Welcome! Log In Create A New Profile

Advanced

Re: openssl 1.1.1e 14095126:SSL routines:ssl3_read_n

Maxim Dounin
March 23, 2020 08:36AM
Hello!

On Mon, Mar 23, 2020 at 02:04:36PM +0300, Sergey Kandaurov wrote:

>
> > On 22 Mar 2020, at 21:39, itpp2012 <nginx-forum@forum.nginx.org> wrote:
> >
> > How about this as this catches all 3 while conditions:
> >
> > +++ src/event/ngx_event_openssl.c
> > @@ -2318,
> >
> > c->ssl->no_wait_shutdown = 1;
> > c->ssl->no_send_shutdown = 1;
> >
> > if (sslerr == SSL_ERROR_ZERO_RETURN || ERR_peek_error() == 0) {
> > ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
> > "peer shutdown SSL cleanly");
> > return NGX_DONE;
> > }
> >
> > + /* https://forum.nginx.org/read.php?2,287377 */
> > + /* https://github.com/openssl/openssl/issues/11381 */
> > +#ifdef SSL_R_UNEXPECTED_EOF_WHILE_READING
> > + if (sslerr == SSL_ERROR_SSL && ERR_GET_REASON(ERR_peek_error())
> > + == SSL_R_UNEXPECTED_EOF_WHILE_READING) {
> > + ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
> > + "ssl3_read_n:unexpected eof while reading");
> > + return NGX_DONE;
> > + }
> > +#endif
> > +
> > ngx_ssl_connection_error(c, sslerr, err, "SSL_read() failed");
>
> How would this catch the reported error in SSL_do_handshake() ?
> I'd replicate this check in ngx_ssl_handshake().
> And probably for SSL_read_early_data, SSL_shutdown, SSL_peak,
> (ok, we don't use SSL_peak), but this is a moot point.

Given the session resumption issue[1], I tend to think the best
solution for now is to recommend to avoid using OpenSSL 1.1.1e.

[1] https://github.com/openssl/openssl/issues/11378

--
Maxim Dounin
http://mdounin.ru/
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Subject Author Posted

openssl 1.1.1e 14095126:SSL routines:ssl3_read_n

itpp2012 March 18, 2020 07:17AM

Re: openssl 1.1.1e 14095126:SSL routines:ssl3_read_n

J.R. March 18, 2020 09:32AM

Re: openssl 1.1.1e 14095126:SSL routines:ssl3_read_n

itpp2012 March 18, 2020 09:52AM

RE: openssl 1.1.1e 14095126:SSL routines:ssl3_read_n

Reinis Rozitis March 19, 2020 05:54PM

Re: openssl 1.1.1e 14095126:SSL routines:ssl3_read_n

Sergey Kandaurov March 20, 2020 03:42AM

Re: openssl 1.1.1e 14095126:SSL routines:ssl3_read_n

Maxim Dounin March 20, 2020 09:00AM

Re: openssl 1.1.1e 14095126:SSL routines:ssl3_read_n

itpp2012 March 20, 2020 09:54AM

Re: openssl 1.1.1e 14095126:SSL routines:ssl3_read_n

Maxim Dounin March 20, 2020 06:14PM

Re: openssl 1.1.1e 14095126:SSL routines:ssl3_read_n

itpp2012 March 21, 2020 04:49PM

Re: openssl 1.1.1e 14095126:SSL routines:ssl3_read_n

itpp2012 March 22, 2020 02:39PM

Re: openssl 1.1.1e 14095126:SSL routines:ssl3_read_n

Sergey Kandaurov March 23, 2020 07:06AM

Re: openssl 1.1.1e 14095126:SSL routines:ssl3_read_n

itpp2012 March 23, 2020 07:41AM

Re: openssl 1.1.1e 14095126:SSL routines:ssl3_read_n

Maxim Dounin March 23, 2020 08:36AM

Re: openssl 1.1.1e 14095126:SSL routines:ssl3_read_n

Thomas Stephen Lee April 02, 2020 01:46AM

Re: openssl 1.1.1e 14095126:SSL routines:ssl3_read_n

itpp2012 April 02, 2020 03:24AM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 204
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 500 on July 15, 2024
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready