openssl 1.1.1e 14095126:SSL routines:ssl3_read_n

Thomas Stephen Lee lee.iitb at gmail.com
Thu Apr 2 05:45:11 UTC 2020


On Mon, Mar 23, 2020 at 6:05 PM Maxim Dounin <mdounin at mdounin.ru> wrote:

> Hello!
>
> On Mon, Mar 23, 2020 at 02:04:36PM +0300, Sergey Kandaurov wrote:
>
> >
> > > On 22 Mar 2020, at 21:39, itpp2012 <nginx-forum at forum.nginx.org> wrote:
> > >
> > > How about this as this catches all 3 while conditions:
> > >
> > > +++ src/event/ngx_event_openssl.c
> > > @@ -2318,
> > >
> > >    c->ssl->no_wait_shutdown = 1;
> > >    c->ssl->no_send_shutdown = 1;
> > >
> > >    if (sslerr == SSL_ERROR_ZERO_RETURN || ERR_peek_error() == 0) {
> > >        ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
> > >                       "peer shutdown SSL cleanly");
> > >        return NGX_DONE;
> > >    }
> > >
> > > +    /* https://forum.nginx.org/read.php?2,287377  */
> > > +    /* https://github.com/openssl/openssl/issues/11381  */
> > > +#ifdef SSL_R_UNEXPECTED_EOF_WHILE_READING
> > > +    if (sslerr == SSL_ERROR_SSL && ERR_GET_REASON(ERR_peek_error())
> > > +                   == SSL_R_UNEXPECTED_EOF_WHILE_READING) {
> > > +        ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
> > > +                       "ssl3_read_n:unexpected eof while reading");
> > > +        return NGX_DONE;
> > > +    }
> > > +#endif
> > > +
> > >    ngx_ssl_connection_error(c, sslerr, err, "SSL_read() failed");
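Review bot: the reason-code test in the added block (`ERR_GET_REASON(ERR_peek_error()) == SSL_R_UNEXPECTED_EOF_WHILE_READING`) is incomplete, because OpenSSL reason codes are only unique within one error library; an error from another library whose reason number happens to collide would also be logged as a clean EOF. Qualify it with the library, e.g. peek once into a local and test both `ERR_GET_LIB(e) == ERR_LIB_SSL` and `ERR_GET_REASON(e) == SSL_R_UNEXPECTED_EOF_WHILE_READING`. Also, the new branch returns NGX_DONE with the peeked entry still in the error queue, whereas the existing failure path hands it to ngx_ssl_connection_error(); call ERR_clear_error() before the new `return NGX_DONE;` so the stale entry is not attributed to the next SSL call on this thread.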
> >
> > How would this catch the reported error in SSL_do_handshake() ?
> > I'd replicate this check in ngx_ssl_handshake().
> > And probably for SSL_read_early_data, SSL_shutdown, SSL_peek,
> > (ok, we don't use SSL_peek), but this is a moot point.
>
> Given the session resumption issue[1], I tend to think the best
> solution for now is to recommend to avoid using OpenSSL 1.1.1e.
>
> [1] https://github.com/openssl/openssl/issues/11378
>
> --
> Maxim Dounin
> http://mdounin.ru/
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>

Hi,

does OpenSSL 1.1.1f fix the issue?

thanks.

---
Lee