Warning: Bad TLS record (error -0xFFFFFFFF)

[s0nx]

Motivation

While running h2load test with multiple streams, several TLS warnings can be observed in logs.

[tempesta tls] Warning: [::ffff:192.168.122.1] Bad TLS record (error -0xFFFFFFFF)                                                                              
[tempesta tls] Warning: [::ffff:192.168.122.1] Bad TLS record (error -0xFFFFFFFF)                                                                              
[tempesta tls] Warning: [::ffff:192.168.122.1] Bad TLS record (error -0xFFFFFFFF)                                                                              
[tempesta tls] Warning: [::ffff:192.168.122.1] Bad TLS record (error -0xFFFFFFFF)                                                                              
[tempesta tls] Warning: [::ffff:192.168.122.1] Bad TLS record (error -0xFFFFFFFF)                                                                              
[tempesta tls] Warning: [::ffff:192.168.122.1] Bad TLS record (error -0xFFFFFFFF)                                                                              
[tempesta tls] Warning: [::ffff:192.168.122.1] Bad TLS record (error -0xFFFFFFFF)                                                                              
[tempesta tls] Warning: [::ffff:192.168.122.1] Bad TLS record (error -0xFFFFFFFF)                                                                              
[tempesta tls] Warning: [::ffff:192.168.122.1] Bad TLS record (error -0xFFFFFFFF)                                                                              
[tempesta tls] Warning: [::ffff:192.168.122.1] Bad TLS record (error -0xFFFFFFFF)                                                                              
net_ratelimit: 1850 callbacks suppressed                                                                                                  

Testing

Tempesta FW conf:

listen 443 proto=h2;

cache 1;
cache_fulfill * *;

srv_group ngx_local {
	# The address is on the same VM
	server 127.0.0.1:8000;
}

vhost f35tfw.local {
	tls_certificate /root/certs/tempesta/RSA/tfw-root.crt;
        tls_certificate_key /root/certs/tempesta/RSA/tfw-root.key;

	proxy_pass ngx_local;
}

http_chain {
	-> f35tfw.local;
}

NGINX conf:

# vim: tabstop=4 expandtab shiftwidth=4 softtabstop=4
user www-data;
worker_processes 4;
pid /run/nginx.pid;

events {
    worker_connections 768;
    # multi_accept on;
}

http {
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # server_tokens off;

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type text/html;

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    gzip on;
    gzip_disable "msie6";

    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    server {
        listen 127.0.0.1:8000 default_server;

        root /var/www/tempesta-tech.com;

        index index;

        server_name _;

        error_page 403 404 /oops;
    }
}

The issue can only be reproduced when running h2load test with multiple streams, e.g.:
h2load https://f35tfw.local -t 2 -c 1000 -D 60 -m 100