this problem on?
>>
>> /s.
>>
>> On Jan 26, 2007, at 3:55 AM, Steve Manning wrote:
>>
>>> Alex
>>>
>>> We see this problem as well and I think it's related to the system
>>> load. Our peak load is in October when we are averaging over 500,000
>>> pages per day and we have had reports of blank pages being returned
>>> during this time.
>>>
>>> I spoke to Dossy about it in Sept last year as I know he's been doing
>>> some work on tidying it up but it's not yet been committed. See
>>> below.
>>>
>>>     Steve
>>>
>>
>>
>> --
>> AOLserver - http://www.aolserver.com/
>>
>> To Remove yourself from this list, simply send an email to
>> <[EMAIL PROTECTED]> with the
>> body of "SIGNOFF AOLSERVER" in the email message. You can leave the
>> Subject: field of your email blank.
> --
> Steve Manning - Mandrake Linux 10.1 - Gnome 2.6
> East Goscote  - Leicester - UK +44 (0)116 260 5457
> E-Mail: [EMAIL PROTECTED] - Web: www.festinalente.co.uk
> AIM: verbomania - Public Key: 25665CAF from wwwkeys.pgp.net
> -----------------------------------------------------------
>      There are only 10 types of people in this world
>      Those who understand binary and those who don't
> -----------------------------------------------------------