summaryrefslogtreecommitdiffhomepage
diff options
context:
space:
mode:
authorSergey Kandaurov <pluknet@nginx.com>2022-05-12 12:04:54 +0400
committerSergey Kandaurov <pluknet@nginx.com>2022-05-12 12:04:54 +0400
commit6cfa1c397005dc9b2904da2934120d98fe451079 (patch)
treee5c85824e541322bb9c4d693a1b472f5f5b847d8
parent5665838b680cdc06d6eb83107e4d46db6cfae0c4 (diff)
downloadunit-6cfa1c397005dc9b2904da2934120d98fe451079.tar.gz
unit-6cfa1c397005dc9b2904da2934120d98fe451079.tar.bz2
Using SSL_OP_IGNORE_UNEXPECTED_EOF.
A new behaviour was introduced in OpenSSL 1.1.1e, when a peer does not send close_notify before closing the connection. Previously, it was to return SSL_ERROR_SYSCALL with errno 0, known since at least OpenSSL 0.9.7, and is handled gracefully in unitd. Now it returns SSL_ERROR_SSL with a distinct reason SSL_R_UNEXPECTED_EOF_WHILE_READING ("unexpected eof while reading"). This leads to critical errors seen in nginx within various routines such as SSL_do_handshake(), SSL_read(), SSL_shutdown(). The behaviour was restored in OpenSSL 1.1.1f, but presents in OpenSSL 3.0 by default. Use of the SSL_OP_IGNORE_UNEXPECTED_EOF option added in OpenSSL 3.0 allows setting a compatible behaviour to return SSL_ERROR_ZERO_RETURN: https://git.openssl.org/?p=openssl.git;a=commitdiff;h=09b90e0 See for additional details: https://github.com/openssl/openssl/issues/11381
-rw-r--r--src/nxt_openssl.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/src/nxt_openssl.c b/src/nxt_openssl.c
index 38cf652d..e19b1381 100644
--- a/src/nxt_openssl.c
+++ b/src/nxt_openssl.c
@@ -326,6 +326,11 @@ nxt_openssl_server_init(nxt_task_t *task, nxt_mp_t *mp,
SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION);
#endif
+#ifdef SSL_OP_IGNORE_UNEXPECTED_EOF
+ /* Request SSL_ERROR_ZERO_RETURN on EOF. */
+ SSL_CTX_set_options(ctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
+#endif
+
#ifdef SSL_MODE_RELEASE_BUFFERS
if (nxt_openssl_version >= 10001078) {