
List:       apache-httpd-dev
Subject:    Re: mod_ssl SSL_OP_IGNORE_UNEXPECTED_EOF: "unexpected eof while reading"
From:       Joe Orton <jorton () redhat ! com>
Date:       2023-09-08 9:25:45
Message-ID: ZPromXCBFO0bf+/7 () redhat ! com

On Thu, Sep 07, 2023 at 06:46:01PM +0200, Yann Ylavic wrote:
> On Thu, Sep 7, 2023 at 6:09 PM Yann Ylavic <ylavic.dev@gmail.com> wrote:
> >
> > On Wed, Aug 30, 2023 at 1:22 PM Rainer Jung <rainer.jung@kippdata.de> wrote:
> > >
> > > OpenSSL 3 flags some abortive shutdowns as an error different to what
> > > 1.1.1 did. This results in info log output in httpd:
> > >
> > > [Tue Aug 29 12:33:06.787210 2023] [ssl:info] [pid 1994673:tid 1994737]
> > > SSL Library Error: error:0A000126:SSL routines::unexpected eof while reading
> > > [Tue Aug 29 12:33:06.787374 2023] [ssl:info] [pid 1994673:tid 1994737]
> > > [client 1.2.3.4:54790] AH01998: Connection closed to child 215 with
> > > abortive shutdown (server myserver:443)
> >
> > The info looks legit to me (someone closed the connection with no
> > close_notify), possibly we want to log it at APLOG_DEBUG/TRACEx still
> > if it happens too often?
> > We don't do that though for SSL_ERROR_ZERO_RETURN in openssl < 3, but
> > maybe we should too like in the attached patch (instead of r1912015)?
> 
> Scratch that patch, SSL_ERROR_ZERO_RETURN is actually when
> close_notify was received, we'd rather need to test SSL_ERROR_SYSCALL
> && errno == 0 with openssl < 0, which is more tricky in httpd with the
> EOS bucket vs APR_EOF.
> Hm, not sure we want to complicate this more..

Yeah, I wondered about that too. Maybe we need some kind of "strict 
mode" in mod_ssl which does better/correct close_notify handling?

Regards, Joe
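
The distinction this thread turns on, shown as an added example (not code from httpd, mod_ssl or any poster): it decodes the packed error code from the quoted log line and classifies a failed read as a clean close_notify shutdown or a truncated stream under both OpenSSL < 3 and OpenSSL 3 reporting. The `X_` constants mirror OpenSSL header values so the block builds without the library, and `parse_err_code` and `classify_eos` are hypothetical helper names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Values mirrored from OpenSSL's public headers so this builds without the
 * library; real code includes <openssl/ssl.h> and <openssl/err.h> instead. */
enum { X_ERROR_SSL = 1, X_ERROR_SYSCALL = 5, X_ERROR_ZERO_RETURN = 6 };
enum { X_LIB_SSL = 20, X_R_UNEXPECTED_EOF = 294 }; /* 294 == 0x126 */

typedef enum { EOS_CLEAN, EOS_TRUNCATED, EOS_OTHER } eos_kind;

/* Hypothetical helper: pull the packed code out of "error:0A000126:...". */
unsigned long parse_err_code(const char *line)
{
    const char *p = strstr(line, "error:");
    return p ? strtoul(p + 6, NULL, 16) : 0UL;
}

/* OpenSSL 3 packs a queue entry as (lib << 23) | reason; bit 31 flags errno. */
static int is_unexpected_eof(unsigned long e)
{
    if (e & 0x80000000UL)
        return 0;
    return (int)((e >> 23) & 0xFF) == X_LIB_SSL
        && (int)(e & 0x7FFFFFUL) == X_R_UNEXPECTED_EOF;
}

/* Hypothetical helper: classify how a failed read ended the stream, given
 * SSL_get_error()'s result, errno, and the top error-queue entry. */
eos_kind classify_eos(int ssl_error, int sys_errno, unsigned long queue_err)
{
    /* close_notify received. With SSL_OP_IGNORE_UNEXPECTED_EOF set, OpenSSL 3
     * also reports a bare TCP close this way, so truncation is not visible. */
    if (ssl_error == X_ERROR_ZERO_RETURN)
        return EOS_CLEAN;
    /* OpenSSL < 3: EOF without close_notify, errno 0 and an empty queue. */
    if (ssl_error == X_ERROR_SYSCALL && sys_errno == 0 && queue_err == 0)
        return EOS_TRUNCATED;
    /* OpenSSL 3: the same event is a library error with reason 0x126. */
    if (ssl_error == X_ERROR_SSL && is_unexpected_eof(queue_err))
        return EOS_TRUNCATED;
    return EOS_OTHER;
}

int main(void)
{
    /* Log text taken from the report quoted above. */
    unsigned long e = parse_err_code("SSL Library Error: error:0A000126:SSL routines::unexpected eof while reading");
    printf("code=%08lX truncated=%d\n", e, classify_eos(X_ERROR_SSL, 0, e) == EOS_TRUNCATED);
    return 0;
}
```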
