nginx: src/event/ngx_event_openssl.c comparison

comparison src/event/ngx_event_openssl.c @ 7706:61011bfcdb49

SSL: workaround for incorrect SSL_write() errors in OpenSSL 1.1.1. OpenSSL 1.1.1 fails to return SSL_ERROR_SYSCALL if an error happens during SSL_write() after close_notify alert from the peer, and returns SSL_ERROR_ZERO_RETURN instead. Broken by this commit, which removes the "i == 0" check around the SSL_RECEIVED_SHUTDOWN one: https://git.openssl.org/?p=openssl.git;a=commitdiff;h=8051ab2 In particular, if a client closed the connection without reading the response but with properly sent close_notify alert, this resulted in unexpected "SSL_write() failed while ..." critical log message instead of correct "SSL_write() failed (32: Broken pipe)" at the info level. Since SSL_ERROR_ZERO_RETURN cannot be legitimately returned after SSL_write(), the fix is to convert all SSL_ERROR_ZERO_RETURN errors after SSL_write() to SSL_ERROR_SYSCALL.

author	Maxim Dounin <mdounin@mdounin.ru>
date	Wed, 16 Sep 2020 18:26:22 +0300
parents	09fb2135a589
children	adaec579a967

comparison

equal deleted inserted replaced

-:3781de64e747
+:61011bfcdb49
 return n;
 }
 sslerr = SSL_get_error(c->ssl->connection, n);
+if (sslerr == SSL_ERROR_ZERO_RETURN) {
+/*
+* OpenSSL 1.1.1 fails to return SSL_ERROR_SYSCALL if an error
+* happens during SSL_write() after close_notify alert from the
+* peer, and returns SSL_ERROR_ZERO_RETURN instead,
+* https://git.openssl.org/?p=openssl.git;a=commitdiff;h=8051ab2
+*/
+sslerr = SSL_ERROR_SYSCALL;
+}
 err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0;
 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr);

Mercurial > hg > nginx

comparison src/event/ngx_event_openssl.c @ 7706:61011bfcdb49