openssl 1.1.1e 14095126:SSL routines:ssl3_read_n

Sergey Kandaurov pluknet at nginx.com
Mon Mar 23 11:04:36 UTC 2020


> On 22 Mar 2020, at 21:39, itpp2012 <nginx-forum at forum.nginx.org> wrote:
> 
> How about this as this catches all 3 while conditions:
> 
> +++ src/event/ngx_event_openssl.c
> @@ -2318,
> 
>    c->ssl->no_wait_shutdown = 1;
>    c->ssl->no_send_shutdown = 1;
> 
>    if (sslerr == SSL_ERROR_ZERO_RETURN || ERR_peek_error() == 0) {
>        ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
>                       "peer shutdown SSL cleanly");
>        return NGX_DONE;
>    }
> 
> +    /* https://forum.nginx.org/read.php?2,287377  */
> +    /* https://github.com/openssl/openssl/issues/11381  */
> +#ifdef SSL_R_UNEXPECTED_EOF_WHILE_READING
> +    if (sslerr == SSL_ERROR_SSL && ERR_GET_REASON(ERR_peek_error())
> +                   == SSL_R_UNEXPECTED_EOF_WHILE_READING) {
> +        ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
> +                       "ssl3_read_n:unexpected eof while reading");
> +        return NGX_DONE;
> +    }
> +#endif
> +
>    ngx_ssl_connection_error(c, sslerr, err, "SSL_read() failed");
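
Review bot: in the added `#ifdef SSL_R_UNEXPECTED_EOF_WHILE_READING` branch, `return NGX_DONE;` gives an unexpected EOF the same result as the "peer shutdown SSL cleanly" case above it, so a connection cut off without close_notify is no longer told apart from a clean close and is recorded only at debug level. Consider logging it at a non-debug level so truncated connections stay visible. The branch also returns with the entry it matched still on the OpenSSL error queue, because ERR_peek_error() does not remove it; call ERR_clear_error() before the return. The debug string hardcodes ssl3_read_n, which ties the message to one OpenSSL internal function; "unexpected eof while reading" alone would be enough.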

How would this catch the reported error in SSL_do_handshake()?
I'd replicate this check in ngx_ssl_handshake().
And probably for SSL_read_early_data, SSL_shutdown, SSL_peek,
(ok, we don't use SSL_peek), but this is a moot point.

-- 
Sergey Kandaurov


