[Bug 4740] New: Connection reset by peer when having TLS in Nginx

mercurial-bugs at selenic.com mercurial-bugs at selenic.com
Wed Jul 1 10:10:17 CDT 2015


http://bz.selenic.com/show_bug.cgi?id=4740

          Priority: normal
            Bug ID: 4740
                CC: mercurial-devel at selenic.com
          Assignee: bugzilla at selenic.com
           Summary: Connection reset by peer when having TLS in Nginx
          Severity: bug
    Classification: Unclassified
                OS: Linux
          Reporter: jorgex0.o at gmail.com
          Hardware: PC
            Status: UNCONFIRMED
           Version: stable branch
         Component: Mercurial
           Product: Mercurial

I would like to know if this is a Python 2.x related problem.

I have Nginx as reverse proxy with the following config:

server {
    error_log /run/shm/nginx_error.log debug;

    listen 443 ssl;

    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    ssl_certificate /etc/nginx/ssl/wildcard.xxxxx.crt;
    ssl_certificate_key /etc/nginx/ssl/wildcard.xxxxx.key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;

    # modern configuration. tweak to your needs.
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
    ssl_prefer_server_ciphers on;

    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security max-age=15768000;

    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    # ssl_stapling on;
    # ssl_stapling_verify on;

    server_name repos.xxxxxxx.ar;
    location / {
        proxy_pass https://192.xxx.xxx.53:4433;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        client_max_body_size 50m;
    }
}
server {
    error_log /run/shm/nginx_error.log debug;
    listen 80;
    server_name repos.xxxxxx.ar;
    return 301 https://$server_name$request_uri;
}


When I try to clone, I get "Connection Reset by Peer".

If I comment this line: ssl_protocols TLSv1.1 TLSv1.2; then it works, so I
suspect it is a protocol support problem. If so, how can I fix it?



This is a part of the debug file in Nginx:


2015/07/01 11:48:23 [debug] 1112#0: *1 recv() not ready (11: Resource temporarily unavailable)
2015/07/01 11:48:23 [debug] 1112#0: *1 free: 00000000014E21A0
2015/07/01 11:48:23 [debug] 1112#0: post event 0000000001519B70
2015/07/01 11:48:23 [debug] 1112#0: delete posted event 0000000001519B70
2015/07/01 11:48:23 [debug] 1112#0: accept on 0.0.0.0:443, ready: 0
2015/07/01 11:48:23 [debug] 1112#0: posix_memalign: 00000000014A9A20:256 @16
2015/07/01 11:48:23 [debug] 1112#0: *2 accept: 192.168.2.94 fd:12
2015/07/01 11:48:23 [debug] 1112#0: posix_memalign: 00000000014A9B30:256 @16
2015/07/01 11:48:23 [debug] 1112#0: *2 event timer add: 12: 60000:1435762163451
2015/07/01 11:48:23 [debug] 1112#0: *2 reusable connection: 1
2015/07/01 11:48:23 [debug] 1112#0: *2 epoll add event: fd:12 op:1 ev:80002001
2015/07/01 11:48:23 [debug] 1112#0: *2 post event 0000000001519D10
2015/07/01 11:48:23 [debug] 1112#0: *2 delete posted event 0000000001519D10
2015/07/01 11:48:23 [debug] 1112#0: *2 http check ssl handshake
2015/07/01 11:48:23 [debug] 1112#0: *2 http recv(): 1
2015/07/01 11:48:23 [debug] 1112#0: *2 https ssl handshake: 0x16
2015/07/01 11:48:23 [debug] 1112#0: *2 SSL_do_handshake: -1
2015/07/01 11:48:23 [debug] 1112#0: *2 SSL_get_error: 1
2015/07/01 11:48:23 [info] 1112#0: *2 SSL_do_handshake() failed (SSL: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol) while SSL handshaking, client: 192.xxx.xxx.94, server: 0.0.0.0:443
2015/07/01 11:48:23 [debug] 1112#0: *2 close http connection: 12
2015/07/01 11:48:23 [debug] 1112#0: *2 SSL_shutdown: 1
2015/07/01 11:48:23 [debug] 1112#0: *2 event timer del: 12: 1435762163451
2015/07/01 11:48:23 [debug] 1112#0: *2 reusable connection: 0
2015/07/01 11:48:23 [debug] 1112#0: *2 free: 00000000014A9A20, unused: 16
2015/07/01 11:48:23 [debug] 1112#0: *2 free: 00000000014A9B30, unused: 136
2015/07/01 11:48:23 [debug] 1112#0: *1 post event 0000000001519CA8

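The "SSL23_GET_CLIENT_HELLO:unknown protocol" line is what OpenSSL 1.0 reports when the bytes arriving on port 443 match none of the protocol versions the server has enabled (or are not a TLS hello at all), so the diagnostic question is which versions the client actually offers against the `ssl_protocols TLSv1.1 TLSv1.2;` line. The following is an added example, not code from the bug report, Mercurial or nginx: it parses a captured ClientHello record for the versions offered, models the nginx directive, and reports the negotiated version or the mismatch; the sample hellos are constructed in-line.

```python
import struct

NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1", 0x0302: "TLSv1.1",  # wire code -> nginx name
         0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}

def client_hello_versions(data):
    """Versions a ClientHello record offers. Without a supported_versions extension
    (RFC 8446 4.2.1) the client offers everything up to its client_version."""
    if len(data) < 11 or data[0] != 0x16 or data[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")     # e.g. plain HTTP on port 443
    client_version = struct.unpack("!H", data[9:11])[0]
    pos = 11 + 32                                   # skip the 32-byte random
    pos += 1 + data[pos]                            # session_id
    pos += 2 + struct.unpack("!H", data[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + data[pos]                            # compression_methods
    if pos + 2 <= len(data):                        # extensions block is optional
        end = pos + 2 + struct.unpack("!H", data[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", data[pos:pos + 4])
            pos += 4
            if etype == 43:                         # supported_versions
                body = data[pos + 1:pos + 1 + data[pos]]
                return {struct.unpack("!H", body[i:i + 2])[0]
                        for i in range(0, len(body), 2)}
            pos += elen
    return {v for v in NAMES if v <= client_version}

def nginx_versions(directive):
    """Versions enabled by an nginx `ssl_protocols ...;` line."""
    by_name = {name: code for code, name in NAMES.items()}
    return {by_name[t] for t in directive.strip().rstrip(";").split()[1:]}

def negotiate(hello, directive):
    """Highest version both sides allow, or None (nginx then fails the handshake)."""
    common = client_hello_versions(hello) & nginx_versions(directive)
    return NAMES[max(common)] if common else None

def build_client_hello(client_version, supported=()):
    """Constructed minimal ClientHello record for the demo (one cipher suite)."""
    body = struct.pack("!H", client_version) + bytes(32) + b"\x00"
    body += b"\x00\x02\xc0\x2f" + b"\x01\x00"      # cipher_suites, compression
    ext = b""
    if supported:
        vs = b"".join(struct.pack("!H", v) for v in supported)
        ext = struct.pack("!HHB", 43, len(vs) + 1, len(vs)) + vs
    body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

A client that only offers TLSv1 negotiates nothing against `TLSv1.1 TLSv1.2` but succeeds once TLSv1 is back in the list, which is the behaviour the report describes when the directive is commented out.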