Mercurial > hg > nginx

comparison src/event/ngx_event_openssl.c @ 7899:1a03af395f44

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
SSL: use of the SSL_OP_IGNORE_UNEXPECTED_EOF option. A new behaviour was introduced in OpenSSL 1.1.1e, when a peer does not send close_notify before closing the connection. Previously, it was to return SSL_ERROR_SYSCALL with errno 0, known since at least OpenSSL 0.9.7, and is handled gracefully in nginx. Now it returns SSL_ERROR_SSL with a distinct reason SSL_R_UNEXPECTED_EOF_WHILE_READING ("unexpected eof while reading"). This leads to critical errors seen in nginx within various routines such as SSL_do_handshake(), SSL_read(), SSL_shutdown(). The behaviour was restored in OpenSSL 1.1.1f, but presents in OpenSSL 3.0 by default. Use of the SSL_OP_IGNORE_UNEXPECTED_EOF option added in OpenSSL 3.0 allows to set a compatible behaviour to return SSL_ERROR_ZERO_RETURN: https://git.openssl.org/?p=openssl.git;a=commitdiff;h=09b90e0 See for additional details: https://github.com/openssl/openssl/issues/11381
author Sergey Kandaurov <pluknet@nginx.com>
date Tue, 10 Aug 2021 23:43:17 +0300
parents 4195a6f0c61c
children 509b663a789c
comparison
equal deleted inserted replaced
7898:8f7107617550 7899:1a03af395f44
374 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_ANTI_REPLAY); 374 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_ANTI_REPLAY);
375 #endif 375 #endif
376 376
377 #ifdef SSL_OP_NO_CLIENT_RENEGOTIATION 377 #ifdef SSL_OP_NO_CLIENT_RENEGOTIATION
378 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_CLIENT_RENEGOTIATION); 378 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_CLIENT_RENEGOTIATION);
379 #endif
380
381 #ifdef SSL_OP_IGNORE_UNEXPECTED_EOF
382 SSL_CTX_set_options(ssl->ctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
379 #endif 383 #endif
380 384
381 #ifdef SSL_MODE_RELEASE_BUFFERS 385 #ifdef SSL_MODE_RELEASE_BUFFERS
382 SSL_CTX_set_mode(ssl->ctx, SSL_MODE_RELEASE_BUFFERS); 386 SSL_CTX_set_mode(ssl->ctx, SSL_MODE_RELEASE_BUFFERS);
383 #endif 387 #endif