
mod_ssl SSL_OP_IGNORE_UNEXPECTED_EOF: "unexpected eof while reading"
Hi there,

OpenSSL 3 flags some abortive shutdowns as an error different to what
1.1.1 did. This results in info log output in httpd:

[Tue Aug 29 12:33:06.787210 2023] [ssl:info] [pid 1994673:tid 1994737]
SSL Library Error: error:0A000126:SSL routines::unexpected eof while reading
[Tue Aug 29 12:33:06.787374 2023] [ssl:info] [pid 1994673:tid 1994737]
[client 1.2.3.4:54790] AH01998: Connection closed to child 215 with
abortive shutdown (server myserver:443)

Some background is given in

https://github.com/openssl/openssl/issues/18866

They introduced a new context option "SSL_OP_IGNORE_UNEXPECTED_EOF" to
suppress this. Some other software now sets it with SSL_CTX_set_options():

- nginx

https://github.com/nginx/nginx/commit/5155845ce4453a07d60e2ce43946c9181bc311fa

- PHP

https://github.com/php/php-src/pull/8558/commits/55be0f489e390d28892a07c32d45a404c62fc9f2

I suggest adopting it, i.e. setting it if the option is available.

WDYT?

Best regards,

Rainer

Re: mod_ssl SSL_OP_IGNORE_UNEXPECTED_EOF: "unexpected eof while reading"
> On 30.08.2023 at 13:21, Rainer Jung <rainer.jung@kippdata.de> wrote:
>
> Hi there,
>
> OpenSSL 3 flags some abortive shutdowns as an error different to what 1.1.1 did. This results in info log output in httpd:
>
> [Tue Aug 29 12:33:06.787210 2023] [ssl:info] [pid 1994673:tid 1994737] SSL Library Error: error:0A000126:SSL routines::unexpected eof while reading
> [Tue Aug 29 12:33:06.787374 2023] [ssl:info] [pid 1994673:tid 1994737] [client 1.2.3.4:54790] AH01998: Connection closed to child 215 with abortive shutdown (server myserver:443)
>
> Some background is given in
>
> https://github.com/openssl/openssl/issues/18866
>
> They introduced a new context option "SSL_OP_IGNORE_UNEXPECTED_EOF" to suppress this. Some other software now sets it with SSL_CTX_set_options():
>
> - nginx
>
> https://github.com/nginx/nginx/commit/5155845ce4453a07d60e2ce43946c9181bc311fa
>
> - PHP
>
> https://github.com/php/php-src/pull/8558/commits/55be0f489e390d28892a07c32d45a404c62fc9f2
>
> I suggest adopting it, i.e. setting it if the option is available.
>
> WDYT?

+1 to setting this for our users' sake. I withhold my opinion about this stupid OpenSSL change...oops.

>
> Best regards,
>
> Rainer

Re: mod_ssl SSL_OP_IGNORE_UNEXPECTED_EOF: "unexpected eof while reading"
On 30.08.23 at 13:50, Stefan Eissing via dev wrote:
>
>
>> On 30.08.2023 at 13:21, Rainer Jung <rainer.jung@kippdata.de> wrote:
>>
>> Hi there,
>>
>> OpenSSL 3 flags some abortive shutdowns as an error different to what 1.1.1 did. This results in info log output in httpd:
>>
>> [Tue Aug 29 12:33:06.787210 2023] [ssl:info] [pid 1994673:tid 1994737] SSL Library Error: error:0A000126:SSL routines::unexpected eof while reading
>> [Tue Aug 29 12:33:06.787374 2023] [ssl:info] [pid 1994673:tid 1994737] [client 1.2.3.4:54790] AH01998: Connection closed to child 215 with abortive shutdown (server myserver:443)
>>
>> Some background is given in
>>
>> https://github.com/openssl/openssl/issues/18866
>>
>> They introduced a new context option "SSL_OP_IGNORE_UNEXPECTED_EOF" to suppress this. Some other software now sets it with SSL_CTX_set_options():
>>
>> - nginx
>>
>> https://github.com/nginx/nginx/commit/5155845ce4453a07d60e2ce43946c9181bc311fa
>>
>> - PHP
>>
>> https://github.com/php/php-src/pull/8558/commits/55be0f489e390d28892a07c32d45a404c62fc9f2
>>
>> I suggest adopting it, i.e. setting it if the option is available.
>>
>> WDYT?
>
> +1 to setting this for our users' sake. I withhold my opinion about this stupid OpenSSL change...oops.

Thanks for your feedback. I committed it to trunk in r1912015 and can
revert if someone thinks it's premature. Will propose for backport
probably tomorrow.

Best regards,

Rainer

Re: mod_ssl SSL_OP_IGNORE_UNEXPECTED_EOF: "unexpected eof while reading"
On Wed, Aug 30, 2023 at 01:21:11PM +0200, Rainer Jung wrote:
> Hi there,
>
> OpenSSL 3 flags some abortive shutdowns as an error different to what 1.1.1
> did. This results in info log output in httpd:
>
> [Tue Aug 29 12:33:06.787210 2023] [ssl:info] [pid 1994673:tid 1994737] SSL
> Library Error: error:0A000126:SSL routines::unexpected eof while reading
> [Tue Aug 29 12:33:06.787374 2023] [ssl:info] [pid 1994673:tid 1994737]
> [client 1.2.3.4:54790] AH01998: Connection closed to child 215 with abortive
> shutdown (server myserver:443)
>
> Some background is given in
>
> https://github.com/openssl/openssl/issues/18866
>
> They introduced a new context option "SSL_OP_IGNORE_UNEXPECTED_EOF" to
> suppress this. Some other software now sets it with SSL_CTX_set_options():

Interesting! Just wondering, is there a reason why we'd only want to
enable this for server-side operation (mctx->pkp == NULL) not also for
client-side/proxy operation? Seems like it might be better to enable it
unconditionally.

Regards, Joe

Re: mod_ssl SSL_OP_IGNORE_UNEXPECTED_EOF: "unexpected eof while reading"
On 07.09.23 at 14:58, Joe Orton wrote:
> On Wed, Aug 30, 2023 at 01:21:11PM +0200, Rainer Jung wrote:
>> Hi there,
>>
>> OpenSSL 3 flags some abortive shutdowns as an error different to what 1.1.1
>> did. This results in info log output in httpd:
>>
>> [Tue Aug 29 12:33:06.787210 2023] [ssl:info] [pid 1994673:tid 1994737] SSL
>> Library Error: error:0A000126:SSL routines::unexpected eof while reading
>> [Tue Aug 29 12:33:06.787374 2023] [ssl:info] [pid 1994673:tid 1994737]
>> [client 1.2.3.4:54790] AH01998: Connection closed to child 215 with abortive
>> shutdown (server myserver:443)
>>
>> Some background is given in
>>
>> https://github.com/openssl/openssl/issues/18866
>>
>> They introduced a new context option "SSL_OP_IGNORE_UNEXPECTED_EOF" to
>> suppress this. Some other software now sets it with SSL_CTX_set_options():
>
> Interesting! Just wondering, is there a reason why we'd only want to
> enable this for server-side operation (mctx->pkp == NULL) not also for
> client-side/proxy operation? Seems like it might be better to enable it
> unconditionally.
>
> Regards, Joe

Hi Joe,

I just wanted to be a bit cautious. I had observed it on the server side
and have no real knowledge about the client side. But I am OK to enable
this "compatibility" flag in both cases.

I'll wait a bit for more feedback and then adjust trunk and the backport
proposal.

Thanks for the feedback,

Rainer

Re: mod_ssl SSL_OP_IGNORE_UNEXPECTED_EOF: "unexpected eof while reading"
On Wed, Aug 30, 2023 at 1:22 PM Rainer Jung <rainer.jung@kippdata.de> wrote:
>
> OpenSSL 3 flags some abortive shutdowns as an error different to what
> 1.1.1 did. This results in info log output in httpd:
>
> [Tue Aug 29 12:33:06.787210 2023] [ssl:info] [pid 1994673:tid 1994737]
> SSL Library Error: error:0A000126:SSL routines::unexpected eof while reading
> [Tue Aug 29 12:33:06.787374 2023] [ssl:info] [pid 1994673:tid 1994737]
> [client 1.2.3.4:54790] AH01998: Connection closed to child 215 with
> abortive shutdown (server myserver:443)

The info looks legit to me (someone closed the connection with no
close_notify), possibly we want to log it at APLOG_DEBUG/TRACEx still
if it happens too often?
We don't do that though for SSL_ERROR_ZERO_RETURN in openssl < 3, but
maybe we should too like in the attached patch (instead of r1912015)?

Regards;
Yann.

Re: mod_ssl SSL_OP_IGNORE_UNEXPECTED_EOF: "unexpected eof while reading"
On Thu, Sep 7, 2023 at 6:09 PM Yann Ylavic <ylavic.dev@gmail.com> wrote:
>
> On Wed, Aug 30, 2023 at 1:22 PM Rainer Jung <rainer.jung@kippdata.de> wrote:
> >
> > OpenSSL 3 flags some abortive shutdowns as an error different to what
> > 1.1.1 did. This results in info log output in httpd:
> >
> > [Tue Aug 29 12:33:06.787210 2023] [ssl:info] [pid 1994673:tid 1994737]
> > SSL Library Error: error:0A000126:SSL routines::unexpected eof while reading
> > [Tue Aug 29 12:33:06.787374 2023] [ssl:info] [pid 1994673:tid 1994737]
> > [client 1.2.3.4:54790] AH01998: Connection closed to child 215 with
> > abortive shutdown (server myserver:443)
>
> The info looks legit to me (someone closed the connection with no
> close_notify), possibly we want to log it at APLOG_DEBUG/TRACEx still
> if it happens too often?
> We don't do that though for SSL_ERROR_ZERO_RETURN in openssl < 3, but
> maybe we should too like in the attached patch (instead of r1912015)?

Scratch that patch, SSL_ERROR_ZERO_RETURN is actually when
close_notify was received, we'd rather need to test SSL_ERROR_SYSCALL
&& errno == 0 with openssl < 3, which is more tricky in httpd with the
EOS bucket vs APR_EOF.
Hm, not sure we want to complicate this more..

>
> Regards;
> Yann.

Re: mod_ssl SSL_OP_IGNORE_UNEXPECTED_EOF: "unexpected eof while reading"
> On 07.09.2023 at 18:46, Yann Ylavic <ylavic.dev@gmail.com> wrote:
>
> On Thu, Sep 7, 2023 at 6:09 PM Yann Ylavic <ylavic.dev@gmail.com> wrote:
>>
>> On Wed, Aug 30, 2023 at 1:22 PM Rainer Jung <rainer.jung@kippdata.de> wrote:
>>>
>>> OpenSSL 3 flags some abortive shutdowns as an error different to what
>>> 1.1.1 did. This results in info log output in httpd:
>>>
>>> [Tue Aug 29 12:33:06.787210 2023] [ssl:info] [pid 1994673:tid 1994737]
>>> SSL Library Error: error:0A000126:SSL routines::unexpected eof while reading
>>> [Tue Aug 29 12:33:06.787374 2023] [ssl:info] [pid 1994673:tid 1994737]
>>> [client 1.2.3.4:54790] AH01998: Connection closed to child 215 with
>>> abortive shutdown (server myserver:443)
>>
>> The info looks legit to me (someone closed the connection with no
>> close_notify), possibly we want to log it at APLOG_DEBUG/TRACEx still
>> if it happens too often?
>> We don't do that though for SSL_ERROR_ZERO_RETURN in openssl < 3, but
>> maybe we should too like in the attached patch (instead of r1912015)?
>
> Scratch that patch, SSL_ERROR_ZERO_RETURN is actually when
> close_notify was received, we'd rather need to test SSL_ERROR_SYSCALL
> && errno == 0 with openssl < 3, which is more tricky in httpd with the
> EOS bucket vs APR_EOF.
> Hm, not sure we want to complicate this more..

I never understood the use for this in HTTP/1.1 or newer. Requests and responses have their own termination and do not need anything for that from TLS.

And if a server sends a complete response, there is no guarantee that the client received it in full. Think intermediaries.

Am I missing something?

Cheers,
Stefan

>>
>> Regards;
>> Yann.

Re: mod_ssl SSL_OP_IGNORE_UNEXPECTED_EOF: "unexpected eof while reading"
On Thu, Sep 07, 2023 at 06:46:01PM +0200, Yann Ylavic wrote:
> On Thu, Sep 7, 2023 at 6:09 PM Yann Ylavic <ylavic.dev@gmail.com> wrote:
> >
> > On Wed, Aug 30, 2023 at 1:22 PM Rainer Jung <rainer.jung@kippdata.de> wrote:
> > >
> > > OpenSSL 3 flags some abortive shutdowns as an error different to what
> > > 1.1.1 did. This results in info log output in httpd:
> > >
> > > [Tue Aug 29 12:33:06.787210 2023] [ssl:info] [pid 1994673:tid 1994737]
> > > SSL Library Error: error:0A000126:SSL routines::unexpected eof while reading
> > > [Tue Aug 29 12:33:06.787374 2023] [ssl:info] [pid 1994673:tid 1994737]
> > > [client 1.2.3.4:54790] AH01998: Connection closed to child 215 with
> > > abortive shutdown (server myserver:443)
> >
> > The info looks legit to me (someone closed the connection with no
> > close_notify), possibly we want to log it at APLOG_DEBUG/TRACEx still
> > if it happens too often?
> > We don't do that though for SSL_ERROR_ZERO_RETURN in openssl < 3, but
> > maybe we should too like in the attached patch (instead of r1912015)?
>
> Scratch that patch, SSL_ERROR_ZERO_RETURN is actually when
> close_notify was received, we'd rather need to test SSL_ERROR_SYSCALL
> && errno == 0 with openssl < 3, which is more tricky in httpd with the
> EOS bucket vs APR_EOF.
> Hm, not sure we want to complicate this more..

Yeah, I wondered about that too. Maybe we need some kind of "strict
mode" in mod_ssl which does better/correct close_notify handling?

Regards, Joe
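The points raised across this thread (Rainer's "set SSL_OP_IGNORE_UNEXPECTED_EOF if the build has it", Joe's question about doing so for server and proxy-client contexts alike, Yann's corrected description of how a missing close_notify surfaces from SSL_get_error() on OpenSSL 1.1.1 versus 3.x, Stefan's remark that HTTP/1.1+ frames its own messages, and Joe's idea of a "strict mode") can be pulled together in one small piece of C. The code below is an added example, not httpd or mod_ssl code and not the r1912015 change; every function name in it is my own. It assumes OpenSSL's documented SSL_get_error() semantics: SSL_ERROR_ZERO_RETURN for a received close_notify, SSL_ERROR_SYSCALL with ret == 0 and errno == 0 for a ragged EOF on 1.1.1, and SSL_ERROR_SSL with reason SSL_R_UNEXPECTED_EOF_WHILE_READING on 3.x (reason 0x126 = 294, the value visible in the logged error:0A000126). It goes slightly beyond the thread by covering both OpenSSL generations in one classifier, and the logging policy is my reading of Stefan's and Joe's remarks, not a decision the thread reached. It compiles with or without the OpenSSL headers: when they are absent, the few constants it needs are defined inline with the values OpenSSL documents. The sample log line is a constructed copy of the one quoted in the thread.

```c
/* Added example (not httpd/mod_ssl code): classify a TLS close as clean or
 * abortive across OpenSSL 1.1.1 and 3.x, pick the SSL_OP_IGNORE_UNEXPECTED_EOF
 * bit only when the build has it, and decide how loudly to log the close. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#if defined(__has_include)
# if __has_include(<openssl/ssl.h>)
#  define HAVE_OPENSSL_HEADERS 1
# endif
#endif

#ifdef HAVE_OPENSSL_HEADERS
# include <openssl/ssl.h>
# include <openssl/err.h>
#else
/* Fallback mirroring OpenSSL's headers: SSL_get_error() return values and the
 * OpenSSL 3 error-code packing (reason code = low 23 bits). Assumed values. */
# define SSL_ERROR_SSL          1
# define SSL_ERROR_WANT_READ    2
# define SSL_ERROR_SYSCALL      5
# define SSL_ERROR_ZERO_RETURN  6
# define ERR_GET_REASON(code)   ((int)((code) & 0x7FFFFFUL))
#endif

#ifndef SSL_R_UNEXPECTED_EOF_WHILE_READING
/* Not defined before OpenSSL 3; 0x126 = 294 is the reason in error:0A000126. */
# define SSL_R_UNEXPECTED_EOF_WHILE_READING 294
#endif

typedef enum {
    TLS_CLOSE_CLEAN,     /* peer sent close_notify: orderly shutdown */
    TLS_CLOSE_ABORTIVE,  /* TCP EOF without close_notify: data may have been cut */
    TLS_CLOSE_OTHER      /* not a close: retry (WANT_*), I/O error, protocol error */
} tls_close_kind;

/* Bits to OR into SSL_CTX_set_options() for server and proxy-client contexts
 * alike; 0 when this OpenSSL predates the flag ("set it if available"). */
static unsigned long long ignore_unexpected_eof_option(void)
{
#ifdef SSL_OP_IGNORE_UNEXPECTED_EOF
    return (unsigned long long)SSL_OP_IGNORE_UNEXPECTED_EOF;
#else
    return 0ULL;
#endif
}

/* ssl_err = SSL_get_error(ssl, ret); ret = SSL_read() result; saved_errno =
 * errno captured right after SSL_read(); top_err = ERR_peek_error() or 0. */
static tls_close_kind classify_ssl_read_result(int ssl_err, int ret,
                                               int saved_errno, unsigned long top_err)
{
    if (ssl_err == SSL_ERROR_ZERO_RETURN)
        return TLS_CLOSE_CLEAN;      /* close_notify; also what 3.x reports for an
                                        abortive close once the flag is set */
    if (ssl_err == SSL_ERROR_SYSCALL && ret == 0 && saved_errno == 0)
        return TLS_CLOSE_ABORTIVE;   /* OpenSSL 1.1.1: ragged EOF, empty error queue */
    if (ssl_err == SSL_ERROR_SSL &&
        ERR_GET_REASON(top_err) == SSL_R_UNEXPECTED_EOF_WHILE_READING)
        return TLS_CLOSE_ABORTIVE;   /* OpenSSL 3 without the flag */
    return TLS_CLOSE_OTHER;
}

/* 1 if the close deserves an info-level line, 0 if debug is enough. HTTP/1.1+
 * frames its own messages, so an abortive close after a complete message adds
 * nothing; a strict mode reports every missing close_notify regardless. */
static int close_should_be_reported(tls_close_kind kind, int http_message_complete,
                                    int strict_close_notify)
{
    switch (kind) {
    case TLS_CLOSE_CLEAN:    return 0;
    case TLS_CLOSE_ABORTIVE: return strict_close_notify || !http_message_complete;
    default:                 return 1;   /* genuine errors always get a line */
    }
}

/* Constructed sample: the httpd log line quoted in the thread. */
static const char SAMPLE_LOG_LINE[] =
    "[Tue Aug 29 12:33:06.787210 2023] [ssl:info] [pid 1994673:tid 1994737] "
    "SSL Library Error: error:0A000126:SSL routines::unexpected eof while reading";

/* Hex OpenSSL error code from an httpd "SSL Library Error" line, 0 if absent. */
static unsigned long ssl_library_errcode(const char *line)
{
    const char *p = strstr(line, "error:");
    char *end;
    unsigned long code;
    if (p == NULL)
        return 0;
    code = strtoul(p + 6, &end, 16);
    return (end != p + 6 && *end == ':') ? code : 0;
}

static int is_unexpected_eof_errcode(unsigned long code)
{
    return code != 0 && ERR_GET_REASON(code) == SSL_R_UNEXPECTED_EOF_WHILE_READING;
}

int main(void)
{
    unsigned long code = ssl_library_errcode(SAMPLE_LOG_LINE);
    tls_close_kind kind = classify_ssl_read_result(SSL_ERROR_SSL, -1, 0, code);
    printf("logged code 0x%08lX: reason %d, unexpected EOF: %s\n", code,
           ERR_GET_REASON(code), is_unexpected_eof_errcode(code) ? "yes" : "no");
    printf("classified as %s; report after a complete HTTP message: %s\n",
           kind == TLS_CLOSE_ABORTIVE ? "abortive close" : "other",
           close_should_be_reported(kind, 1, 0) ? "yes" : "no");
    printf("bits to OR into SSL_CTX_set_options(): 0x%llx\n",
           ignore_unexpected_eof_option());
    return 0;
}
```

In a real server the caller would do `SSL_CTX_set_options(ctx, ignore_unexpected_eof_option())` on both the server and the proxy-client context, and feed `classify_ssl_read_result()` with `errno` captured immediately after `SSL_read()` and `ERR_peek_error()` before anything else touches the error queue. The classifier is what lets a site count abortive closes at debug level while still surfacing the ones that cut a response short, which is the signal worth keeping from a detection standpoint.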