diff options
author | Sergey Kandaurov <pluknet@nginx.com> | 2022-05-12 12:04:54 +0400 |
---|---|---|
committer | Sergey Kandaurov <pluknet@nginx.com> | 2022-05-12 12:04:54 +0400 |
commit | 6cfa1c397005dc9b2904da2934120d98fe451079 (patch) | |
tree | e5c85824e541322bb9c4d693a1b472f5f5b847d8 | |
parent | 5665838b680cdc06d6eb83107e4d46db6cfae0c4 (diff) | |
download | unit-6cfa1c397005dc9b2904da2934120d98fe451079.tar.gz unit-6cfa1c397005dc9b2904da2934120d98fe451079.tar.bz2 |
Using SSL_OP_IGNORE_UNEXPECTED_EOF.
A new behaviour was introduced in OpenSSL 1.1.1e, when a peer does not send
close_notify before closing the connection. Previously, it was to return
SSL_ERROR_SYSCALL with errno 0, known since at least OpenSSL 0.9.7, and is
handled gracefully in unitd. Now it returns SSL_ERROR_SSL with a distinct
reason SSL_R_UNEXPECTED_EOF_WHILE_READING ("unexpected eof while reading").
This leads to critical errors seen in nginx within various routines such as
SSL_do_handshake(), SSL_read(), SSL_shutdown(). The behaviour was restored
in OpenSSL 1.1.1f, but presents in OpenSSL 3.0 by default.
Use of the SSL_OP_IGNORE_UNEXPECTED_EOF option added in OpenSSL 3.0 allows
setting a compatible behaviour to return SSL_ERROR_ZERO_RETURN:
https://git.openssl.org/?p=openssl.git;a=commitdiff;h=09b90e0
See for additional details: https://github.com/openssl/openssl/issues/11381
-rw-r--r-- | src/nxt_openssl.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/src/nxt_openssl.c b/src/nxt_openssl.c index 38cf652d..e19b1381 100644 --- a/src/nxt_openssl.c +++ b/src/nxt_openssl.c @@ -326,6 +326,11 @@ nxt_openssl_server_init(nxt_task_t *task, nxt_mp_t *mp, SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION); #endif +#ifdef SSL_OP_IGNORE_UNEXPECTED_EOF + /* Request SSL_ERROR_ZERO_RETURN on EOF. */ + SSL_CTX_set_options(ctx, SSL_OP_IGNORE_UNEXPECTED_EOF); +#endif + #ifdef SSL_MODE_RELEASE_BUFFERS if (nxt_openssl_version >= 10001078) { |