Asynch Mode for NGINX*

Introduction

Nginx* [engine x] is an HTTP and reverse proxy server, a mail proxy server, and a generic TCP/UDP proxy server, originally written by Igor Sysoev. This project provides an extended Nginx working with asynchronous mode OpenSSL*. With Intel® QuickAssist Technology (QAT) acceleration, Asynch Mode for NGINX* can provide significant performance improvement.

Licensing

The Licensing of the files within this project is:

Asynch Mode for NGINX* - BSD License. Please see the LICENSE file contained in the top level folder. Further details can be found in the file headers of the relevant files.

Features

  • Asynchronous mode in SSL/TLS processing (including the http/stream/mail/proxy modules)
  • SSL Engine Framework for engine configuration
  • Support for external polling mode and heuristic polling mode
  • Release of hardware resources while a worker is shutting down (for details, see modules/nginx_qat_module/README)
  • Support for the OpenSSL cipher PIPELINE feature
  • Support for the QATzip module to accelerate GZIP compression with Intel® QuickAssist Technology
  • Support for software fallback for asymmetric cryptography algorithms
  • Support for the QAT Engine multibuffer feature: https://github.com/intel/QAT_Engine#intel-qat-openssl-engine-multibuffer-support
  • Support for the FreeBSD operating system

Hardware Requirements

Asynch Mode for NGINX* supports Crypto and Compression offload to the following acceleration devices:

Software Requirements

This release was validated on the following:

Additional Information

  • Asynch Mode for NGINX* is developed based on Nginx-1.22.1.

  • Generate a patch against official Nginx-1.22.1.

        git clone https://github.com/intel/asynch_mode_nginx.git
        wget http://nginx.org/download/nginx-1.22.1.tar.gz
        tar -xvzf nginx-1.22.1.tar.gz
        diff -Naru -x .git nginx-1.22.1 asynch_mode_nginx > async_mode_nginx_1.22.1.patch

  • Apply the patch to official Nginx-1.22.1.

        wget http://nginx.org/download/nginx-1.22.1.tar.gz
        tar -xvzf nginx-1.22.1.tar.gz
        patch -p0 < async_mode_nginx_1.22.1.patch

  • Generate a patch against the GitHub official read-only mirror.

        git clone https://github.com/intel/asynch_mode_nginx.git
        wget https://github.com/nginx/nginx/archive/release-1.22.1.tar.gz
        tar -xvzf release-1.22.1.tar.gz
        diff -Naru -x .git -x .hgtags nginx-release-1.22.1 asynch_mode_nginx > async_mode_nginx_1.22.1.patch

  • Apply the patch to the GitHub release package.

        wget https://github.com/nginx/nginx/archive/release-1.22.1.tar.gz
        tar -xvzf release-1.22.1.tar.gz
        patch -p0 < async_mode_nginx_1.22.1.patch

  • Asynch Mode for NGINX* SSL engine framework provides new directives:

Directives

Syntax:     ssl_asynch on | off;
Default:    ssl_asynch off;
Context:    stream, mail, http, server

    Enables SSL/TLS asynchronous mode

Example

file: conf/nginx.conf

    http {
        ssl_asynch  on;
        server {...}
    }
    stream {
        ssl_asynch  on;
        server {...}
    }

Directives

Syntax:     proxy_ssl_asynch on | off;
Default:    proxy_ssl_asynch off;
Context:    stream, http, server

Enables the SSL/TLS protocol asynchronous mode for connections to a proxied server.

Example

file: conf/nginx.conf

    http {
        server {
            location /ssl {
                proxy_pass https://127.0.0.1:8082/outer;
                proxy_ssl_asynch on;
            }
        }
    }

Directives

Syntax:     grpc_ssl_asynch on | off;
Default:    grpc_ssl_asynch off;
Context:    http, server

Enables the SSL/TLS protocol asynchronous mode for connections to a grpc server.

Example

file: conf/nginx.conf

    http {
        server {
            location /grpcs {
                grpc_pass https://127.0.0.1:8082/outer;
                grpc_ssl_asynch on;
            }
        }
    }
  • Asynch Mode for NGINX* provides a new option, asynch, for the listen directive.

Example

file: conf/nginx.conf

    http {
        server{ listen 443 asynch; }
    }
  • Support for the OpenSSL cipher PIPELINE feature (for details on the pipeline settings, refer to the OpenSSL docs)

Directives

Syntax:     ssl_max_pipelines size;
Default:    ssl_max_pipelines 0;
Context:    server

Sets the maximum number of pipelines

Directives

Syntax:     ssl_split_send_fragment size;
Default:    ssl_split_send_fragment 0;
Context:    server

Sets the split size of the sending fragment

Directives

Syntax:     ssl_max_send_fragment size;
Default:    ssl_max_send_fragment 0;
Context:    server

Sets the maximum size of the sending fragment

Limitations

  • Nginx supports the reload operation. When QAT hardware is used for crypto offload, the user must ensure that enough QAT instances are available: the number of available QAT instances should be equal to or more than 2x the Nginx worker process number.

    For example, if the worker process number in the Nginx configuration file (nginx.conf) is configured as

       worker_processes 16;

    Then the instance configuration in QAT driver configuration file should be

        [SHIM]
        NumberCyInstances = 1
        NumberDcInstances = 0
        NumProcesses = 32
        LimitDevAccess = 0
  • When worker_processes auto is configured, Asynch Mode for NGINX* needs an instance count equal to or larger than 2 times the CPU core count. Otherwise, Asynch Mode for NGINX* may show various issues caused by a lack of instances.

  • Nginx supports the QAT engine and the QATzip module. By default, both use the User Space DMA-able Memory (USDM) component. The USDM component is located within the upstream Intel® QAT driver source code in the subdirectory quickassist/utilities/libusdm_drv. This component must be enabled and assigned enough memory before using nginx_qat_module or nginx_qatzip_module, for example:

        echo 2048 > /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages
        insmod ./usdm_drv.ko max_huge_pages=2048 max_huge_pages_per_process=32
  • The AES-CBC-HMAC-SHA algorithm is not offloaded to QAT_HW if Encrypt-then-MAC (ETM) mode is used for the SSL connection (the default). Refer to QAT_Engine for more details.

  • The QATzip module currently supports GZIP compression acceleration; user-defined dictionary compression is not supported yet.

  • The HTTP2 protocol does not support asynchronous functionality.
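The 2x rule above (and the HUP-signal segmentation fault listed under Known Issues) is easy to get wrong when worker_processes and the QAT driver config are maintained separately. The following POSIX shell script is an added example, not part of the asynch_mode_nginx project: it reads worker_processes from an nginx.conf, reads NumProcesses from a named section of the QAT driver config (the [SHIM] INI-style form shown above), and fails when NumProcesses is below 2 x workers. The sample files it builds in demo_capacity are constructed for the demonstration; GNU/BSD sed and awk are assumed.

```shell
#!/bin/sh
# Added example, not part of the asynch_mode_nginx project: verify that the QAT
# driver config provides at least 2 x worker_processes as NumProcesses, the
# sizing rule the README gives for safe reload (HUP) with QAT offload.
# Assumptions: POSIX sed/awk; QAT driver config in the INI-like form shown in
# the README ([SHIM] section containing "NumProcesses = N").

# Print the worker count from an nginx.conf. "auto" resolves to the number of
# online CPUs; an absent directive means the Nginx default of 1.
nginx_worker_processes() {
    val=$(sed -n 's/^[[:space:]]*worker_processes[[:space:]]*\([^;]*\);.*/\1/p' "$1" \
          | head -n 1 | tr -d '[:space:]')
    case "$val" in
        auto) nproc 2>/dev/null || getconf _NPROCESSORS_ONLN ;;
        "")   echo 1 ;;
        *)    echo "$val" ;;
    esac
}

# Print NumProcesses from section [$2] of the QAT driver config $1
# (empty output if the section or the key is missing).
qat_num_processes() {
    awk -v sec="[$2]" '
        $1 == sec                                          { in_sec = 1; next }
        /^[[:space:]]*\[/                                  { in_sec = 0 }
        in_sec && /^[[:space:]]*NumProcesses[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit
        }' "$1"
}

# Return 0 when NumProcesses >= 2 * worker_processes, 1 otherwise.
# $1 nginx.conf, $2 QAT driver config, $3 section name (default SHIM).
check_qat_capacity() {
    workers=$(nginx_worker_processes "$1")
    section="${3:-SHIM}"
    procs=$(qat_num_processes "$2" "$section")
    need=$((workers * 2))
    if [ -z "$procs" ]; then
        echo "no NumProcesses in [$section] of $2" >&2
        return 1
    fi
    if [ "$procs" -ge "$need" ]; then
        echo "ok: [$section] NumProcesses=$procs covers $workers workers (need $need)"
        return 0
    fi
    echo "short: [$section] NumProcesses=$procs < $need needed for $workers workers" >&2
    return 1
}

# Run the check on constructed sample files (not real deployment configs):
# $1 worker_processes value, $2 NumProcesses value. Returns the check's status.
demo_capacity() {
    tmp=$(mktemp -d)
    printf 'worker_processes %s;\nevents { worker_connections 1024; }\n' "$1" > "$tmp/nginx.conf"
    printf '[GENERAL]\nNumProcesses = 1\n\n[SHIM]\nNumberCyInstances = 1\nNumberDcInstances = 0\nNumProcesses = %s\nLimitDevAccess = 0\n' "$2" > "$tmp/qat.conf"
    check_qat_capacity "$tmp/nginx.conf" "$tmp/qat.conf" SHIM
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Real usage: check_qat_capacity /path/to/nginx.conf /path/to/<qat driver>.conf SHIM
# (the driver config path is a placeholder; it depends on your QAT driver).
if [ "$#" -eq 2 ]; then
    check_qat_capacity "$1" "$2"
fi
```

Running it against the README's own numbers (worker_processes 16, NumProcesses 32) passes, while NumProcesses 31 fails, which is the condition under which the HUP-signal crash in Known Issues appears. Hooking the check into the deployment pipeline before a reload is cheaper than diagnosing a worker crash during a TLS handshake.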

Installation Instructions

Asynch Mode for NGINX* Installation

Set the following environmental variables:

NGINX_INSTALL_DIR is the directory where Nginx will be installed to

OPENSSL_LIB is the directory where the OpenSSL has been installed to

QZ_ROOT is the directory where the QATzip has been compiled to

Configure nginx for compilation:

Configure Nginx against OpenSSL 3.0
```bash
./configure \
    --prefix=$NGINX_INSTALL_DIR \
    --with-http_ssl_module \
    --add-dynamic-module=modules/nginx_qatzip_module \
    --add-dynamic-module=modules/nginx_qat_module/ \
    --with-cc-opt="-DNGX_SECURE_MEM -I$OPENSSL_LIB/include -I$ICP_ROOT/quickassist/include -I$ICP_ROOT/quickassist/include/dc -I$QZ_ROOT/include -Wno-error=deprecated-declarations" \
    --with-ld-opt="-Wl,-rpath=$OPENSSL_LIB/lib64 -L$OPENSSL_LIB/lib64 -L$QZ_ROOT/src -lqatzip -lz"
```

Compile and Install:

    make
    make install

Nginx supports running workers as a non-root user, for example:

Add user qat in group qat by running the following commands in your terminal:
```bash
    groupadd qat
    useradd -g qat qat
```

In nginx.conf, set the worker user to qat, the user you added above:
```bash
    user qat qat;
```

Then give the non-root worker enough permission to use QAT by running the following commands in your terminal:
```bash
    chgrp qat /dev/qat_*
    chmod 660 /dev/qat_*
    chgrp qat /dev/usdm_drv
    chmod 660 /dev/usdm_drv
    chgrp qat /dev/uio*
    chmod 660 /dev/uio*
    chgrp qat /dev/hugepages
    chmod 770 /dev/hugepages
    chgrp qat /usr/local/lib/libqat_s.so
    chgrp qat /usr/local/lib/libusdm_drv_s.so
```
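Because the worker now runs unprivileged, a missing chgrp or an over-broad chmod on one of these nodes shows up either as a handshake failure or as a device that any local user can open. The following POSIX shell script is an added example, not part of the asynch_mode_nginx project: check_perm verifies the group and (optionally) the octal mode of one path, and check_qat_worker_access walks exactly the paths listed above with the modes the README sets. It assumes GNU stat on Linux (stat -c %G / %a).

```shell
#!/bin/sh
# Added example, not part of the asynch_mode_nginx project: audit that the QAT
# device nodes and libraries carry the group and mode the README's chgrp/chmod
# steps set for a non-root worker. Assumes GNU stat (-c %G / %a) on Linux.

# Return 0 when $1 is owned by group $2 and, if $3 is given, has octal mode $3.
# Problems are reported on stderr.
check_perm() {
    path="$1"; group="$2"; mode="${3:-}"
    if [ ! -e "$path" ]; then
        echo "missing: $path" >&2
        return 1
    fi
    have_group=$(stat -c %G "$path")
    if [ "$have_group" != "$group" ]; then
        echo "wrong group: $path is $have_group, expected $group" >&2
        return 1
    fi
    if [ -n "$mode" ]; then
        have_mode=$(stat -c %a "$path")
        if [ "$have_mode" != "$mode" ]; then
            echo "wrong mode: $path is $have_mode, expected $mode" >&2
            return 1
        fi
    fi
    return 0
}

# Check every path the README's non-root setup touches, for worker group $1.
# Device nodes need 660, the hugepages directory 770, the libraries only the
# group. Returns 0 only if all checks pass.
check_qat_worker_access() {
    group="$1"; status=0
    for dev in /dev/qat_* /dev/usdm_drv /dev/uio*; do
        check_perm "$dev" "$group" 660 || status=1
    done
    check_perm /dev/hugepages "$group" 770 || status=1
    for lib in /usr/local/lib/libqat_s.so /usr/local/lib/libusdm_drv_s.so; do
        check_perm "$lib" "$group" || status=1
    done
    return $status
}

# Real usage: check_qat_worker_access qat
if [ "$#" -eq 1 ]; then
    check_qat_worker_access "$1"
fi
```

The modes are compared for exact equality on purpose: a node left at 666 would also let the worker in, but it would grant every local account access to the accelerator and its hugepage memory, so the audit treats it as a failure rather than as "at least 660".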

Build OpenSSL* and QAT engine

These instructions can be found on QAT engine

Build QATzip

These instructions can be found on QATzip

Run Nginx official test

These instructions can be found on Official test

Performance Testing Best Known Methodology

These instructions can be found in the performance BKM README: https://github.com/intel/asynch_mode_nginx/blob/master/test/performance_bkm/README.md

SSL Engine Framework for Configuration

As QAT engine is implemented as a standard OpenSSL* engine, its behavior can be controlled from the OpenSSL* configuration file (openssl.conf), which can be found on QAT engine.

Note: From v0.3.2 and later, this kind of configuration in openssl.conf will not be effective for Nginx. Please use the following method to configure Nginx SSL engine, such as Intel® QAT.

An SSL Engine Framework is introduced to provide a more powerful and flexible mechanism to configure Nginx SSL engine directly in the Nginx configuration file (nginx.conf).

ssl_engine configuration

A new configuration block is introduced as ssl_engine which provides two general directives:

Sets the engine module and engine id for OpenSSL async engine. For example:

Syntax:     use_engine [engine module name] [engine id];
Default:    N/A
Context:    ssl_engine
Description:
            Specify the engine module name against engine id

Sets the engine module and engine id for OpenSSL async engine by only providing the engine id. The engine module should be the same as engine id in this case.

Syntax:     use_engine [engine id];
Default:    N/A
Context:    ssl_engine
Description:
            Specify the engine id

Syntax:     default_algorithms [ALL/RSA/EC/...];
Default:    ALL
Context:    ssl_engine
Description:
            Specify the algorithms to be offloaded to the engine.
            For more details, refer to the OpenSSL engine documentation.

A configuration sub-block can follow to set engine-specific configuration. The name of the sub-block must use the engine name specified in use_engine as its prefix, in the form [engine_name]_engine.

nginx_qat_module

Any third-party module can be integrated into this framework. By default, a reference module dasync_module is provided in src/engine/modules and a QAT module nginx_qat_module is provided in modules/nginx_qat_modules.

An example configuration in the nginx.conf:

    load_module modules/ngx_ssl_engine_qat_module.so;
    ...
    ssl_engine {
        use_engine qatengine;
        default_algorithms RSA,EC,DH,PKEY_CRYPTO;
        qat_engine {
            qat_sw_fallback on;
            qat_offload_mode async;
            qat_notify_mode poll;
            qat_poll_mode heuristic;
            qat_shutting_down_release on;
        }
    }

For more details on the directives of nginx_qat_module, refer to modules/nginx_qat_modules/README.

Support for Nginx Side Polling

The qat_module provides two kinds of Nginx side polling for QAT engine,

  • external polling mode
  • heuristic polling mode

Please refer to the README file in the modules/nginx_qat_modules directory to install this dynamic module.

Note: External polling and heuristic polling are unavailable in the SSL proxy and stream modules as of the current release.

External Polling Mode

Timer-based polling is employed in each Nginx worker process to collect the accelerator's responses.

Directives in the qat_module

Syntax:     qat_external_poll_interval time;
Default:    1
Dependency: Valid if (qat_poll_mode=external)
Context:    qat_engine
Description:
            External polling time interval (ms)
            Valid value: 1 ~ 1000

Example file: conf/nginx.conf

    load_module modules/ngx_ssl_engine_qat_module.so;
    ...
    ssl_engine {
        use_engine qatengine;
        default_algorithms ALL;
        qat_engine {
            qat_offload_mode async;
            qat_notify_mode poll;

            qat_poll_mode external;
            qat_external_poll_interval 1;
        }
    }

Heuristic Polling Mode

This mode can be regarded as an improvement of the timer-based external polling. It is the recommended polling mode for communicating with QAT accelerators because of its performance advantages. Using its knowledge of the offload traffic, it controls the response reaping rate to match the request submission rate, maximizing system efficiency with moderate latency and adapting well to diverse types of network traffic.

Note:

  • This mode is only available when using QAT engine v0.5.35 or later.
  • External polling timer is enabled by default when heuristic polling mode is enabled.

In the heuristic polling mode, a polling operation is only triggered at a proper moment:

  • Number of in-flight offload requests reaches a pre-defined threshold (in consideration of efficiency)
  • All the active SSL connections have submitted their cryptographic requests and are waiting for the corresponding responses (in consideration of timeliness).

Directives in the qat_module

Syntax:     qat_heuristic_poll_asym_threshold num;
Default:    48
Dependency: Valid if (qat_poll_mode=heuristic)
Context:    qat_engine
Description:
            Threshold of the number of in-flight requests to trigger a polling
            operation when there are in-flight asymmetric crypto requests
            Valid value: 1 ~ 512


Syntax:     qat_heuristic_poll_sym_threshold num;
Default:    24
Dependency: Valid if (qat_poll_mode=heuristic)
Context:    qat_engine
Description:
            Threshold of the number of in-flight requests to trigger a polling
            operation when there is no in-flight asymmetric crypto request
            Valid value: 1 ~ 512

Example file: conf/nginx.conf

    load_module modules/ngx_ssl_engine_qat_module.so;
    ...
    ssl_engine {
        use_engine qatengine;
        default_algorithms ALL;
        qat_engine {
            qat_offload_mode async;
            qat_notify_mode poll;

            qat_poll_mode heuristic;
            qat_heuristic_poll_asym_threshold 48;
            qat_heuristic_poll_sym_threshold 24;
        }
    }

QATzip Module Configuration

This module accelerates GZIP compression with QAT accelerators through the QATzip stream API released in v0.2.6. The software fallback feature of QATzip was released in v1.0.0.

Note:

  • This mode is only available when using QATzip v1.0.0 or later.
  • This mode relies on the gzip module for the SW fallback feature.
  • qatzip_sw is set to failover by default; do not load the QATzip module if you do not want qatzip enabled, otherwise it will be enabled and set to failover.

Directives in the qatzip_module

    Syntax:     qatzip_sw only/failover/no;
    Default:    qatzip_sw failover;
    Context:    http, server, location, if in location
    Description:
                only: qatzip is disabled, gzip is used;
                failover: qatzip is enabled, with the qatzip software fallback feature enabled;
                no: qatzip is enabled, with the qatzip software fallback feature disabled.

    Syntax:     qatzip_chunk_size size;
    Default:    qatzip_chunk_size 64k;
    Context:    http, server, location
    Description:
                Sets the chunk buffer size in which data will be compressed into
                one deflate block. By default, the buffer size is equal to 64K.

    Syntax:     qatzip_stream_size size;
    Default:    qatzip_stream_size 256k;
    Context:    http, server, location
    Description:
                Sets the size of stream buffers in which data will be compressed into
                multiple deflate blocks and only the last block has FINAL bit being set.
                By default, the stream buffer size is 256K.

Example file: conf/nginx.conf

    load_module modules/ngx_http_qatzip_filter_module.so;
    ...

    gzip_http_version   1.0;
    gzip_proxied any;
    qatzip_sw failover;
    qatzip_min_length 128;
    qatzip_comp_level 1;
    qatzip_buffers 16 8k;
    qatzip_types text/css text/javascript text/xml text/plain text/x-component application/javascript application/json application/xml application/rss+xml font/truetype font/opentype application/vnd.ms-fontobject image/svg+xml application/octet-stream image/jpeg;
    qatzip_chunk_size   64k;
    qatzip_stream_size  256k;
    qatzip_sw_threshold 256;

For more details on the directives of nginx_qatzip_module, refer to modules/nginx_qatzip_modules/README.

QAT Sample Configuration

file: conf/nginx.QAT-sample.conf

This sample configuration file shows how to configure QAT in nginx.conf. It includes:

  • Enabling the SSL QAT engine in heuristic mode.
  • Support for HTTPS async mode.
  • Enabling QATzip support.
  • Selecting TLS 1.2 as the default ssl_protocols.

Note:

  • The QAT configuration needs crypto and compression instances for the user-space application.

Known Issues

'Orphan ring' errors in dmesg output when Nginx exits
With the current QAT driver, Nginx workers exit with 'Orphan ring' errors. This issue is fixed in a future QAT driver release.

Cache manager/loader processes allocate QAT instances via the QAT engine
According to the current QAT engine design, a child process forked by the master process initializes the QAT engine automatically in the QAT engine atfork hook function. If cache manager/loader processes are employed, QAT instances are allocated for them in the same way as for worker processes. In Nginx's native design, cache manager/loader processes do not run the modules' exit-process method, which produces "Orphan ring" error messages in dmesg output.

Segmentation fault when sending HUP signal with insufficient QAT instances
If the available QAT instance number is less than 2x the Nginx worker process number, a segmentation fault happens when sending the HUP signal to Asynch Mode for NGINX*. Use qat_sw_fallback on; in the qat_engine block as a workaround for this issue. Special attention is needed to ensure the QAT instances are sufficient when setting worker_processes auto;.

Insufficient HW resources cause a segmentation fault when sending HUP signal
Before running nginx, make sure you have arranged enough HW resources for it, including memory and hard disk space. Exhausted disk space or out-of-memory conditions cause a core dump when nginx receives the HUP signal during the handshake phase.

Performance drop under OpenSSL 3.0

  • Both ECDH and PRF cause performance drop under OpenSSL 3.0.
  • Due to changes in the OpenSSL 3.0 framework, TLS handshake performance is significantly degraded. See this issue for details.

The 0-RTT (early data) issue
The 0-RTT (early data) feature does not support async mode in current asynch_mode_nginx, so it's not recommended to use async offload to QAT hardware during early data process.

CHACHA-POLY and AES-GCM throughput performance issue
Because of a memory allocation bottleneck, the throughput of CHACHA-Poly and AES-GCM cannot reach its peak value when running with 4 or more QAT devices.

Intended Audience

The target audience may be software developers, test and validation engineers, system integrators, end users and consumers for Asynch Mode for NGINX* integrated Intel® Quick Assist Technology.

Legal

Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

This document contains information on products, services and/or processes in development. All information provided here is subject to change without notice. Contact your Intel representative to obtain the latest forecast, schedule, specifications and roadmaps.

The products and services described may contain defects or errors known as errata which may cause deviations from published specifications. Current characterized errata are available on request.

Copies of documents which have an order number and are referenced in this document may be obtained by calling 1-800-548-4725 or by visiting www.intel.com/design/literature.htm.

Intel, the Intel logo are trademarks of Intel Corporation in the U.S. and/or other countries.

*Other names and brands may be claimed as the property of others


asynch_mode_nginx's Issues

mkstemp(/dev/hugepages/qat/usdm.W7jet6) for hpg_fd failed,SSL_do_handshake() failed

1. version

Driver: qat1.7.l.4.9.0-00008
Qat_Engine:v0.5.44
OpenSSL-1.1.1g

2. ./nginx/sbin/nginx -V

nginx version: openresty/1.15.8.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-36) (GCC)
built with OpenSSL 1.1.1g 21 Apr 2020
TLS SNI support enabled
configure arguments: --prefix=/export/servers/OpenResty-1.15.8/nginx --with-cc-opt='-O2 -ggdb -O2 -I/export/servers/OpenResty-1.15.8/include -I/export/servers/OpenSSL-1.1.1g/include -I/export/servers/qat/QATzip/include -I/export/servers/zlib-1.2.11/include -D NGX_SECURE_MEM -D JD_NGX_SSL_HANDSHAKE_TIME -D JD_NGX_HTTP_UPSTREAM_RANDOM -Wno-error=deprecated-declarations' --add-module=../ngx_devel_kit-0.3.1rc1 --add-module=../echo-nginx-module-0.61 --add-module=../xss-nginx-module-0.06 --add-module=../ngx_coolkit-0.2 --add-module=../set-misc-nginx-module-0.32 --add-module=../form-input-nginx-module-0.12 --add-module=../encrypted-session-nginx-module-0.08 --add-module=../srcache-nginx-module-0.31 --add-module=../ngx_lua-0.10.15 --add-module=../ngx_lua_upstream-0.07 --add-module=../headers-more-nginx-module-0.33 --add-module=../array-var-nginx-module-0.05 --add-module=../memc-nginx-module-0.19 --add-module=../redis2-nginx-module-0.15 --add-module=../redis-nginx-module-0.3.7 --add-module=../rds-json-nginx-module-0.15 --add-module=../rds-csv-nginx-module-0.09 --add-module=../ngx_stream_lua-0.0.7 --with-ld-opt='-Wl,-rpath,/export/servers/OpenResty-1.15.8/luajit/lib -Wl,-rpath=/export/servers/OpenSSL-1.1.1g/lib -L/export/servers/OpenSSL-1.1.1g/lib -L/export/servers/qat/QATzip/lib64 -lqatzip -L/export/servers/zlib-1.2.11/lib -lz -lssl' --with-pcre=/root/rpmbuild/BUILD/OpenResty-1.15.8-2.3-56.851dbdb/thirdparty/pcre-8.39 --with-pcre-jit --with-threads --with-http_auth_request_module --with-http_ssl_module --with-http_gzip_static_module --with-http_stub_status_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_slice_module --add-module=/root/rpmbuild/BUILD/OpenResty-1.15.8-2.3-56.851dbdb/thirdparty/lua-ssl-nginx-module --add-module=/root/rpmbuild/BUILD/OpenResty-1.15.8-2.3-56.851dbdb/thirdparty/ngx_http_dyups_module --add-module=/root/rpmbuild/BUILD/OpenResty-1.15.8-2.3-56.851dbdb/thirdparty/ngx_http_sticky_module --with-stream 
--with-stream_ssl_module --with-openssl-async --with-http_gunzip_module --with-pcre-opt='-g -Ofast -fPIC -m64 -march=native -fstack-protector-strong -D_FORTIFY_SOURCE=2' --add-dynamic-module=/root/rpmbuild/BUILD/OpenResty-1.15.8-2.3-56.851dbdb/thirdparty/nginx_qat_module --add-dynamic-module=/root/rpmbuild/BUILD/OpenResty-1.15.8-2.3-56.851dbdb/thirdparty/nginx_qatzip_module --with-stream --with-stream_ssl_preread_module

3. ldd nginx/sbin/nginx

linux-vdso.so.1 =>  (0x00007fff5dadb000)
libqatzip.so.1 => /export/servers/qat/QATzip/lib64/libqatzip.so.1 (0x00007f62f51d1000)
libz.so.1 => /export/servers/zlib-1.2.11/lib/libz.so.1 (0x00007f62f4fb6000)
libssl.so.1.1 => /export/servers/OpenSSL-1.1.1g/lib/libssl.so.1.1 (0x00007f62f4d1f000)
libdl.so.2 => /lib64/libdl.so.2 (0x00007f62f4b1b000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f62f48ff000)
libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007f62f46c8000)
libluajit-5.1.so.2 => /export/servers/OpenResty-1.15.8/luajit/lib/libluajit-5.1.so.2 (0x00007f62f4449000)
libm.so.6 => /lib64/libm.so.6 (0x00007f62f4147000)
libcrypto.so.1.1 => /export/servers/OpenSSL-1.1.1g/lib/libcrypto.so.1.1 (0x00007f62f3c8a000)
libc.so.6 => /lib64/libc.so.6 (0x00007f62f38bd000)
libqat_s.so => /export/servers/qat/QAT_Driver/lib/libqat_s.so (0x00007f62f35e8000)
libusdm_drv_s.so => /export/servers/qat/QAT_Driver/lib/libusdm_drv_s.so (0x00007f62f33d0000)
/lib64/ld-linux-x86-64.so.2 (0x00007f62f583c000)
libfreebl3.so => /lib64/libfreebl3.so (0x00007f62f31cd000)
libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007f62f2fb7000)
libudev.so.1 => /lib64/libudev.so.1 (0x00007f62f2da1000)
librt.so.1 => /lib64/librt.so.1 (0x00007f62f2b99000)
libcap.so.2 => /lib64/libcap.so.2 (0x00007f62f2994000)
libdw.so.1 => /lib64/libdw.so.1 (0x00007f62f2745000)
libattr.so.1 => /lib64/libattr.so.1 (0x00007f62f2540000)
libelf.so.1 => /lib64/libelf.so.1 (0x00007f62f2328000)
liblzma.so.5 => /lib64/liblzma.so.5 (0x00007f62f2102000)
libbz2.so.1 => /lib64/libbz2.so.1 (0x00007f62f1ef2000)

4. curl https://my-qat.jd.com:4443/

5. nginx error log:

hugepage_mmap_phy_addr:147 mkstemp(/dev/hugepages/qat/usdm.AmiB7S) for hpg_fd failed with errno: 13
hugepage_alloc_slab:211 mmap on huge page memory allocation failed
2020/06/23 16:17:17 [crit] 10029#10029: *11 SSL_do_handshake() failed (SSL: error:800800DF:lib(128):qat_ecdh_compute_key:presultx pdata malloc failure error:1422F006:SSL routines:ssl_generate_pkey_group:EVP lib) while SSL handshaking, client: 172.28.13.159, server: 172.28.12.190:4443

NGINX Test problem

Environment

I have an Ubuntu 22.04 with Intel 4xx hardware. I have installed the QAT Hardware 2.0 along with Openssl 3.0, QAT_Engine for Openssl, and QATzip.

Problem

NGINX installs without any issues. But when I run the tests using nginx-test.sh qat or nginx-test.sh dasync I am getting an error.

Command used to run the test:

NGINX_SRC_DIR=/home/ritik-intel/QAT-Scripts/NGINX-QAT NGINX_INSTALL_DIR=/Nginx OPENSSL_ROOT=/home/ritik-intel/QAT-Scripts/openssl-git OPENSSL_LIB=/Openssl QZ_ROOT=/home/ritik-intel/QAT-Scripts/QATzip test/nginx-test.sh qat

Output:

x86_64-linux-gnu-gcc -c  -I ../../../../../src/core -I ../../../../../src/event -I ../../../../../src/event/modules -I ../../../../../src/engine -I ../../../../../src/engine/modules -I ../../../../../src/os/unix -I /usr/include/libxml2 -I ../../../../../objs -I ../../../../../src/http -I ../../../../../src/http/modules -I ../../../../../src/http/v2 -I ../../../../../src/http/modules/perl -D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fwrapv -fno-strict-aliasing -pipe -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -I/usr/lib/x86_64-linux-gnu/perl/5.34/CORE -g -DNGX_SECURE_MEM -DNGX_INTEL_SDL -I/Openssl/include -I/QAT-Driver/quickassist/include -I/QAT-Driver/quickassist/include/dc -I/home/ritik-intel/QAT-Scripts/QATzip/include -Wno-error=deprecated-declarations -O   -DVERSION=\"1.22.1\" -DXS_VERSION=\"1.22.1\" -fPIC "-I/usr/lib/x86_64-linux-gnu/perl/5.34/CORE"   nginx.c
cc -o objs/ngx_http_qatzip_filter_module.so \
objs/addon/nginx_qatzip_module/ngx_http_qatzip_filter_module.o \
objs/ngx_http_qatzip_filter_module_modules.o \
-Wl,-rpath=/Openssl/lib64 -L/Openssl/lib64 -L/home/ritik-intel/QAT-Scripts/QATzip/src -lqatzip -lz \
-z noexecstack -z relro -z now -pie -Wl,-E -fstack-protector-strong -L/usr/local/lib -L/usr/lib/x86_64-linux-gnu/perl/5.34/CORE -lperl -ldl -lm -lpthread -lc -lcrypt \
-shared
/usr/bin/ld: cannot find -lperl: No such file or directory
collect2: error: ld returned 1 exit status
make[1]: *** [objs/Makefile:1904: objs/ngx_http_qatzip_filter_module.so] Error 1
make[1]: *** Waiting for unfinished jobs....
rm -f blib/arch/a

...

/usr/bin/ld: cannot find -lperl: No such file or directory
collect2: error: ld returned 1 exit status
make[1]: *** [objs/Makefile:1904: objs/ngx_http_qatzip_filter_module.so] Error 1
make[1]: *** Waiting for unfinished jobs....
rm -f blib/arch/auto/nginx/nginx.so
x86_64-linux-gnu-gcc  -Wl,-rpath=/Openssl/lib64 -L/Openssl/lib64 -L/home/ritik-intel/QAT-Scripts/QATzip/src -lqatzip -lz -shared -L/usr/local/lib -fstack-protector-strong  nginx.o  -o blib/arch/auto/nginx/nginx.so  \
      \

chmod 755 blib/arch/auto/nginx/nginx.so
Manifying 1 pod document
make[2]: Leaving directory '/home/ritik-intel/QAT-Scripts/NGINX-QAT/objs/src/http/modules/perl'
rm -rf objs/install_perl
make[1]: Leaving directory '/home/ritik-intel/QAT-Scripts/NGINX-QAT'
make: *** [Makefile:10: build] Error 2
cp: cannot stat '/home/ritik-intel/QAT-Scripts/NGINX-QAT/objs/ngx_ssl_engine_qat_module.so': No such file or directory
cp: cannot stat '/home/ritik-intel/QAT-Scripts/NGINX-QAT/objs/ngx_http_qatzip_filter_module.so': No such file or directory
case /home/ritik-intel/QAT-Scripts/NGINX-QAT/test/nginx-tests/not_modified.t failed
Nginx Official Test RESULT:FAIL

Specifically, the issue is here:

/usr/bin/ld: cannot find -lperl: No such file or directory

Please let me know how I can proceed.

SSL_do_handshake() failed

Hello,

I am getting an SSL handshake failure when running a request through the default supplied nginx.QAT-sample.conf (for testing).

Environment:

Centos 7.7.1908
QAT_Engine v0.5.43
QATzip v1.0.1
Openssl 1.1.1c
Intel Communications Chipset 8950 Series

Am getting this error specifically:

*3 SSL_do_handshake() failed (SSL: error:800650ED:lib(128):build_decrypt_op_buf:p q dmp dmq convert to fb failure error:141EC044:SSL routines:tls_construct_server_key_exchange:internal error) while SSL handshaking

Let me know if you need any more information.

multiple segfaults and SSL_shutdown errors

Hi,

we are facing numerous segfaults, maybe related to SSL_shutdown errors. No difference between event/poll method (nor internal/external/heuristic). SSL pipelines usage also does not make any difference. The SSL_shutdown errors look like this [crit] 23057#0: *5413 SSL_shutdown() failed (SSL: error:1409F07F:SSL routines:ssl3_write_pending:bad write retry) while closing request.

  • first segfault is happening while http2 is enabled, this has not been investigated further yet, as we simply tried to disable H2 for the moment
Core was generated by `nginx: worker process                                       '.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  ngx_palloc (pool=0x0, size=size@entry=56) at src/core/ngx_palloc.c:126
126	    if (size <= pool->max) {
(gdb) bt
#0  ngx_palloc (pool=0x0, size=size@entry=56) at src/core/ngx_palloc.c:126
#1  0x0000564521c44173 in ngx_http_v2_send_settings (h2c=0x56452370d6f0, ack=ack@entry=1) at src/http/v2/ngx_http_v2.c:2441
#2  0x0000564521c468c2 in ngx_http_v2_state_settings (h2c=0x56452370d6f0, pos=0x564523717839 "", end=0x564523718e20 "") at src/http/v2/ngx_http_v2.c:1957
#3  0x0000564521c47b55 in ngx_http_v2_read_handler (rev=0x7f1a17250218) at src/http/v2/ngx_http_v2.c:379
#4  0x0000564521c00bcb in ngx_epoll_process_events (cycle=<optimized out>, timer=<optimized out>, flags=<optimized out>) at src/event/modules/ngx_epoll_module.c:889
#5  0x0000564521bf63ca in ngx_process_events_and_timers (cycle=cycle@entry=0x56452369aec0) at src/event/ngx_event.c:247
#6  0x0000564521bfe1d5 in ngx_worker_process_cycle (cycle=cycle@entry=0x56452369aec0, data=data@entry=0x13) at src/os/unix/ngx_process_cycle.c:769
#7  0x0000564521bfcb8c in ngx_spawn_process (cycle=cycle@entry=0x56452369aec0, proc=proc@entry=0x564521bfe160 <ngx_worker_process_cycle>, data=data@entry=0x13, 
    name=name@entry=0x564521c704f7 "worker process", respawn=respawn@entry=-3) at src/os/unix/ngx_process.c:198
#8  0x0000564521bfe490 in ngx_start_worker_processes (cycle=cycle@entry=0x56452369aec0, n=20, type=type@entry=-3) at src/os/unix/ngx_process_cycle.c:360
#9  0x0000564521bff2ea in ngx_master_process_cycle (cycle=0x56452369aec0) at src/os/unix/ngx_process_cycle.c:132
#10 0x0000564521bd8e74 in main (argc=3, argv=<optimized out>) at src/core/nginx.c:374
  • the second segfault, however, happens due to an empty r->read_event_handler
Core was generated by `nginx: worker process                                       '.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0000000000000000 in ?? ()
[Current thread is 1 (Thread 0x7f0b18f1ab40 (LWP 15981))]
(gdb) bt
#0  0x0000000000000000 in ?? ()
#1  0x00005585c657e441 in ngx_http_request_handler (ev=0x7f0b0e9fe968) at src/http/ngx_http_request.c:2216
#2  0x00005585c6568bcb in ngx_epoll_process_events (cycle=<optimized out>, timer=<optimized out>, flags=<optimized out>) at src/event/modules/ngx_epoll_module.c:889
#3  0x00005585c655e3ca in ngx_process_events_and_timers (cycle=cycle@entry=0x5585c7b00ec0) at src/event/ngx_event.c:247
#4  0x00005585c65661d5 in ngx_worker_process_cycle (cycle=cycle@entry=0x5585c7b00ec0, data=data@entry=0x9) at src/os/unix/ngx_process_cycle.c:769
#5  0x00005585c6564b8c in ngx_spawn_process (cycle=cycle@entry=0x5585c7b00ec0, proc=proc@entry=0x5585c6566160 <ngx_worker_process_cycle>, data=data@entry=0x9, 
    name=name@entry=0x5585c65d84f7 "worker process", respawn=respawn@entry=-3) at src/os/unix/ngx_process.c:198
#6  0x00005585c6566490 in ngx_start_worker_processes (cycle=cycle@entry=0x5585c7b00ec0, n=20, type=type@entry=-3) at src/os/unix/ngx_process_cycle.c:360
#7  0x00005585c65672ea in ngx_master_process_cycle (cycle=0x5585c7b00ec0) at src/os/unix/ngx_process_cycle.c:132
#8  0x00005585c6540e74 in main (argc=3, argv=<optimized out>) at src/core/nginx.c:374
(gdb) select 1
(gdb) print *r
$2 = {signature = 3350589192, connection = 0x5585c7b3ed40, ctx = 0x5585c7c8ac30, main_conf = 0x0, srv_conf = 0x0, loc_conf = 0x0, read_event_handler = 0x0, 
  write_event_handler = 0x0, cache = 0x1, upstream = 0x7f0b0f080658, upstream_states = 0x0, pool = 0x5585c7c8ab70, header_in = 0x5585c7b76960, headers_in = {headers = {.... <THERE CONTINUES A LOT OF OTHER OUTPUT>

Line 2216 of src/http/ngx_http_request.c is r->read_event_handler(r);

config
nginx-qat.txt

full gdb output
nginx-gdb.txt

I do not really yet know how to reproduce it, but it happens quite often so I can provide you with any other info you might need, including compiled binaries and core dumps. Let me please know if you need anything else. I'll be glad for any response.

Thanks,
Tomas

QAT Engine failed: GET_NUM_REQUESTS_IN_FLIGHT

kernel: 3.10.0-957.21.3.el7.x86_64
qat_driver: qat1.7.l.4.7.0-00006
qat_engine: v0.5.43
qat_zip: v1.0.1
openssl: openssl-1.1.1c
asynch_mode_nginx: v0.4.1

[root@mycentos asynch_mode_nginx]# ./sbin/nginx -V
nginx version: nginx/1.16.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-36) (GCC)
built with OpenSSL 1.1.1c 28 May 2019
TLS SNI support enabled
configure arguments: --prefix=/export/servers/asynch_mode_nginx --with-http_ssl_module --with-http_stub_status_module --with-http_v2_module --with-stream --with-stream_ssl_module --with-pcre=/export/servers/pcre-8.40 --with-pcre-jit --with-zlib=/export/servers/zlib-1.2.11 --with-pcre-opt='-g -Ofast -fPIC -m64 -march=native -fstack-protector-strong -D_FORTIFY_SOURCE=2' --with-zlib-opt='-g -Ofast -fPIC -m64 -march=native -fstack-protector-strong -D_FORTIFY_SOURCE=2' --add-dynamic-module=modules/nginx_qatzip_module --add-dynamic-module=modules/nginx_qat_module --with-cc-opt=' -fPIC -DNGX_SECURE_MEM -I/export/servers/openssl-1.1.1c/include -I/export/servers/qat/QAT-1.7/QATzip/include -Wno-error=deprecated-declarations' --with-ld-opt='-Wl,-rpath=/export/servers/openssl-1.1.1c/lib -L/export/servers/openssl-1.1.1c/lib -L/export/servers/qat/QAT-1.7/QATzip/src -lqatzip -lz -lssl'
nginx.conf:
...
load_module modules/ngx_ssl_engine_qat_module.so;
load_module modules/ngx_http_qatzip_filter_module.so;

events {
use epoll;
worker_connections 102400;
}

ssl_engine {
use_engine qat;
default_algorithms ALL;
qat_engine {
qat_offload_mode async;
qat_notify_mode poll;
qat_poll_mode heuristic;
qat_heuristic_poll_asym_threshold 48;
qat_heuristic_poll_sym_threshold 24;
}
}
....
http {
gzip on;
gzip_http_version 1.0;
gzip_proxied any;
qatzip_sw failover;
qatzip_min_length 128;
qatzip_comp_level 1;
qatzip_buffers 16 8k;
qatzip_types text/css text/javascript text/xml text/plain text/x-component application/javascript application/json application/xml application/rss+xml font/truetype font/opentype application/vnd.ms-fontobject image/svg+xml application/octet-stream image/jpeg;
qatzip_chunk_size 64k;
qatzip_stream_size 256k;
qatzip_sw_threshold 256;
server {
....
}
}

nginx error log:
2020/06/16 18:59:09 [emerg] 4119#0: QAT Engine failed: GET_NUM_REQUESTS_IN_FLIGHT
2020/06/16 18:59:09 [emerg] 4120#0: QAT Engine failed: GET_NUM_REQUESTS_IN_FLIGHT
2020/06/16 18:59:09 [emerg] 4121#0: QAT Engine failed: GET_NUM_REQUESTS_IN_FLIGHT
2020/06/16 18:59:09 [emerg] 4123#0: QAT Engine failed: GET_NUM_REQUESTS_IN_FLIGHT
2020/06/16 18:59:09 [emerg] 4122#0: QAT Engine failed: GET_NUM_REQUESTS_IN_FLIGHT
2020/06/16 18:59:09 [emerg] 4124#0: QAT Engine failed: GET_NUM_REQUESTS_IN_FLIGHT
2020/06/16 18:59:09 [emerg] 4126#0: QAT Engine failed: GET_NUM_REQUESTS_IN_FLIGHT
2020/06/16 18:59:09 [emerg] 4125#0: QAT Engine failed: GET_NUM_REQUESTS_IN_FLIGHT
2020/06/16 18:59:09 [emerg] 4137#0: QAT Engine failed: GET_NUM_REQUESTS_IN_FLIGHT
2020/06/16 18:59:09 [emerg] 4136#0: QAT Engine failed: GET_NUM_REQUESTS_IN_FLIGHT
2020/06/16 18:59:09 [emerg] 4135#0: QAT Engine failed: GET_NUM_REQUESTS_IN_FLIGHT
2020/06/16 18:59:09 [emerg] 4138#0: QAT Engine failed: GET_NUM_REQUESTS_IN_FLIGHT
2020/06/16 18:59:09 [emerg] 4139#0: QAT Engine failed: GET_NUM_REQUESTS_IN_FLIGHT
2020/06/16 18:59:09 [emerg] 4140#0: QAT Engine failed: GET_NUM_REQUESTS_IN_FLIGHT
2020/06/16 18:59:09 [emerg] 4142#0: QAT Engine failed: GET_NUM_REQUESTS_IN_FLIGHT
2020/06/16 18:59:09 [emerg] 4141#0: QAT Engine failed: GET_NUM_REQUESTS_IN_FLIGHT
2020/06/16 18:59:09 [emerg] 4132#0: QAT Engine failed: GET_NUM_REQUESTS_IN_FLIGHT
2020/06/16 18:59:09 [emerg] 4128#0: QAT Engine failed: GET_NUM_REQUESTS_IN_FLIGHT
2020/06/16 18:59:09 [emerg] 4127#0: QAT Engine failed: GET_NUM_REQUESTS_IN_FLIGHT
2020/06/16 18:59:09 [emerg] 4130#0: QAT Engine failed: GET_NUM_REQUESTS_IN_FLIGHT
2020/06/16 18:59:09 [emerg] 4129#0: QAT Engine failed: GET_NUM_REQUESTS_IN_FLIGHT
2020/06/16 18:59:10 [alert] 4117#0: worker process 4119 exited with fatal code 2 and cannot be respawned
2020/06/16 18:59:10 [alert] 4117#0: worker process 4120 exited with fatal code 2 and cannot be respawned
2020/06/16 18:59:10 [alert] 4117#0: worker process 4121 exited with fatal code 2 and cannot be respawned
2020/06/16 18:59:09 [emerg] 4131#0: QAT Engine failed: GET_NUM_REQUESTS_IN_FLIGHT
2020/06/16 18:59:10 [alert] 4117#0: worker process 4122 exited with fatal code 2 and cannot be respawned
2020/06/16 18:59:10 [alert] 4117#0: worker process 4123 exited with fatal code 2 and cannot be respawned
2020/06/16 18:59:10 [alert] 4117#0: worker process 4124 exited with fatal code 2 and cannot be respawned
2020/06/16 18:59:10 [alert] 4117#0: worker process 4126 exited with fatal code 2 and cannot be respawned
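As an added example (not part of the original report), a small Python parser over constructed lines in the same format as the error log above. It correlates each worker's "QAT Engine failed: <CTRL>" emerg line with the master's "exited with fatal code" alert by PID, so the failing engine control command behind a mass worker exit is visible at a glance; the log layout regexes are assumptions based on the lines shown.

```python
import re
from collections import Counter

# Constructed sample in the same format as the nginx error log quoted above
# (PIDs and timestamps are made up; note the out-of-order 18:59:09 line).
SAMPLE_LOG = """\
2020/06/16 18:59:09 [emerg] 4119#0: QAT Engine failed: GET_NUM_REQUESTS_IN_FLIGHT
2020/06/16 18:59:09 [emerg] 4120#0: QAT Engine failed: GET_NUM_REQUESTS_IN_FLIGHT
2020/06/16 18:59:10 [alert] 4117#0: worker process 4119 exited with fatal code 2 and cannot be respawned
2020/06/16 18:59:10 [alert] 4117#0: worker process 4120 exited with fatal code 2 and cannot be respawned
2020/06/16 18:59:10 [alert] 4117#0: worker process 4121 exited with fatal code 2 and cannot be respawned
2020/06/16 18:59:09 [emerg] 4121#0: QAT Engine failed: GET_NUM_REQUESTS_IN_FLIGHT
2020/06/16 18:59:11 [alert] 4117#0: worker process 4122 exited with fatal code 2 and cannot be respawned
"""

# Assumed layout: "<date> <time> [<level>] <pid>#<tid>: <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) \[(?P<level>\w+)\] (?P<pid>\d+)#\d+: (?P<msg>.*)$")
ENGINE_FAIL_RE = re.compile(r"^QAT Engine failed: (?P<ctrl>[A-Z0-9_]+)$")
WORKER_EXIT_RE = re.compile(
    r"^worker process (?P<wpid>\d+) exited with fatal code (?P<code>\d+)"
    r" and cannot be respawned$")


def summarize_qat_failures(log_text):
    """Correlate per-worker engine control failures with the master's fatal-exit alerts.

    Returns a dict with:
      ctrl_counts       - how many workers reported each failing engine ctrl command
      explained_exits   - worker PIDs whose fatal exit follows an engine failure they logged
      unexplained_exits - worker PIDs that exited fatally without an engine-failure line
      master_pid        - PID that emitted the exit alerts (None if none seen)
    Matching is by PID, so interleaved or out-of-order log lines do not matter.
    """
    engine_failures = {}   # worker pid -> failing ctrl command
    fatal_exits = {}       # worker pid -> exit code
    master_pid = None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # unrelated or malformed line
        msg = m.group("msg")
        fail = ENGINE_FAIL_RE.match(msg)
        if fail and m.group("level") == "emerg":
            engine_failures[int(m.group("pid"))] = fail.group("ctrl")
            continue
        exited = WORKER_EXIT_RE.match(msg)
        if exited and m.group("level") == "alert":
            master_pid = int(m.group("pid"))
            fatal_exits[int(exited.group("wpid"))] = int(exited.group("code"))
    explained = sorted(p for p in fatal_exits if p in engine_failures)
    unexplained = sorted(p for p in fatal_exits if p not in engine_failures)
    return {
        "ctrl_counts": dict(Counter(engine_failures.values())),
        "explained_exits": explained,
        "unexplained_exits": unexplained,
        "master_pid": master_pid,
    }


if __name__ == "__main__":
    report = summarize_qat_failures(SAMPLE_LOG)
    for ctrl, n in report["ctrl_counts"].items():
        print(f"{n} worker(s) failed on engine ctrl {ctrl}")
    print("explained exits:  ", report["explained_exits"])
    print("unexplained exits:", report["unexplained_exits"])
```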

Sending HTTP GET during SSL handshake. (proxy SSL)

Hi,

In a reverse proxy configuration, we have identified a problem where an HTTP GET is sent to the server during the handshake.
This problem occurs after the proxy receives a ServerHello in a situation where approximately 1000 CPS load is applied.
Not all traffic fails (some traffic fails).

  • tcpdump
// 10.1.1.174 = client ip addr, 30.1.1.14 = server ip addr

 219827 12.080228   10.1.1.174            52327  30.1.1.14             443    TCP      74     52327→443 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 SACK_PERM=1 TSval=101322087 TSecr=0 WS=256
 219833 12.080289   30.1.1.14             443    10.1.1.174            52327  TCP      74     443→52327 [SYN, ACK] Seq=0 Ack=1 Win=32768 Len=0 MSS=1460 WS=1 TSval=0 TSecr=101322087
 219836 12.080298   10.1.1.174            52327  30.1.1.14             443    TCP      66     52327→443 [ACK] Seq=1 Ack=1 Win=5888 Len=0 TSval=101322087 TSecr=0
 219862 12.080446   10.1.1.174            52327  30.1.1.14             443    TLSv1.2  242    Client Hello
 219906 12.080534   30.1.1.14             443    10.1.1.174            52327  TLSv1.2  878    Server Hello, Certificate, Server Hello Done
 219908 12.080544   10.1.1.174            52327  30.1.1.14             443    TCP      66     52327→443 [ACK] Seq=177 Ack=813 Win=7680 Len=0 TSval=101322087 TSecr=0
 219960 12.081126   10.1.1.174            52327  30.1.1.14             443    TLSv1.2  113    Continuation Data
 219966 12.081181   30.1.1.14             443    10.1.1.174            52327  TLSv1.2  73     Alert (Level: Fatal, Description: Protocol Version)
 219970 12.081245   30.1.1.14             443    10.1.1.174            52327  TCP      60     443→52327 [FIN, ACK] Seq=820 Ack=224 Win=32768 Len=0
 219971 12.081253   30.1.1.14             443    10.1.1.174            52327  TCP      60     443→52327 [RST, ACK] Seq=821 Ack=224 Win=32768 Len=0
 223958 12.150892   10.1.1.174            52327  30.1.1.14             443    TCP      66     52327→443 [RST, ACK] Seq=224 Ack=821 Win=7680 Len=0 TSval=101322094 TSecr=0
  • Network
Client <---> 80 Proxy <---> 443 Server
  • Version
    • nginx: 1.11.5
    • qat_engine: 0.5.37
    • async_mode_nginx: 0.3.5
  • nginx configuration
ssl_engine {
    use_engine qat;
    default_algorithms RSA,PKEY,PKEY_CRYPTO;
    qat_engine {
        qat_offload_mode async;
        qat_notify_mode poll;
        qat_poll_mode internal;
        qat_internal_poll_interval 1000000;
    }
}

upstream backend_server {
    server backend_server_ip:443;
    ...
}

server {
    listen proxy_ip:80;
    proxy_bind $remote_addr transparent;
    ...
    location {
        proxy_pass https://backend_server;
        proxy_ssl_asynch on;
        ...
    }
}

In the first SSL_do_handshake, c->write->handler is kept as-is if the non-blocking socket is read successfully.
In the next write event, we verified that an HTTP GET was sent from ngx_http_upstream_send_request_handler.

Assigning ngx_ssl_empty_handler to the write handler solves this problem.

diff --git a/nginx/src/event/ngx_event_openssl.c b/nginx/src/event/ngx_event_openssl.c
index 07b7cc2..53bf1b6 100644
--- a/nginx/src/event/ngx_event_openssl.c
+++ b/nginx/src/event/ngx_event_openssl.c
@@ -1608,6 +1608,10 @@ ngx_ssl_handshake(ngx_connection_t *c)
             c->read->saved_handler = c->read->handler;
             c->read->handler = ngx_ssl_empty_handler;
         }
+        if (c->write->handler != ngx_ssl_empty_handler) {
+            c->write->saved_handler = c->write->handler;
+            c->write->handler = ngx_ssl_empty_handler;
+        }
 
         ngx_add_timer(c->async, NGX_ASYNC_EVENT_TIMEOUT);
 
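Review bot: the guard `c->write->handler != ngx_ssl_empty_handler` correctly keeps the saved handler from being overwritten when ngx_ssl_handshake() is re-entered after NGX_AGAIN, but nothing in this hunk initialises `c->write->saved_handler` to `ngx_ssl_empty_handler`; the matching restore in ngx_ssl_handshake_async_handler compares against that value, so confirm the write side's saved_handler is set at connection setup exactly as the read side's must be, otherwise a NULL saved handler could be installed as the write handler on the first async completion.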
@@ -1665,6 +1669,10 @@ ngx_ssl_handshake_async_handler(ngx_event_t *aev)
         c->read->handler = c->read->saved_handler;
         c->read->saved_handler = ngx_ssl_empty_handler;
     }
+    if (c->write->saved_handler != ngx_ssl_empty_handler) {
+        c->write->handler = c->write->saved_handler;
+        c->write->saved_handler = ngx_ssl_empty_handler;
+    }
 
     if (ngx_ssl_handshake(c) == NGX_AGAIN) {
         return;
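Review bot: restoring the write handler here and then immediately calling ngx_ssl_handshake() means that on a further NGX_AGAIN the first hunk re-saves and re-masks it; that round trip is correct but deserves a short comment, and since the write event registration itself is untouched, a write event that is already pending when the restore runs would still invoke the restored handler before the re-mask, which is the window the report describes.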

Give us feedback.

Thank you.
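As an added illustration that is not part of the original report, the following Python parses a TLS record header the way the backend server does and shows why a plaintext HTTP request that reaches the socket before the handshake finishes is answered with a fatal Protocol Version alert, as in the capture above: the server reads the request line as a record header and finds "ET" (0x4554) where a TLS version should be. The constants and sample bytes are constructed for the example.

```python
import struct

# TLS record-layer constants (RFC 5246 section 6.2.1)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
RECORD_VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"PATCH ")


def classify_record(data):
    """Parse the 5-byte TLS record header the way a receiving TLS stack does.

    A server in the middle of a handshake reads type, version and length first;
    if the version field holds anything it does not recognise it rejects the
    record ("wrong version number") and sends a fatal protocol_version alert.
    """
    if len(data) < 5:
        return {"kind": "short"}
    ctype, version, length = struct.unpack("!BHH", data[:5])
    if ctype in CONTENT_TYPES and version in RECORD_VERSIONS:
        return {"kind": "tls", "content_type": CONTENT_TYPES[ctype],
                "version": RECORD_VERSIONS[version], "length": length}
    result = {"kind": "unknown", "content_type": hex(ctype), "version": hex(version)}
    if data.startswith(HTTP_METHODS):
        # Plaintext HTTP landed on the TLS socket: bytes 1-2 of the request line
        # ("ET" for GET) are what the server tried to read as the TLS version.
        result["kind"] = "plaintext_http"
        result["request_line"] = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
    return result


# Constructed inputs: a minimal ClientHello record (record-layer version 0x0301
# as most clients send it, 177-byte body) and a proxy request sent too early.
CLIENT_HELLO = bytes.fromhex("16030100b1" "010000ad0303") + b"\x00" * 0xab
EARLY_GET = b"GET /index.html HTTP/1.1\r\nHost: backend_server\r\n\r\n"

if __name__ == "__main__":
    for label, pkt in (("client hello", CLIENT_HELLO), ("early GET", EARLY_GET)):
        print(label, "->", classify_record(pkt))
```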

Errors in nginx under high load when using qatengine

Hello!

I'm benchmarking asynch-nginx performance using the following software/hardware:

  • Intel Corporation DH895XCC Series QAT
  • Intel(R) Xeon(R) Gold 5220R CPU @ 2.20GHz
  • Debian 11
  • linux kernel 5.10.0-19-amd64
  • QAT.L.4.20.0-00001
  • qat-engine-0.6.18
  • asynch-nginx-0.4.9

For SSL load I use tls-perf with 16 threads, 200 connections per thread:

./tls-perf.sh -T 10 -l 200 -t 16 --tls 1.2 -c AES256-GCM-SHA384 192.168.1.2 1443

It looks like when the device isn't fast enough to handle incoming requests, SSL connections get dropped with the following messages in the nginx error log:

2023/01/26 12:52:18 [crit] 121215#0: *184014 SSL_do_handshake() failed (SSL: error:800B5044:lib(128):qat_rsa_decrypt:internal error error:800B8044:lib(128):qat_rsa_priv_dec:internal error error:1419F093:SSL routines:tls_process_cke_rsa:decryption failed) while SSL handshaking, client: 192.168.1.1, server: 0.0.0.0:1443

And sometimes it even reports

2023/01/26 12:52:18 [crit] 121216#0: accept4() failed (24: Too many open files)

I'm using a slightly modified version of dh895xcc/multi_process_event-driven_optimized/dh895xcc_dev0.conf:

[GENERAL]
ServicesEnabled = cy
ServicesProfile = CRYPTO
ConfigVersion = 2
CyNumConcurrentSymRequests = 2048
CyNumConcurrentAsymRequests = 1024
InterruptCoalescingTimerNs = 500

statsGeneral = 1
statsDh = 1
statsDrbg = 1
statsDsa = 1
statsEcc = 1
statsKeyGen = 1
statsDc = 1
statsLn = 1
statsPrime = 1
statsRsa = 1
statsSym = 1
ProcDebug = 0
AutoResetOnError = 0

[KERNEL]
NumberCyInstances = 0
NumberDcInstances = 0

[SHIM]
NumberCyInstances = 1
NumberDcInstances = 0
NumProcesses = 32
LimitDevAccess = 1
Cy0Name = "UserCY0"
Cy0IsPolled = 2
Cy0CoreAffinity = 0-31

And ssl engine in nginx is configured as

ssl_engine {
        use_engine qatengine;
        default_algorithms ALL;
        qat_engine {
                qat_offload_mode async;
                qat_notify_mode poll;
                qat_poll_mode external;
                qat_external_poll_interval 4; # that yields best results for me
        }
}

As a result I'm not able to get more than 20k handshakes per second with such a config, even though the nginx workers are not fully utilizing the CPU. And if I try to add more client connections, then I run into the "internal error" problem described above.

Can you suggest anything to improve performance or get rid of those errors?

SSL async timeout results in infinite loop in SSL shutdown

If an SSL async timeout happens (i.e. c->async->timedout is set) during the SSL handshake, then when handling the async event in ngx_ssl_handshake_async_handler, c->ssl->handler is called, which is ngx_http_ssl_handshake_handler, which calls ngx_http_close_connection, which calls ngx_ssl_shutdown. This seems like correct behavior.

But in the ngx_ssl_shutdown function it goes through this branch of code

    if (SSL_in_init(c->ssl->connection)) {
        if(c->asynch) {
            /* Check if there is inflight request.
             * Wait till async job becomes finished.
             */
            if (SSL_want_async(c->ssl->connection)) {
                ngx_ssl_async_process_fds(c);
                if(!c->async->timer_set)
                    ngx_add_timer(c->async, NGX_ASYNC_EVENT_TIMEOUT);
                return NGX_AGAIN;
            }

SSL_want_async returns 1, since the last SSL_do_handshake & SSL_get_error returned WANT_ASYNC; ngx_ssl_async_process_fds does nothing and the timer is set. After 10 seconds (NGX_ASYNC_EVENT_TIMEOUT) the same happens again. And again and again…

In nginx error log there are the following lines every 10 seconds

2018/12/18 17:07:30 [debug] 14094#0: timer delta: 148
2018/12/18 17:07:30 [debug] 14094#0: *22834 event timer del: 75: 3755265
2018/12/18 17:07:30 [debug] 14094#0: *22834 SSL handshake async handler
2018/12/18 17:07:30 [debug] 14094#0: *22834 close http connection: 75
2018/12/18 17:07:30 [debug] 14094#0: *22834 ngx_ssl_async_process_fds called
2018/12/18 17:07:30 [debug] 14094#0: *22834 event timer add: 75: 10000:3765265
2018/12/18 17:07:30 [debug] 14094#0: worker cycle
2018/12/18 17:07:30 [debug] 14094#0: epoll timer: 92

I think that in the above snippet you should change the third if to

if (!c->async->timedout && SSL_want_async(c->ssl->connection)) {

HTTP code 502

Hi Team.

When I configure "proxy_ssl_asynch on", why does nginx return 502? There are no errors if I configure "ssl_asynch on".

load_module modules/ngx_ssl_engine_qat_module.so;
ssl_engine {
use_engine qat;
default_algorithms RSA,EC,DH,PKEY_CRYPTO;
qat_engine {
qat_offload_mode async;
qat_notify_mode poll;
}
}

server {
listen 443 ssl;
location /ssl {
proxy_pass http://unix:/usr/local/nginx/nginx.sock;
proxy_ssl_asynch on;
}
}

And here is the error.log:
[error] 31995#0: *19 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream

OS: CentOS 6.8
kernel: 2.6.32-642.el6.x86_64
asynch_mode_nginx version: 0.3.6
openssl version: 1.1.0g
QAT Driver version: qat1.7.l.4.4.0-00023
QAT_Engine version: 0.5.39

Thanks in advance !

Using the QAT accelerator card seems to have no effect

CPU utilization is the same in both cases:
[image]
QPS is 7000+ in both cases:
[image]
But the value of this counter is changing: /sys/kernel/debug/qat_dh895xcc_0000:1c:00.0/fw_counters
Below is my nginx configuration:
worker_processes 16;

load_module modules/ngx_http_qatzip_filter_module.so;
load_module modules/ngx_ssl_engine_qat_module.so;

events {
use epoll;
worker_connections 65535;
}

# Enable QAT engine in heuristic mode.

ssl_engine {
use_engine qat;
default_algorithms ALL;
#default_algorithms RSA,EC,DH,DSA;
qat_engine {
qat_offload_mode async;
qat_notify_mode poll;
qat_poll_mode heuristic;
qat_sw_fallback on;
}
}

http {
gzip on;
gzip_min_length 128;
gzip_comp_level 1;
gzip_types text/css text/javascript text/xml text/plain text/x-component application/javascript application/json application/xml application/rss+xml font/truetype font/opentype application/vnd.ms-fontobject image/svg+xml;
gzip_vary on;
gzip_disable "msie6";
gzip_http_version 1.0;

qatzip_sw failover;
qatzip_min_length 128;
qatzip_comp_level 1;
qatzip_buffers 16 8k;
qatzip_types text/css text/javascript text/xml text/plain text/x-component application/javascript application/json application/xml application/rss+xml font/truetype font/opentype application/vnd.ms-fontobject image/svg+xml application/octet-stream image/jpeg;
qatzip_chunk_size   64k;
qatzip_stream_size  256k;
qatzip_sw_threshold 256;

keepalive_timeout 0;
keepalive_requests 0;
sendfile on;
tcp_nopush     on;
tcp_nodelay on;

log_format gdttest '{"time_local":"$time_iso8601",'
                       '"client":"$remote_addr",'
                       '"url":"$uri",'
                       '"status":$status,'
                       '"domain":"$host",'
                       '"upstream_addr":"$upstream_addr",'
                       '"upstream_connect_time":"$upstream_connect_time",'
                       '"upstream_header_time":"$upstream_header_time",'
                       '"upstream_response_time":"$upstream_response_time",'
                       '"request_time":"$request_time"'
            '}';

vhost_traffic_status_zone shared:vhost_traffic_status:32m;
vhost_traffic_status_filter_by_host on;
vhost_traffic_status_filter_max_node 16 uris client::ports;

include vhosts/*.conf;

}
server {
#If QAT Engine enabled, asynch need to add to listen directive or just add ssl_asynch on; to the context.
listen 443 backlog=65535 ssl asynch;
server_name ssltest.test.com;
access_log logs/ssl.log gdttest;

    ssl_protocols       TLSv1.2;
    ssl_certificate ssl/test.com.crt;
    ssl_certificate_key ssl/test.com.key;

    location / {
    proxy_pass http://os_test;
    proxy_connect_timeout 10s;
    proxy_read_timeout 10s;
    proxy_send_timeout 10s;
    proxy_set_header X-Http-scheme https;
    proxy_set_header u-se-real-ip $remote_addr;
    proxy_set_header    X-Real-IP       $remote_addr;
    proxy_set_header    Host    $host:$server_port;
    proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
   }

}

nginx also reports some errors:
[error] cpaDcGetInstances() - : Invalid API Param - numInstances is 0
Error in cpaDcGetInstances status = -4
g_process.qz_init_status = QZ_NO_HW
[error] cpaDcGetInstances() - : Invalid API Param - numInstances is 0
Error in cpaDcGetInstances status = -4
g_process.qz_init_status = QZ_NO_HW

docker image

is there any docker image for this that could be used in kubernetes?

QAT Engine failed: ENABLE_HEURISTIC_POLLING

Hello Team,

I have successfully installed the services according to the document, and the nginx configuration test shows no problem, but I can't start it successfully. The error output is as follows:
nginx: [emerg] QAT Engine failed: ENABLE_HEURISTIC_POLLING
nginx: [emerg] ssl engine send ctrl failed
nginx: [emerg] ssl engine set failed

This is the version of my services:
nginx: openresty-1.13.6.2
openssl: 1.1.0g
QAT driver: QAT1.7.Upstream.L.1.0.3_42
QAT engine: 0.5.34

Thanks in advance!

Incorrect behavior for keepalive connections

I have found a problem with keepalive connections. After the first request the function ngx_http_set_keepalive is called, where the request struct is freed (ngx_http_free_request), which is followed by this patched code

    wev = c->write;
    wev->handler = ngx_http_empty_handler;

[...]

#if (NGX_HTTP_SSL)
    if (c->ssl) {
        ngx_ssl_free_buffer(c);
    }
#endif

    rev->handler = ngx_http_keepalive_handler;

    if (wev->active && (ngx_event_flags & NGX_USE_LEVEL_EVENT)) {
#if (NGX_HTTP_SSL)
        if (c->asynch && ngx_del_async_conn) {
            if (c->num_async_fds) {
                ngx_del_async_conn(c, NGX_DISABLE_EVENT);
                c->num_async_fds--;
            }
        }
#endif
        if (ngx_del_event(wev, NGX_WRITE_EVENT, 0) != NGX_OK) {
            ngx_http_close_connection(c);
            return;
        }
    }

The function ngx_del_async_conn is not called, because wev->active is 0.

Then it sometimes happens that epoll is woken up with the async event EPOLLIN | EPOLLOUT when a new request hasn't arrived yet. So ngx_ssl_write_async_handler is called, which sets c->read->handler to ngx_http_request_handler instead of ngx_http_keepalive_handler. And then when the out-of-band keepalive packet arrives, ngx_http_request_handler is called, which crashes, because the request structure is already freed (see the segfaults reported in #6).

I was able to fix the problem by adding

    if (c->destroyed) {
        return;
    }

at the beginning of the functions ngx_ssl_read_async_handler and ngx_ssl_write_async_handler. But I think it should be fixed by properly calling ngx_del_async_conn, i.e. by fixing the condition under which it is called.

Segfault on 'nginx -t' if ssl_session_ticket_key is set but server listens on an invalid IP address.

On release: v0.4.6

To reproduce, replace "xxx" with a non-existent IP in the following http config snippet:

http {
    include       mime.types;
    default_type  application/octet-stream;

    ssl_certificate cert/test.crt;
    ssl_certificate_key cert/test.key;
    ssl_session_ticket_key cert/ticket.key;

    server {
        listen       xxx:8443;

        location / {
            root   html;
            index  index.html index.htm;
        }
    }
}

Then run nginx -t:

nginx -t
nginx: the configuration file /opt/nginx-asynch/conf/nginx.conf syntax is ok
nginx: [emerg] bind() to xxx:8443 failed (99: Cannot assign requested address)
Segmentation fault (core dumped)

But starting nginx directly would not cause the segmentation fault.

nginx
nginx: [emerg] bind() to xxx:8443 failed (99: Cannot assign requested address)

The cause is freeing the SSL ctx even if it hasn't been initialized, so I proposed the following fix:

#49

building async nginx with opentracing on

Hi,

I tried loading load_module modules/ngx_http_opentracing_module.so; using the .so file downloaded from the opentracing git,
but it reports "not binary compatible". How do I build async nginx with opentracing on?

error trace
nginx: [emerg] module "/var/www/modules/ngx_http_opentracing_module.so" is not binary compatible in /usr/share/nginx/conf/nginx.conf:2

Support for NGINX 1.14 or 1.12

I have successfully built asynch_mode_nginx against the latest QAT 1.7 and OpenSSL 1.1.0i, but I noticed that the NGINX version is 1.10.3:

[root@localhost asynch_mode_nginx-0.3.5]# fakeroot/usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.10.3
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-11) (GCC) 
built with OpenSSL 1.1.0i  14 Aug 2018
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-http_ssl_module \ 
--add-dynamic-module=modules/nginx_qat_module/ \
--with-cc-opt='-DNGX_SECURE_MEM -I/usr/local/ssl/include \
-Wno-error=deprecated-declarations' \
--with-ld-opt='-Wl,-rpath=/usr/local/ssl/lib -L/usr/local/ssl/lib'

The last update on the 1.10 branch was 31 Jan 2017 (not as old as myself, but) in Internet time that sounds like a long time ago.

Is there any plan to add support to a more recent version of NGINX?

Could I get QAT hardware async offload by just (statically) linking OpenSSL 1.1.0i with Intel OpenSSL* Engine, to the 1.14 executable?

Could I adapt nginx-1.10.3-async.patch to 1.12 or 1.14 version of NGINX?

To give some context, I'm currently running the 1.12 stable branch (without QAT) with Google PageSpeed in production, and planning to upgrade to the new 1.14 stable branch, since it fixes some warnings seen in error log, related to the Intel optimized zlib patch.

There are some errors while running 'make'

Hello Team,

There are no errors while running ./configure:
NGINX_INSTALL_DIR='/usr/local/QAT_nginx'
OPENSSL_LIB='/usr/local/openssl-1.1.0g'
./configure \
--prefix=$NGINX_INSTALL_DIR \
--with-http_ssl_module \
--add-dynamic-module=modules/nginx_qat_module/ \
--with-cc-opt="-DNGX_SECURE_MEM -I$OPENSSL_LIB/include -Wno-error=deprecated-declarations" \
--with-ld-opt="-Wl,-rpath=$OPENSSL_LIB/lib -L$OPENSSL_LIB/lib"

But some errors while running 'make':
/usr/bin/ld: objs/addon/nginx_qat_module/ngx_ssl_engine_qat_module.o: relocation R_X86_64_PC32 against symbol 'ngx_ssl_engine_qat_module' can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: final link failed: Bad value
collect2: ld returned 1 exit status
make[1]: *** [objs/ngx_ssl_engine_qat_module.so] Error 1
make[1]: Leaving directory '/usr/local/src/ssl/asynch_mode_nginx-0.3.6'
make: *** [build] Error 2

Because installing QATzip failed, I didn't add nginx_qatzip_module when running './configure'.

OS: CentOS 6.8
kernel: 2.6.32-642.el6.x86_64
asynch_mode_nginx version: 0.3.6
openssl version: openssl-1.1.0g
QAT Driver version: qat1.7.l.4.4.0-00023

How to work around this problem?

Thanks in advance!

tengine-2.2.2 does not support soft restart (reload)

I am using tengine-2.2.2, and while using it I found that nginx -s reload reports an error. The nginx error message is as follows:
"[error] icp_sal_userStart() - : icp_adf_userProcessToStart failed"
Is there a patch that supports reload?

infinite loop,CPU 100% when use stream SSL module

asynch_mode_nginx:v0.4.1
Driver: qat1.7.l.4.9.0-00008
Qat_Engine:v0.5.44
OpenSSL-1.1.1g
QATzip:v1.0.1

cat nginx.conf:

worker_processes 16;
worker_cpu_affinity 01111111111111111000000000000000;
user root;

error_log logs/error.log error;

pid nginx.pid;

load_module modules/ngx_ssl_engine_qat_module.so;
load_module modules/ngx_http_qatzip_filter_module.so;

events {
use epoll;
worker_connections 102400;
}

ssl_engine {
use_engine qat;
default_algorithms ALL;
qat_engine {
qat_offload_mode async;
qat_notify_mode poll;
qat_poll_mode heuristic;
qat_sw_fallback on;
}
}

stream {
upstream myngx_stream_ups {
server 172.28.150.52:8881 weight=1 max_fails=3 fail_timeout=5s;
server 172.28.150.52:8882 weight=1 max_fails=3 fail_timeout=5s;
}

log_format main '$remote_addr [$time_local] '
             '$protocol $status $bytes_sent $bytes_received '
             '$session_time "$upstream_addr" '
             '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
access_log logs/stream_access.log main  buffer=4k flush=5s;
server {
    listen 172.28.33.190:6443 ssl asynch reuseport;

    ssl_certificate      cert/jd;
    ssl_certificate_key  cert/jd;

    ssl_protocols  TLSv1.2 TLSv1.3;
    ssl_ciphers  ECDH+AESGCM:AES128+RSA:HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache   shared:STREAM_SSL:300m;
    ssl_session_timeout 24h;

    proxy_pass myngx_stream_ups;
}

server {
    listen 172.28.33.190:7443 reuseport;
    proxy_pass myngx_stream_ups;
}

}

strace -p 8684
sched_yield() = 0
sched_yield() = 0
sched_yield() = 0
sched_yield() = 0
sched_yield() = 0
sched_yield() = 0
.....

nginx: [emerg] ENGINE_by_id("qat") failed

Hello,

[root@localhost asynch_mode_nginx]# /openssl/apps/openssl engine -t -c -vvvv qat
(qat) Reference implementation of QAT crypto engine
[RSA, DSA, DH, AES-128-CBC-HMAC-SHA1, AES-128-CBC-HMAC-SHA256, AES-256-CBC-HMAC-SHA1, AES-256-CBC-HMAC-SHA256, TLS1-PRF]
[ available ]
ENABLE_EXTERNAL_POLLING: Enables the external polling interface to the engine.
(input flags): NO_INPUT
POLL: Polls the engine for any completed requests
(input flags): NO_INPUT
SET_INSTANCE_FOR_THREAD: Set instance to be used by this thread
(input flags): NUMERIC
GET_NUM_OP_RETRIES: Get number of retries
(input flags): NO_INPUT
SET_MAX_RETRY_COUNT: Set maximum retry count
(input flags): NUMERIC
SET_INTERNAL_POLL_INTERVAL: Set internal polling interval
(input flags): NUMERIC
GET_EXTERNAL_POLLING_FD: Returns non blocking fd for crypto engine
(input flags): NO_INPUT
ENABLE_EVENT_DRIVEN_POLLING_MODE: Set event driven polling mode
(input flags): NO_INPUT
GET_NUM_CRYPTO_INSTANCES: Get the number of crypto instances
(input flags): NO_INPUT
DISABLE_EVENT_DRIVEN_POLLING_MODE: Unset event driven polling mode
(input flags): NO_INPUT
SET_EPOLL_TIMEOUT: Set epoll_wait timeout
(input flags): NUMERIC
SET_CRYPTO_SMALL_PACKET_OFFLOAD_THRESHOLD: Set QAT small packet threshold
(input flags): STRING
ENABLE_INLINE_POLLING: Enables the inline polling mode.
(input flags): NO_INPUT
ENABLE_HEURISTIC_POLLING: Enable the heuristic polling mode
(input flags): NO_INPUT
GET_NUM_REQUESTS_IN_FLIGHT: Get the number of in-flight requests
(input flags): NUMERIC
INIT_ENGINE: Initializes the engine if not already initialized
(input flags): NO_INPUT

works fine. nginx not:

[root@localhost asynch_mode_nginx]# nginx
nginx: [emerg] ENGINE_by_id("qat") failed
nginx: [emerg] ssl engine send ctrl failed
nginx: [emerg] ssl engine set failed

How can I fix that?

Thank you.

Problem with Openssl_1.1.1

Hi
I want to use asynch_mode_nginx with openssl_1.1.1 and I get this error in the nginx error log:

SSL_get_error : 10

Do you have any plan to support Openssl_1.1.1?

I want to use openssl_1.1.1 because of TLS1.3

Thanks

why not add/del all async_fd, but just only one?

https://github.com/intel/asynch_mode_nginx/blob/master/src/event/ngx_event_openssl.c#L1660

We can see that c->async_fd is just used to pass an fd to ngx_add_async_conn or ngx_del_async_conn.
Why not add all the fds?

If we only want to add/del one fd, the loop is not needed at all.

    if (num_del_fds) {
        for (loop = 0; loop < num_del_fds; loop++) {
            c->async_fd = del_fds[loop];
            if (c->num_async_fds) {
                ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, "%s: deleting fd = %d", __func__, c->async_fd);
                ngx_del_async_conn(c, NGX_DISABLE_EVENT);
                c->num_async_fds--;
            }
        }
    }
    if (num_add_fds) {
        for (loop = 0; loop < num_add_fds; loop++) {
            if (c->num_async_fds == 0) {
                c->num_async_fds++;
                c->async_fd = add_fds[loop];
                ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, "%s: adding fd = %d", __func__, c->async_fd);
                ngx_add_async_conn(c);
            }
        }
    }

Nearly no difference with Internal and Heuristic

Hello Team,

I configured asynch_mode_nginx with the Internal and Heuristic poll modes and did some tests, but the results were nearly the same.

With Internal, the result was 41575.35, and with Heuristic, the result was 41613.51.

My question is that what is the different between Internal and Heuristic and what we can benefit from Heuristic?

Thanks in advance.

My testing script:

#!/bin/bash
ab_path=/usr/bin
# number of CPUs, used as the default number of parallel ab instances
cpu=`cat /proc/cpuinfo | grep processor | wc -l `
count=${1-$cpu}
# start one ab run per CPU in the background, each writing its own report
for ((i=0; i<$count; i++))
    do
        $ab_path/ab -n 40960 -c 48 -Z AES128-SHA https://127.0.0.1/ > $i.txt &
done
wait
total=0
# sum the "Requests per second" figure of every report; abort if one is missing
for ((i=0; i<$count; i++))
    do
        cur=`cat $i.txt  | grep "Requests per second" | tr -s " " | cut -d" " -f 4`
        echo "test$i=$cur"
        if [[ $cur == "" ]]
            then
                echo "error on $i"
            exit
        fi
        total=$(echo "$total+$cur" | bc)
done
echo "-------------"
echo total=$total

Connect times out; nginx worker process goes into infinite loop

As far as I can tell, everything in QAT, QAT Engine, and qat_contig_mem is working properly. All the tests pass; openssl speed returns delightfully fast numbers. nginx, however, won't accept connections: After reading the TLS Client Hello, the worker goes into a hard loop polling. From strace:

9295  accept4(11, {sa_family=AF_INET, sin_port=htons(40716), sin_addr=inet_addr("96.74.122.182")}, [16], SOCK_NONBLOCK) = 3
9295  epoll_ctl(13, EPOLL_CTL_ADD, 3, {EPOLLIN|EPOLLRDHUP|EPOLLET, {u32=635871744, u64=140635045011968}}) = 0
9295  epoll_wait(13, {{EPOLLIN, {u32=635871744, u64=140635045011968}}}, 512, 60000) = 1
9295  recvfrom(3, "\26", 1, MSG_PEEK, NULL, NULL) = 1
9295  read(3, "\26\3\1\2\0\1\0\1\374\3\3\22\16}E\201)\234\327\235M\306%\fW\16\364|b\303(Z"..., 16709) = 517
9295  open("/dev/qat_contig_mem", O_RDWR) = 15
9295  ioctl(15, 0xc0209500, 0x7ffdbbf354c0) = 0
9295  mmap(NULL, 262144, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_LOCKED, 15, 0xffff8808450e0000) = 0x7fe825e40000
9295  sched_yield()                     = 0
9295  sched_yield()                     = 0
9295  sched_yield()                     = 0
9295  sched_yield()                     = 0
9295  sched_yield()                     = 0

O.S. Debian 8
Kernel 3.16.51-3
Driver 1.6, from qatmux.l.2.6.0-60.tar.gz
OpenSSL openssl-1.1.0j.tar.gz
Engine and asynch_mode_nginx cloned from github

I am assuming I'm doing something fundamentally wrong. Thinking about trying a debug build next.

Infinite loop bug

We have several services where, a few minutes after nginx starts, a process gets stuck at 100% CPU. Attaching gdb shows this:
(screenshot: ngx1)

nginx.conf:
load_module modules/ngx_ssl_engine_qat_module.so;
ssl_engine {
use_engine qat;
default_algorithms RSA;
qat_engine {
qat_offload_mode async;
qat_notify_mode poll;
qat_poll_mode external;
qat_shutting_down_release on;
}
}

Changing the poll mode to heuristic gives the same problem.

Related QAT engine code:
(screenshot: ngx2)
It looks like this loop never exits.

The same setup has no problem in another similar service, and the code of both is exactly the same. The difference is that the problematic service runs some Lua code (LuaJIT-2.0.5, lua-nginx-module-0.9.20), while the unaffected service never reaches Lua code. The Lua code mainly computes MD5 and performs redirects.

openresty make error

When building with openresty, this error happened:
modules/nginx_qat_module/ngx_ssl_engine_qat_module.c:42:28: error: ngx_ssl_engine.h: No such file or directory
modules/nginx_qat_module/ngx_ssl_engine_qat_module.c:148: error: ‘NGX_SSL_ENGINE_CONF’ undeclared here (not in a function)
modules/nginx_qat_module/ngx_ssl_engine_qat_module.c:155: error: ‘NGX_SSL_ENGINE_SUB_CONF’ undeclared here (not in a function)

new nginx version

Can you officially provide a version of nginx1.12 for qat? We need this release in our production environment.

nginx -s reload can't shutdown "worker process"

QAT.L.4.17.0-00002
QAT_Engine-v0.6.11
openssl-1.1.1k

nginx.conf

ssl_engine {
use_engine qatengine;
default_algorithms ALL;
qat_engine {
qat_offload_mode async;
qat_notify_mode poll;
qat_poll_mode heuristic;
qat_sw_fallback on;
}
}

error:
When the nginx worker CPU is at 100%, a large number of CLOSE_WAITs are generated, and nginx -s reload cannot shut down the old nginx process.


debug:

pstack 363897
#0 0x00007fd4b2a796f0 in __read_nocancel () from /lib64/libpthread.so.0
#1 0x00007fd4b0aad8b5 in read (__nbytes=8, __buf=0x55c24bc9c7f8, __fd=) at /usr/include/bits/unistd.h:44
#2 qat_pause_job (job=, jobStatus=jobStatus@entry=2) at qat_events.c:278
#3 0x00007fd4b0ab465b in qat_chained_ciphers_do_cipher (ctx=0x55c24b51fc40, out=0x55c24b6b5638 "\233'Q\346\033\b\303F\367\323\323\301\377͎a\254\034\003u\033\066Ƥ:㐘泸7\351w}%\362\064\371J\216J\222\227\241\202\030\263\032\070+>\260\037\313\327\r\222\361\366\224\263\300\251Ș؀s\031D\344\221a\235ʝpt\321&\351{\254\304\373'j\241\346\374\370rIM\257ޖ\353@\242\021lO\217\375\222B\330\371\005I\354UWL\017U\274Ӹ\276Bq)l_nP\b\341\375ti|\b\b\313d\305\004\365?\177\020\324\251B.9\211r\231\322'\031\326h!\037\274\003ij\001^S\321\064ZlQ\022y/\256\213B\261\216\236\"\346\363\376\240\206KA\257\237\313\325\345/\033\231", <incomplete sequence \311>..., in=0x55c24b6b5638 "\233'Q\346\033\b\303F\367\323\323\301\377͎a\254\034\003u\033\066Ƥ:㐘泸7\351w}%\362\064\371J\216J\222\227\241\202\030\263\032\070+>\260\037\313\327\r\222\361\366\224\263\300\251Ș؀s\031D\344\221a\235ʝpt\321&\351{\254\304\373'j\241\346\374\370rIM\257ޖ\353@\242\021lO\217\375\222B\330\371\005I\354UWL\017U\274Ӹ\276Bq)l_nP\b\341\375ti|\b\b\313d\305\004\365?\177\020\324\251B.9\211r\231\322'\031\326h!\037\274\003ij\001^S\321\064ZlQ\022y/\256\213B\261\216\236\"\346\363\376\240\206KA\257\237\313\325\345/\033\231", <incomplete sequence \311>..., len=4208) at qat_hw_ciphers.c:1483
#4 0x00007fd4b1deaefc in tls1_enc () from /etc/nginx/.openssl/lib/libssl.so.1.1
#5 0x00007fd4b1deb9f6 in ssl3_get_record () from /etc/nginx/.openssl/lib/libssl.so.1.1
#6 0x00007fd4b1de8ec3 in ssl3_read_bytes () from /etc/nginx/.openssl/lib/libssl.so.1.1
#7 0x00007fd4b1df0b7a in ssl3_read () from /etc/nginx/.openssl/lib/libssl.so.1.1
#8 0x00007fd4b197e884 in async_start_func () from /etc/nginx/.openssl/lib/libcrypto.so.1.1
#9 0x00007fd4b155dd40 in ?? () from /lib64/libc.so.6
#10 0x0000000000000000 in ?? ()

pstack 363892
#0 0x00007fd4b2a796f0 in __read_nocancel () from /lib64/libpthread.so.0
#1 0x00007fd4b0aad8b5 in read (__nbytes=8, __buf=0x55c24c81dfc8, __fd=) at /usr/include/bits/unistd.h:44
#2 qat_pause_job (job=, jobStatus=jobStatus@entry=2) at qat_events.c:278
#3 0x00007fd4b0ab465b in qat_chained_ciphers_do_cipher (ctx=0x55c24bf744d0, out=0x55c24b5bdfc8 "$\244D\255\336\066\037\002\346Ƹ/ɂS\032V\254\060\251ش#w\372\362\367\061\241\025ʆ\035W\266\225)m@\331\n/:\020=\237雁a\n\340C!\354\270\367|\232\236\031\304<K\254.\267\246\376v|\026\310aa\005\202Kզ!m\265\344\262F\372\204\244\021=\263^\326.a\210\tD"\254\066M$t?BoT]\254n\356*\216\372\231\247\066\237]jj\304T\235\026q%tmC!\301Ɩ\267\340K?1\302\200\361^q", in=0x55c24b5bdfc8 "$\244D\255\336\066\037\002\346Ƹ/ɂS\032V\254\060\251ش#w\372\362\367\061\241\025ʆ\035W\266\225)m@\331\n/:\020=\237雁a\n\340C!\354\270\367|\232\236\031\304<K\254.\267\246\376v|\026\310aa\005\202Kզ!m\265\344\262F\372\204\244\021=\263^\326.a\210\tD"\254\066M$t?BoT]\254n\356*\216\372\231\247\066\237]jj\304T\235\026q%tmC!\301Ɩ\267\340K?1\302\200\361^q", len=3088) at qat_hw_ciphers.c:1483
#4 0x00007fd4b1deaefc in tls1_enc () from /etc/nginx/.openssl/lib/libssl.so.1.1
#5 0x00007fd4b1deb9f6 in ssl3_get_record () from /etc/nginx/.openssl/lib/libssl.so.1.1
#6 0x00007fd4b1de8ec3 in ssl3_read_bytes () from /etc/nginx/.openssl/lib/libssl.so.1.1
#7 0x00007fd4b1df0b7a in ssl3_read () from /etc/nginx/.openssl/lib/libssl.so.1.1
#8 0x00007fd4b197e884 in async_start_func () from /etc/nginx/.openssl/lib/libcrypto.so.1.1
#9 0x00007fd4b155dd40 in ?? () from /lib64/libc.so.6
#10 0x0000000000000000 in ?? ()

help me!!!

Query regarding QAT engine default algorithm

This is not an issue, but a query regarding the behavior of nginx. If the default algorithm is set to RSA and the request connection cipher is some other type, such as elliptic curve, what will happen to the request? Will it be dropped at the nginx level, or what would the behavior be?

issue seen with dasync engine

Hi,
I wanted to use the dasync engine provided by OpenSSL. I have been able to load that engine and attach it to OpenSSL. I am using OpenSSL 1.1.1l and the async_mode_nginx repository. I have ssl_async on the Nginx config and I can see the requests getting offloaded. The issue I have been seeing is that some of the requests fail when I have more than one connection and multiple requests. The requests start to fail with as low as 3 requests with one thread and two connections.
Has anyone tried to test the dasync code with Nginx async? If yes was it scalable?

The error I get
2022/08/17 03:11:10 [info] 15355#15355: *11784 SSL_do_handshake() failed (SSL: error:1408F119:SSL routines:ssl3_get_record:decryption failed or bad record mac) while SSL handshaking, client: 10.0.1.1, server: 0.0.0.0:443

what kind of Driver config do i need to run nginx?

I installed all the Software Requirements, then ran the official Nginx tests, which failed. Maybe I don't have the correct driver config files?

According to the Software Requirements, it needs the QAT engine and QATzip, but both of them need correct driver config files to work.

When I install the QAT engine and copy the QAT engine's driver config files (/QAT_Engine/qat/config/c6xx/multi_process_optimized) to /etc, the command ./openssl engine -t -c -vvvv qat reports it available.

When I install QATzip and copy QATzip's driver config files (/QATzip/config_file/c6xx/multiple_process_opt/*) to /etc, the commands cd $QZ_ROOT/test/performance_tests and ./run_perf_test.sh work well, but the command ./openssl engine -t -c -vvvv qat reports it unavailable.

It seems that following the readme installation I can only make one of them work properly. So what kind of driver config do I need to run nginx?

my environment

centos7
3.10.0-693.el7.x86_64

#lsmod | fgrep qa
qat_c62x               17889  0 
intel_qat             212930  2 usdm_drv,qat_c62x
authenc                17776  1 intel_qat
uio                    19259  1 intel_qat
qat_contig_mem         13414  0 

When I run ./nginx-test.sh qat or ./nginx-test.sh dasync, both fail, and the failure logs are:

./h2.t                               (Wstat: 6400 Tests: 143 Failed: 25)
  Failed tests:  30-31, 43-44, 46, 53-55, 58, 60-61, 64-72
                80-81, 83, 90, 116
  Non-zero exit status: 25
./h2_fastcgi_request_buffering.t     (Wstat: 3072 Tests: 50 Failed: 12)
  Failed tests:  4, 9, 13, 17, 20, 24, 29, 33, 37, 41, 45
                48
  Non-zero exit status: 12
./h2_headers.t                       (Wstat: 65280 Tests: 65 Failed: 43)
  Failed tests:  1-18, 20, 23, 25, 27, 39-55, 57-60
  Non-zero exit status: 255
  Parse errors: Bad plan.  You planned 94 tests but ran 65.
./h2_limit_conn.t                    (Wstat: 512 Tests: 6 Failed: 2)
  Failed tests:  1, 3
  Non-zero exit status: 2
./h2_limit_req.t                     (Wstat: 1280 Tests: 9 Failed: 5)
  Failed tests:  1-5
  Non-zero exit status: 5
./h2_proxy_cache.t                   (Wstat: 512 Tests: 14 Failed: 2)
  Failed tests:  1, 4
  Non-zero exit status: 2
./h2_proxy_protocol.t                (Wstat: 256 Tests: 6 Failed: 1)
  Failed test:  2
  Non-zero exit status: 1
./h2_proxy_request_buffering.t       (Wstat: 3072 Tests: 51 Failed: 12)
  Failed tests:  4, 8, 12, 16, 20, 25, 28, 32, 37, 41, 45
                48
  Non-zero exit status: 12
./h2_proxy_request_buffering_ssl.t   (Wstat: 2560 Tests: 42 Failed: 10)
  Failed tests:  4, 9, 13, 17, 20, 24, 29, 33, 37, 40
  Non-zero exit status: 10
./h2_proxy_ssl.t                     (Wstat: 256 Tests: 3 Failed: 1)
  Failed test:  1
  Non-zero exit status: 1
./h2_request_body.t                  (Wstat: 9728 Tests: 44 Failed: 38)
  Failed tests:  1-4, 6-14, 17, 19-42
  Non-zero exit status: 38
./h2_request_body_preread.t          (Wstat: 512 Tests: 10 Failed: 2)
  Failed tests:  1, 8
  Non-zero exit status: 2
./h2_server_tokens.t                 (Wstat: 1536 Tests: 11 Failed: 6)
  Failed tests:  1-2, 4-5, 7-8
  Non-zero exit status: 6
./h2_ssl_verify_client.t             (Wstat: 768 Tests: 5 Failed: 3)
  Failed tests:  1-3
  Non-zero exit status: 3
./h2_variables.t                     (Wstat: 256 Tests: 6 Failed: 1)
  Failed test:  4
  Non-zero exit status: 1
./mail_imap_ssl.t                    (Wstat: 256 Tests: 14 Failed: 1)
  Failed test:  10
  Non-zero exit status: 1
./proxy_ssi_body.t                   (Wstat: 0 Tests: 3 Failed: 0)
  TODO passed:   1
./ssl.t                              (Wstat: 1024 Tests: 12 Failed: 8)
  Failed tests:  3-10
  Non-zero exit status: 4
  Parse errors: Bad plan.  You planned 20 tests but ran 12.

eventfd not closed when client close the connection while SSL handshaking

The eventfd is not closed when the connection is closed while SSL handshaking.
The remaining eventfds cause a memory leak and the OOM killer runs.

nginx config and debug log are as follows:

nginx config:

  location  OUR_LOC {
    proxy_set_header Host $http_host;           #default
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;                #x-forwarded-for
    proxy_pass OUR_SER;
    proxy_next_upstream off;
    proxy_set_header Connection "";             #connection-pooling
    proxy_ssl_protocols TLSv1.1 TLSv1 TLSv1.2;
    proxy_ssl_ciphers ALL:!ADH:!EXPORT:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:!AECDH;
    proxy_ssl_asynch on;
    proxy_ssl_session_reuse off;
    proxy_ssl_server_name on;
    proxy_ssl_name $host;
  }
  • proxy_ssl, asynch mode is enabled.

ssl_engine config:

ssl_engine {
    use_engine qat;
    default_algorithms RSA,PKEY,PKEY_CRYPTO;
    qat_engine {
        qat_offload_mode async;
        qat_notify_mode poll;
        qat_poll_mode heuristic;
        qat_shutting_down_release on;
    }
}
  • This issue also occurs in qat_poll_mode internal

debug log:

2020/09/16 11:16:17 [debug] 14869#0: *9 http upstream check client, write event:0, "/index.html"
2020/09/16 11:16:17 [info] 14869#0: *9 epoll_wait() reported that client prematurely closed connection, so upstream connection is closed too while SSL handshaking to upstream, client: 171.10.0.1, server: , request: "GET /index.html HTTP/1.1", upstream: "https://172.90.0.10:443/index.html", host: "localhost"
2020/09/16 11:16:17 [debug] 14869#0: *9 finalize http upstream request: 499
2020/09/16 11:16:17 [debug] 14869#0: *9 finalize http proxy request
2020/09/16 11:16:17 [debug] 14869#0: *9 ngx_ssl_async_process_fds called
2020/09/16 11:16:17 [debug] 14869#0: *9 close http upstream connection: 34
2020/09/16 11:16:17 [debug] 14869#0: *9 free: 00000000016ADBD0
2020/09/16 11:16:17 [debug] 14869#0: *9 free: 00000000016B0160, unused: 32
2020/09/16 11:16:17 [debug] 14869#0: *9 event timer del: 34: 180512685
2020/09/16 11:16:17 [debug] 14869#0: *9 event timer del: 34: 180462695
2020/09/16 11:16:17 [debug] 14869#0: *9 epoll del async connection: fd:37
2020/09/16 11:16:17 [debug] 14869#0: *9 reusable connection: 0
2020/09/16 11:16:17 [debug] 14869#0: *9 http finalize request: 499, "/index.html?" a:1, c:1

proc fd:

# ls -al /proc/27624/fd | nl | tail
  6409	lrwx------ 1 root nogroup 64 Sep 17 10:53 990 -> anon_inode:[eventfd]
  6410	lrwx------ 1 root nogroup 64 Sep 17 10:53 991 -> anon_inode:[eventfd]
  6411	lrwx------ 1 root nogroup 64 Sep 17 10:53 992 -> anon_inode:[eventfd]
  6412	lrwx------ 1 root nogroup 64 Sep 17 10:53 993 -> anon_inode:[eventfd]
  6413	lrwx------ 1 root nogroup 64 Sep 17 10:53 994 -> anon_inode:[eventfd]
  6414	lrwx------ 1 root nogroup 64 Sep 17 10:53 995 -> anon_inode:[eventfd]
  6415	lrwx------ 1 root nogroup 64 Sep 17 10:53 996 -> anon_inode:[eventfd]
  6416	lrwx------ 1 root nogroup 64 Sep 17 10:53 997 -> anon_inode:[eventfd]
  6417	lrwx------ 1 root nogroup 64 Sep 17 10:53 998 -> anon_inode:[eventfd]
  6418	lrwx------ 1 root nogroup 64 Sep 17 10:53 999 -> anon_inode:[eventfd]
  • I checked that a large number of eventfds were left in the /proc/NGX_PID/fd directory.
  • If this problem persists, the heap and anon memory size increase, resulting in a memory leak and the OOM killer killing nginx.

solution:

When a FIN is received from the client, nginx waits without terminating the connection.
ngx_ssl_handshake_async_handler calls finalize_request when the QAT engine's work is done (it calls write(efd)) and nginx is notified of the completion.

why:

When SSL_in_init() returns true, calling SSL_shutdown is not possible. Actually, when ngx_ssl_shutdown was forced to call SSL_shutdown, a core dump occurred and nginx restarted.

ask:

Is there a better way to gracefully shut down when FINs are received from the client during SSL handshaking?

patch:

diff --git a/src/core/ngx_connection.h b/src/core/ngx_connection.h
index cc06def..4e70f19 100644
--- a/src/core/ngx_connection.h
+++ b/src/core/ngx_connection.h
@@ -133,6 +133,7 @@ struct ngx_connection_s {
     ngx_socket_t        fd;
 #if (NGX_SSL)
     ngx_socket_t        async_fd;
+    unsigned            closed:1;
 #endif
     ngx_recv_pt         recv;
     ngx_send_pt         send;
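Review bot: the new `closed:1` bit in `struct ngx_connection_s` has no comment explaining what it records (the upstream request was finalized while an asynchronous SSL handshake job was still pending); add a one-line comment, and consider a more specific name such as `async_closed` so it is not mistaken for the connection's ordinary close state.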
diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c
index 8d7a1ca..099211e 100644
--- a/src/http/ngx_http_upstream.c
+++ b/src/http/ngx_http_upstream.c
@@ -1779,6 +1779,10 @@ ngx_http_upstream_ssl_handshake(ngx_http_request_t *r, ngx_http_upstream_t *u,

     if (c->ssl->handshaked) {

+        if (c->asynch && c->closed) {
+            ngx_http_upstream_finalize_request(r, u, 0);
+        }
+
         if (u->conf->ssl_verify) {
             rc = SSL_get_verify_result(c->ssl->connection);

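Review bot: there is no `return` after `ngx_http_upstream_finalize_request(r, u, 0)` in the `c->ssl->handshaked` branch, so the handler continues into the `u->conf->ssl_verify` check and the rest of the handshake-completion path using `r`, `u` and `c` after the request has been finalized and, with the later hunk, the peer connection closed; return immediately after finalizing.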
@@ -4328,6 +4332,19 @@ ngx_http_upstream_finalize_request(ngx_http_request_t *r,
     ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
                    "finalize http upstream request: %i", rc);

+    if (u->peer.connection && u->peer.connection->ssl && u->peer.connection->asynch) {
+        if (SSL_in_init(u->peer.connection->ssl->connection)
+                && SSL_want_async(u->peer.connection->ssl->connection)) {
+            if (u->peer.connection->closed) {
+                return;
+            }
+            ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
+                           "connection closed but wait async job");
+            u->peer.connection->closed = 1;
+            return;
+        }
+    }
+
     if (u->cleanup == NULL) {
         /* the request was already finalized */
         ngx_http_finalize_request(r, NGX_DONE);
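Review bot: the early `return` taken when `SSL_in_init()` and `SSL_want_async()` both hold leaves the request alive until the engine completes the job; if the job never completes (engine error, worker shutting down), nothing finalizes the request, so this state needs a bound such as the existing async event timeout also calling back into finalize. The second call, when `closed` is already set, also returns silently and drops its `rc`; at least log it at debug level.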
@@ -4392,6 +4409,9 @@ ngx_http_upstream_finalize_request(ngx_http_request_t *r,
         }

         ngx_close_connection(u->peer.connection);
+        if (u->peer.connection->asynch && u->peer.connection->closed) {
+            ngx_http_finalize_request(r, NGX_DONE);
+        }
     }

     u->peer.connection = NULL;
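Review bot: `u->peer.connection->asynch` and `->closed` are read after `ngx_close_connection(u->peer.connection)` has released the connection back to the free list; copy both flags into locals before the close. Calling `ngx_http_finalize_request(r, NGX_DONE)` here and then continuing through the rest of `ngx_http_upstream_finalize_request`, which itself ends by finalizing the request, also risks finalizing the same request twice; return after the call or leave it to the existing finalize path.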
  • We are using a different version (v0.3.5), but I made a patch with the latest version of asynch_mode_nginx.
  • I will update the results after retesting in the latest version of asynch_mode_nginx.

thanks !
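A check for the leak pattern reported above (eventfd entries piling up in a worker's /proc/<pid>/fd until the OOM killer steps in), added here as an example; it is not part of asynch_mode_nginx and assumes a Linux /proc layout and a worker pid you supply.

```shell
#!/bin/sh
# Constructed example: detect a growing number of anon_inode:[eventfd]
# descriptors in an nginx worker, the signature of the leak described above.

# count_eventfds FD_DIR
#   Print how many symlinks in FD_DIR point at anon_inode:[eventfd].
#   FD_DIR is normally /proc/<pid>/fd; any directory of symlinks works,
#   so a test can use a constructed one. A missing directory counts as 0.
count_eventfds() {
    _dir=$1
    _n=0
    for _f in "$_dir"/*; do
        [ -L "$_f" ] || continue
        case $(readlink "$_f") in
            "anon_inode:[eventfd]") _n=$((_n + 1)) ;;
        esac
    done
    echo "$_n"
}

# is_strictly_growing "c1 c2 c3 ..."
#   Return 0 when every sample is larger than the previous one, i.e. the
#   count never plateaus or drops, which is what a leak looks like; 1 otherwise.
is_strictly_growing() {
    _prev=
    for _c in $1; do
        if [ -n "$_prev" ] && [ "$_c" -le "$_prev" ]; then
            return 1
        fi
        _prev=$_c
    done
    return 0
}

# eventfd_leak_check PID [SAMPLES] [INTERVAL_SECONDS]
#   Sample count_eventfds for the worker SAMPLES times, INTERVAL seconds apart,
#   and report a suspected leak when the count rose at every sample.
#   Exit status: 0 = stable, 2 = suspected leak.
eventfd_leak_check() {
    _pid=$1; _samples=${2:-5}; _interval=${3:-10}
    _series=
    _i=0
    while [ "$_i" -lt "$_samples" ]; do
        _series="$_series $(count_eventfds "/proc/$_pid/fd")"
        _i=$((_i + 1))
        [ "$_i" -lt "$_samples" ] && sleep "$_interval"
    done
    echo "eventfd counts for pid $_pid:$_series"
    if is_strictly_growing "$_series"; then
        echo "suspected eventfd leak in worker $_pid (count keeps rising)"
        return 2
    fi
    return 0
}

# Stand-alone use: ./eventfd_check.sh <worker pid> [samples] [interval]
if [ -n "${1:-}" ]; then
    eventfd_leak_check "$@"
fi
```

Run it against the worker pid from ps while the proxy is under load; a stable count across samples rules out this particular leak.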

should I delete openssl.cnf?

This kind of configuration in openssl.conf will not be effective for Nginx.

So should I delete it? If I keep it, then nginx fails to start:

nginx: [emerg] QAT Engine failed: ENABLE_EXTERNAL_POLLING
nginx: [emerg] ssl engine send ctrl failed
nginx: [emerg] ssl engine set failed

Unable to load module

  • OS: Redhat 8.4
    • Kernel: 4.18.0-305.12.1.el8_4.x86_64
    • openssl: OpenSSL 1.1.1g FIPS 21 Apr 2020 (Redhat Default)
  • QAT Hardware: Intel QAT 8970
    • QAT Engine: v0.6.7
    • QAT Driver: qat1.7.l.4.14.0-00031
  • Nginx: v1.20.1

On Redhat it cannot be installed from source code, but because the default is already 1.1.1g, there is no need to update openssl.

OpenSSL

Confirm that openssl can use QAT

$ openssl speed rsa2048 
$ openssl speed -engine qatengine rsa2048
$ openssl speed -engine qatengine -async_jobs 8 rsa2048
                                          sign        verify      sign/s    verify/s
cpu                        rsa 2048 bits  0.000637s   0.000029s   1570.4    34797.8
openssl 1.1.1g qat sync    rsa 2048 bits  0.0000495s  0.000096s   2018.4    10426.2
openssl 1.1.1g qat async   rsa 2048 bits  0.000055s   0.000009s   18213.1   116548.2

Nginx

Install

asynch_mode_nginx needs to specify the location of the openssl lib, but I don't know it.

$ ./configure --prefix=/etc/nginx --conf-path=/etc/nginx/nginx.conf \
--without-http_rewrite_module --with-http_ssl_module --with-http_stub_status_module \
--with-http_v2_module --with-stream --with-stream_ssl_module \
--add-dynamic-module=modules/nginx_qat_module/ \
--with-cc-opt="-DNGX_SECURE_MEM -I/opt/QAT/quickassist/include -I/opt/QAT/quickassist/include/dc 
-Wno-error=deprecated-declarations"

Check module

$ ll /etc/nginx/modules/
-rwxr-xr-x 1 root root 88096 Sep  6 06:40 ngx_ssl_engine_qat_module.so

Config

load_module modules/ngx_ssl_engine_qat_module.so;
ssl_engine {
    use_engine qatengine;
    default_algorithms RSA,EC,DH,PKEY_CRYPTO;
    qat_engine {
            qat_offload_mode async;
            qat_notify_mode poll;
            qat_poll_mode heuristic;
            qat_sw_fallback on;
    }
}

Nginx config test

$ /etc/nginx/sbin/nginx -t

nginx: [emerg] dlopen() "/usr/lib/nginx/modules/ngx_stream_module.so" failed (/usr/lib/nginx/modules/ngx_stream_module.so: cannot open shared object file: No such file or directory) in /etc/nginx/conf/nginx.conf:12
nginx: configuration file /etc/nginx/conf/nginx.conf test failed

Does the installation method need to be modified?

SSL_do_handshake() failed

Hello,

I am getting an SSL handshake failure when I use asynch_mode_nginx. I am using nginx.QAT-sample.conf as an example.

Environment:

CentOS 7.8.2003
QAT_Engine v0.5.44
QATzip v1.0.1
OpenSSL 3.0.0-alpha3-dev
Intel Corporation DH895XCC Series QAT
Nginx-1.16.1

  1. When I run the openssl test for the QAT Engine it looks good:
    openssl engine -t -c -vvvv qat

(qat) Reference implementation of QAT crypto engine
[RSA, DSA, DH, AES-128-CBC-HMAC-SHA1, AES-128-CBC-HMAC-SHA256, AES-256-CBC-HMAC-SHA1, AES-256-CBC-HMAC-SHA256, TLS1-PRF, HKDF, X25519, X448]
....

Details about the issue:
  2. When I test Asynch_mode_nginx / SSL (https://serverhostname - from a browser) it returns this error in the nginx log:

SSL_do_handshake() failed (SSL: error:3900008C:Provider routines::missing seed error:14000044:SSL routines::internal error) while SSL handshaking, client:

  3. When I test Asynch_mode_nginx / SSL from the command line (openssl s_client -connect serverhostname:443) it returns this error:

CONNECTED(00000003)
40:77:4C:5E:7B:7F:00:00:error:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:307:

  4. I checked the ssl certificate itself and it is good:

I used the usual nginx(Without Asynch) on the same server and ssl passed ok.

can you please help me to find out the issue?

Thanks

Worker segfault when ssl_engine {} block is not defined or incomplete

With the below configuration nginx worker segfaults immediately on start:

$ cat nginx-segfault-on-worker-start.conf 
worker_processes 1;

load_module modules/ngx_ssl_engine_qat_module.so;

error_log /home/dvuser14/sandbox/error.log info;
pid /home/dvuser14/sandbox/nginx.pid;

#ssl_engine {        # This directive enables the use of QAT offload.  If "ssl_engine" is omitted, then software will be used
#    use_engine qatengine;
#    default_algorithms ALL;
#    qat_engine {
#        qat_notify_mode poll;
#        qat_offload_mode async;
#        qat_external_poll_interval 1;
#    }
#}

events  {}

http {}

Backtrace:

(gdb) bt full
#0  ngx_ssl_engine_qat_process_init (cycle=0x55af0eb25a20) at modules/nginx_qat_module//ngx_ssl_engine_qat_module.c:1123
        conf = <optimized out>
#1  0x000055af0cf9294e in ngx_worker_process_init (cycle=cycle@entry=0x55af0eb25a20, worker=worker@entry=0) at src/os/unix/ngx_process_cycle.c:950
        set = {__val = {0 <repeats 16 times>}}
        n = <optimized out>
        tp = <optimized out>
        i = <optimized out>
        cpu_affinity = <optimized out>
        rlmt = {rlim_cur = 140721928421624, rlim_max = 1}
        ccf = <optimized out>
        ls = <optimized out>
#2  0x000055af0cf92e1a in ngx_worker_process_cycle (cycle=cycle@entry=0x55af0eb25a20, data=data@entry=0x0) at src/os/unix/ngx_process_cycle.c:745
        worker = 0
#3  0x000055af0cf9146b in ngx_spawn_process (cycle=cycle@entry=0x55af0eb25a20, proc=0x55af0cf92df0 <ngx_worker_process_cycle>, data=0x0, name=0x55af0cff5a33 "worker process", respawn=respawn@entry=1)
    at src/os/unix/ngx_process.c:199
        on = 1
        pid = 0
        s = 1
#4  0x000055af0cf93bc4 in ngx_reap_children (cycle=0x55af0eb25a20) at src/os/unix/ngx_process_cycle.c:633
        i = <optimized out>
        live = 0
        n = <optimized out>
        ch = {command = 2, pid = 297231, slot = 1, fd = -1}
        ccf = <optimized out>
        i = <optimized out>
        n = <optimized out>
        live = <optimized out>
        ch = <optimized out>
        ccf = <optimized out>
#5  ngx_master_process_cycle (cycle=0x55af0eb25a20) at src/os/unix/ngx_process_cycle.c:177
        title = <optimized out>
        p = <optimized out>
        size = <optimized out>
        i = <optimized out>
        n = <optimized out>
        sigio = 0
        set = {__val = {0 <repeats 16 times>}}
        itv = {it_interval = {tv_sec = 94210354199220, tv_usec = 0}, it_value = {tv_sec = 0, tv_usec = 0}}
        live = <optimized out>
        delay = 0
        ls = <optimized out>
        ccf = 0x55af0eb26a98
#6  0x000055af0cf6aadc in main (argc=<optimized out>, argv=<optimized out>) at src/core/nginx.c:389
        b = <optimized out>
        log = <optimized out>
        i = <optimized out>
        cycle = 0x55af0eb21a10
        init_cycle = {conf_ctx = 0x0, pool = 0x55af0eb05cf0, log = 0x55af0d22a560 <ngx_log>, new_log = {log_level = 0, file = 0x0, connection = 0, disk_full_time = 0, handler = 0x0, data = 0x0, 
            writer = 0x0, wdata = 0x0, action = 0x0, next = 0x0}, log_use_stderr = 0, files = 0x0, free_connections = 0x0, free_connection_n = 0, modules = 0x0, modules_n = 0, modules_used = 0, 
          reusable_connections_queue = {prev = 0x0, next = 0x0}, reusable_connections_n = 0, listening = {elts = 0x0, nelts = 0, size = 0, nalloc = 0, pool = 0x0}, paths = {elts = 0x0, nelts = 0, 
            size = 0, nalloc = 0, pool = 0x0}, config_dump = {elts = 0x0, nelts = 0, size = 0, nalloc = 0, pool = 0x0}, config_dump_rbtree = {root = 0x0, sentinel = 0x0, insert = 0x0}, 
          config_dump_sentinel = {key = 0, left = 0x0, right = 0x0, parent = 0x0, color = 0 '\000', data = 0 '\000'}, open_files = {last = 0x0, part = {elts = 0x0, nelts = 0, next = 0x0}, size = 0, 
            nalloc = 0, pool = 0x0}, shared_memory = {last = 0x0, part = {elts = 0x0, nelts = 0, next = 0x0}, size = 0, nalloc = 0, pool = 0x0}, connection_n = 0, files_n = 0, connections = 0x0, 
          read_events = 0x0, write_events = 0x0, async_events = 0x0, old_cycle = 0x0, conf_file = {len = 37, data = 0x55af0eb05d40 " "}, conf_param = {len = 0, data = 0x0}, conf_prefix = {len = 27, 
            data = 0x55af0eb05d40 " "}, prefix = {len = 27, data = 0x7ffc608e5475 "l/nginx/sbin/nginx -p /tmp/nginx-test-w9Kc7SxfE9/ -c nginx.conf"}, lock_file = {len = 0, data = 0x0}, hostname = {
            len = 0, data = 0x0}, no_ssl_init = 0}
        cd = <optimized out>
        ccf = <optimized out>
(gdb) 

With the empty ssl_engine {} block, nginx worker segfaults on exit; configuration:

$ cat nginx-segfault-on-worker-exit.conf 
worker_processes 1;

load_module modules/ngx_ssl_engine_qat_module.so;

error_log /home/dvuser14/sandbox/error.log info;
pid /home/dvuser14/sandbox/nginx.pid;

ssl_engine {        # This directive enables the use of QAT offload.  If "ssl_engine" is omitted, then software will be used
#    use_engine qatengine;
#    default_algorithms ALL;
#    qat_engine {
#        qat_notify_mode poll;
#        qat_offload_mode async;
#        qat_external_poll_interval 1;
#    }
}

events  {}

http {}

Backtrace:

(gdb) bt full
#0  0x00007fe716dead00 in ?? ()
No symbol table info available.
#1  0x00007fe717958b61 in engine_pkey_meths_free () from /usr/local/ssl/lib/libcrypto.so.1.1
No symbol table info available.
#2  0x00007fe717955fa2 in engine_free_util () from /usr/local/ssl/lib/libcrypto.so.1.1
No symbol table info available.
#3  0x00007fe7179567d4 in ENGINE_remove () from /usr/local/ssl/lib/libcrypto.so.1.1
No symbol table info available.
#4  0x00007fe7179568b5 in engine_list_cleanup () from /usr/local/ssl/lib/libcrypto.so.1.1
No symbol table info available.
#5  0x00007fe717955e36 in engine_cleanup_cb_free () from /usr/local/ssl/lib/libcrypto.so.1.1
No symbol table info available.
#6  0x00007fe7179efaa3 in OPENSSL_sk_pop_free () from /usr/local/ssl/lib/libcrypto.so.1.1
No symbol table info available.
#7  0x00007fe717956149 in engine_cleanup_int () from /usr/local/ssl/lib/libcrypto.so.1.1
No symbol table info available.
#8  0x00007fe71797fa9d in OPENSSL_cleanup () from /usr/local/ssl/lib/libcrypto.so.1.1
No symbol table info available.
#9  0x00007fe717260f8c in __run_exit_handlers () from /lib64/libc.so.6
No symbol table info available.
#10 0x00007fe7172610c0 in exit () from /lib64/libc.so.6
No symbol table info available.
#11 0x00005610b640744a in ngx_worker_process_exit (cycle=cycle@entry=0x5610b8151a00) at src/os/unix/ngx_process_cycle.c:1053
        i = <optimized out>
        c = <optimized out>
#12 0x00005610b6407f59 in ngx_worker_process_cycle (cycle=cycle@entry=0x5610b8151a00, data=data@entry=0x0) at src/os/unix/ngx_process_cycle.c:763
        worker = 0
#13 0x00005610b640646b in ngx_spawn_process (cycle=cycle@entry=0x5610b8151a00, proc=proc@entry=0x5610b6407df0 <ngx_worker_process_cycle>, data=data@entry=0x0, 
    name=name@entry=0x5610b646aa33 "worker process", respawn=respawn@entry=-3) at src/os/unix/ngx_process.c:199
        on = 1
        pid = 0
        s = 0
#14 0x00005610b6407590 in ngx_start_worker_processes (cycle=cycle@entry=0x5610b8151a00, n=1, type=type@entry=-3) at src/os/unix/ngx_process_cycle.c:363
        i = 0
        ch = {command = 1, pid = 0, slot = 0, fd = 0}
#15 0x00005610b640880f in ngx_master_process_cycle (cycle=0x5610b8151a00) at src/os/unix/ngx_process_cycle.c:133
        title = <optimized out>
        p = <optimized out>
        size = <optimized out>
        i = <optimized out>
        n = <optimized out>
        sigio = <optimized out>
        set = {__val = {0 <repeats 16 times>}}
        itv = {it_interval = {tv_sec = 94629807864684, tv_usec = 0}, it_value = {tv_sec = 0, tv_usec = 0}}
        live = <optimized out>
        delay = <optimized out>
        ls = <optimized out>
        ccf = 0x5610b8153820
#16 0x00005610b63dfadc in main (argc=<optimized out>, argv=<optimized out>) at src/core/nginx.c:389
        b = <optimized out>
        log = <optimized out>
        i = <optimized out>
        cycle = 0x5610b8151a00
        init_cycle = {conf_ctx = 0x0, pool = 0x5610b8135ce0, log = 0x5610b669f560 <ngx_log>, new_log = {log_level = 0, file = 0x0, connection = 0, disk_full_time = 0, handler = 0x0, data = 0x0, 
            writer = 0x0, wdata = 0x0, action = 0x0, next = 0x0}, log_use_stderr = 0, files = 0x0, free_connections = 0x0, free_connection_n = 0, modules = 0x0, modules_n = 0, modules_used = 0, 
          reusable_connections_queue = {prev = 0x0, next = 0x0}, reusable_connections_n = 0, listening = {elts = 0x0, nelts = 0, size = 0, nalloc = 0, pool = 0x0}, paths = {elts = 0x0, nelts = 0, 
            size = 0, nalloc = 0, pool = 0x0}, config_dump = {elts = 0x0, nelts = 0, size = 0, nalloc = 0, pool = 0x0}, config_dump_rbtree = {root = 0x0, sentinel = 0x0, insert = 0x0}, 
          config_dump_sentinel = {key = 0, left = 0x0, right = 0x0, parent = 0x0, color = 0 '\000', data = 0 '\000'}, open_files = {last = 0x0, part = {elts = 0x0, nelts = 0, next = 0x0}, size = 0, 
            nalloc = 0, pool = 0x0}, shared_memory = {last = 0x0, part = {elts = 0x0, nelts = 0, next = 0x0}, size = 0, nalloc = 0, pool = 0x0}, connection_n = 0, files_n = 0, connections = 0x0, 
          read_events = 0x0, write_events = 0x0, async_events = 0x0, old_cycle = 0x0, conf_file = {len = 50, data = 0x7ffd57c28539 ""}, conf_param = {len = 0, data = 0x0}, conf_prefix = {len = 23, 
            data = 0x7ffd57c28539 ""}, prefix = {len = 18, data = 0x5610b64669e1 "/usr/local/nginx//"}, lock_file = {len = 0, data = 0x0}, hostname = {len = 0, data = 0x0}, no_ssl_init = 0}
        cd = <optimized out>
        ccf = <optimized out>
(gdb)

So, the bare working minimum is something like this:

ssl_engine {
    use_engine qatengine;
}

I'm sure this must be fixed so valid configurations (without ssl_engine {} block at all) would work.

compilation error: ssl_enabled not defined.

Compilation error against nginx-1.14.2:

/home/asynch_mode_nginx/modules/nginx_qat_module/ngx_ssl_engine_qat_module.c:284:31: error: 'ngx_connection_t {aka struct ngx_connection_s}' has no member named 'ssl_enabled'
(!c[i].ssl && c[i].ssl_enabled)) {

There is no ssl_enabled defined in structure ngx_connection_s in either 1.14.2 or 1.10.3 (which the module is claimed to have been developed on), or in even earlier versions of nginx. What exactly is the code compiled against?

Only qatengine engine name allowed

looks like only:

ssl_engine {
    use_engine qatengine; 
    ...
}

is allowed. I'm building QAT Engine separately for both HW and SW paths: qat-sw and qat-hw but

ssl_engine {
    use_engine qat-sw; 
    ...
}

gives: nginx: [emerg] invalid engine type "qat-sw" in /usr/share/nginx/conf/nginx.conf:20

Nginx startup error when config "ssl_engine "

When I start nginx, it says:

nginx: [emerg] ENGINE_by_id("qatengine") failed
nginx: [emerg] ssl engine send ctrl failed
nginx: [emerg] ssl engine set failed

And my nginx config file:

worker_processes 88;

load_module modules/ngx_ssl_engine_qat_module.so;

events {
    use epoll;
    worker_connections 8192;
    multi_accept on;
    accept_mutex on;
}

ssl_engine {
    use_engine qatengine;
    default_algorithms RSA,EC,DH,PKEY_CRYPTO;
    qat_engine {
        qat_sw_fallback on;
        qat_offload_mode async;
        qat_notify_mode poll;
        qat_poll_mode heuristic;
        qat_shutting_down_release on;
    }
}

Triggering async event timeouts for slow connections

An async event timeout is set up if SSL_get_error returns SSL_ERROR_WANT_ASYNC:

ngx_add_timer(c->async, NGX_ASYNC_EVENT_TIMEOUT);

But the timer is never deleted.

So it happens that if, for example, nginx is waiting for data to be read from the connection for more than NGX_ASYNC_EVENT_TIMEOUT (10 seconds), the timer fires and c->async->timedout is set to 1.

I think that the timer should be deleted when an async event is triggered. Which means that

    if (aev->timer_set) {
        ngx_del_timer(aev);
    }

should be in every ngx_ssl_*_async_handler.

Tested with NGX_ASYNC_EVENT_TIMEOUT 1000 and it indeed fixes the problem.

One more question. Is there any particular reason that async timeout is chosen to be 10 seconds?
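The timer lifecycle this report describes, as an added simulation that is not part of asynch_mode_nginx or nginx itself: a tiny event with nginx-style timer_set / timedout flags, a timer that is armed on the SSL_ERROR_WANT_ASYNC path, and an async completion handler that either leaves the timer armed (the behaviour reported) or deletes it (the proposed fix). The sim_* names, the 1 s time steps and the return codes are hypothetical; only the 10 s timeout value comes from the report.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration, not project code. Models the one point the report
 * makes: a timer armed when the crypto offload starts must be disarmed when
 * the offload completes, otherwise it fires later while the connection is
 * legitimately idle waiting for client data. */

#define SIM_ASYNC_EVENT_TIMEOUT 10000   /* ms; the 10 s default mentioned in the report */

typedef struct {
    unsigned timer_set:1;   /* timer currently armed (nginx: ev->timer_set) */
    unsigned timedout:1;    /* timer expired before being deleted (nginx: ev->timedout) */
    unsigned ready:1;       /* async completion has been handled */
    long     expire_at;     /* absolute expiry time in ms (hypothetical field) */
} sim_event_t;

static void sim_add_timer(sim_event_t *ev, long now, long timeout_ms)
{
    ev->expire_at = now + timeout_ms;
    ev->timer_set = 1;
}

static void sim_del_timer(sim_event_t *ev)
{
    ev->timer_set = 0;
}

/* Timer tick: fire an armed timer whose deadline has passed. */
static void sim_expire_timers(sim_event_t *ev, long now)
{
    if (ev->timer_set && now >= ev->expire_at) {
        ev->timer_set = 0;
        ev->timedout = 1;
    }
}

/* Async completion handler. del_timer_on_completion selects between the
 * reported behaviour (timer left armed) and the fix the report proposes. */
static void sim_async_handler(sim_event_t *ev, int del_timer_on_completion)
{
    if (del_timer_on_completion && ev->timer_set) {
        sim_del_timer(ev);
    }
    ev->ready = 1;
}

/* Scenario: offload requested at t=0 (timer armed); offload completes at
 * completion_ms (never, if negative); the connection then idles until
 * idle_until_ms while nginx waits for client data.
 * Returns 0 = no timeout, 1 = genuine timeout (offload never completed),
 * 2 = spurious timeout (offload completed, stale timer fired anyway). */
int sim_run(long completion_ms, long idle_until_ms, int del_timer_on_completion)
{
    sim_event_t ev;
    long now;

    memset(&ev, 0, sizeof(ev));
    sim_add_timer(&ev, 0, SIM_ASYNC_EVENT_TIMEOUT);   /* SSL_ERROR_WANT_ASYNC path */

    for (now = 0; now <= idle_until_ms; now += 1000) {
        if (now == completion_ms) {
            sim_async_handler(&ev, del_timer_on_completion);
        }
        sim_expire_timers(&ev, now);
    }

    if (!ev.timedout) {
        return 0;
    }
    return ev.ready ? 2 : 1;
}

int main(void)
{
    printf("timer left armed, slow client:    %d\n", sim_run(2000, 15000, 0));
    printf("timer deleted in handler:         %d\n", sim_run(2000, 15000, 1));
    printf("timer left armed, fast client:    %d\n", sim_run(2000, 5000, 0));
    printf("offload never completes (fix on): %d\n", sim_run(-1, 15000, 1));
    return 0;
}
```

The fourth scenario is the one the timer exists for: with the fix applied, an offload that never completes still produces a genuine timeout, so deleting the timer in the completion handler removes only the spurious case, not the protection.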
