[Bug 2055304] Re: openssl 3.0.2 backport IgnoreUnexpectedEOF ssl config option from 3.2
Adrien Nader
2055304 at bugs.launchpad.net
Wed Feb 28 16:03:57 UTC 2024
Thanks for the report. I am reluctant to backport this as I'm not sure
it makes a lot of sense system-wide. Curl upstream didn't seem happy
with enabling this work-around even in 2021. It seems the reason to
integrate this would be to be able to ignore this despite curl not
ignoring it nor offering a way to ignore it.
I also don't like that it's the kind of configuration that will linger
on systems for years, if not decades. For the distribution, this also
means that once the patch is in, it needs to be supported for 15 years.
On the other hand, it will get in after 24.04/Noble is released since
upstream merged it...
Still, I can't make a compelling case in favor of this patch. This is
especially troublesome since a change to released versions needs exactly
that.
Which servers are you experiencing this issue with?
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/2055304
Title:
openssl 3.0.2 backport IgnoreUnexpectedEOF ssl config option from 3.2
Status in openssl package in Ubuntu:
New
Bug description:
I get "Closing connection 0 curl: (35) error:0A000126:SSL
routines::unexpected eof while reading" accessing some web servers.
AFAIS "SSL_OP_IGNORE_UNEXPECTED_EOF" can help here. With 3.2[0] it can
be configured in openssl.cnf, whereas with 3.0[1] it cannot. Would you mind
backporting the mini patch[2] so it can be configured with 3.0, too?
Example:

  $ tail -n 3 /etc/ssl/openssl.cnf
  [system_default_sect]
  CipherString = DEFAULT:@SECLEVEL=2
  Options = IgnoreUnexpectedEOF

[0] https://www.openssl.org/docs/man3.2/man3/SSL_CONF_cmd.html
[1] https://www.openssl.org/docs/man3.0/man3/SSL_CONF_cmd.html
[2] https://github.com/openssl/openssl/commit/51cf034433d528876f3c235c5150c5acfe88f24d
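
Added example (not part of the bug report, and not OpenSSL or Ubuntu code): a small audit that reports which openssl.cnf sections enable IgnoreUnexpectedEOF, for finding the setting on systems where it has lingered. The sample text is constructed, "hypothetical_app_sect" and the function names are made up for illustration, and case-insensitive matching of keys and flag names is an assumption chosen to keep the audit lenient.

```python
import re

# Constructed sample; the system_default_sect lines mirror the bug report's example.
SAMPLE_CNF = """\
[ssl_sect]
system_default = system_default_sect

[system_default_sect]
CipherString = DEFAULT:@SECLEVEL=2
Options = IgnoreUnexpectedEOF

[hypothetical_app_sect]
Options = ServerPreference,-IgnoreUnexpectedEOF
"""

def parse_sections(text):
    """Map section name -> ordered (key, value) pairs; .include and $variables are not handled."""
    sections, current = {}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment
        if not line:
            continue
        header = re.fullmatch(r"\[\s*(.+?)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections.setdefault(current, []).append((key.lower(), value))
    return sections

def sections_ignoring_eof(text):
    """Return the sections whose Options lines leave IgnoreUnexpectedEOF enabled."""
    hits = []
    for name, pairs in parse_sections(text).items():
        enabled = False
        for key, value in pairs:
            if key != "options":
                continue
            for flag in (f.strip() for f in value.split(",")):
                if flag.lstrip("+-").lower() == "ignoreunexpectedeof":
                    enabled = not flag.startswith("-")   # a leading '-' disables the flag
        if enabled:
            hits.append(name)
    return hits

def audit_file(path="/etc/ssl/openssl.cnf"):
    """Run the same check against a file on disk."""
    with open(path, encoding="utf-8", errors="replace") as handle:
        return sections_ignoring_eof(handle.read())

if __name__ == "__main__":
    print(sections_ignoring_eof(SAMPLE_CNF))
```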