summaryrefslogtreecommitdiffhomepage
path: root/src/nxt_cert.c
diff options
context:
space:
mode:
authorSergey Kandaurov <pluknet@nginx.com>2022-05-12 12:04:54 +0400
committerSergey Kandaurov <pluknet@nginx.com>2022-05-12 12:04:54 +0400
commit6cfa1c397005dc9b2904da2934120d98fe451079 (patch)
treee5c85824e541322bb9c4d693a1b472f5f5b847d8 /src/nxt_cert.c
parent5665838b680cdc06d6eb83107e4d46db6cfae0c4 (diff)
downloadunit-6cfa1c397005dc9b2904da2934120d98fe451079.tar.gz
unit-6cfa1c397005dc9b2904da2934120d98fe451079.tar.bz2
Using SSL_OP_IGNORE_UNEXPECTED_EOF.
A new behaviour was introduced in OpenSSL 1.1.1e, when a peer does not send close_notify before closing the connection. Previously, it was to return SSL_ERROR_SYSCALL with errno 0, known since at least OpenSSL 0.9.7, and is handled gracefully in unitd. Now it returns SSL_ERROR_SSL with a distinct reason SSL_R_UNEXPECTED_EOF_WHILE_READING ("unexpected eof while reading"). This leads to critical errors seen in nginx within various routines such as SSL_do_handshake(), SSL_read(), SSL_shutdown(). The behaviour was restored in OpenSSL 1.1.1f, but presents in OpenSSL 3.0 by default. Use of the SSL_OP_IGNORE_UNEXPECTED_EOF option added in OpenSSL 3.0 allows setting a compatible behaviour to return SSL_ERROR_ZERO_RETURN: https://git.openssl.org/?p=openssl.git;a=commitdiff;h=09b90e0 See for additional details: https://github.com/openssl/openssl/issues/11381
Diffstat (limited to 'src/nxt_cert.c')
0 files changed, 0 insertions, 0 deletions