[nginx] SSL: use of the SSL_OP_IGNORE_UNEXPECTED_EOF option.

Sergey Kandaurov pluknet at nginx.com
Tue Aug 10 21:46:39 UTC 2021


details:   https://hg.nginx.org/nginx/rev/1a03af395f44
branches:  
changeset: 7899:1a03af395f44
user:      Sergey Kandaurov <pluknet at nginx.com>
date:      Tue Aug 10 23:43:17 2021 +0300
description:
SSL: use of the SSL_OP_IGNORE_UNEXPECTED_EOF option.

A new behaviour was introduced in OpenSSL 1.1.1e, when a peer does not send
close_notify before closing the connection.  Previously, it was to return
SSL_ERROR_SYSCALL with errno 0, known since at least OpenSSL 0.9.7, and is
handled gracefully in nginx.  Now it returns SSL_ERROR_SSL with a distinct
reason SSL_R_UNEXPECTED_EOF_WHILE_READING ("unexpected eof while reading").
This leads to critical errors seen in nginx within various routines such as
SSL_do_handshake(), SSL_read(), SSL_shutdown().  The behaviour was restored
in OpenSSL 1.1.1f, but presents in OpenSSL 3.0 by default.

Use of the SSL_OP_IGNORE_UNEXPECTED_EOF option added in OpenSSL 3.0 allows
to set a compatible behaviour to return SSL_ERROR_ZERO_RETURN:
https://git.openssl.org/?p=openssl.git;a=commitdiff;h=09b90e0

See for additional details: https://github.com/openssl/openssl/issues/11381

diffstat:

 src/event/ngx_event_openssl.c |  4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

diffs (14 lines):

diff -r 8f7107617550 -r 1a03af395f44 src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c	Tue Aug 10 23:43:16 2021 +0300
+++ b/src/event/ngx_event_openssl.c	Tue Aug 10 23:43:17 2021 +0300
@@ -378,6 +378,10 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_
     SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_CLIENT_RENEGOTIATION);
 #endif
 
+#ifdef SSL_OP_IGNORE_UNEXPECTED_EOF
+    SSL_CTX_set_options(ssl->ctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
+#endif
+
 #ifdef SSL_MODE_RELEASE_BUFFERS
     SSL_CTX_set_mode(ssl->ctx, SSL_MODE_RELEASE_BUFFERS);
 #endif


More information about the nginx-devel mailing list