Backport: SSL: use of the SSL_OP_IGNORE_UNEXPECTED_EOF option.

Bug #1981457 reported by Daniel

This bug affects 4 people

| Affects | Status | Importance | Assigned to | Milestone |
| --- | --- | --- | --- | --- |
| nginx (Ubuntu) | Status tracked in Kinetic | | | |
| Jammy | Triaged | Undecided | Bryce Harrington | |
| Kinetic | Triaged | Undecided | Bryce Harrington | |

Bug Description

Ubuntu Jammy (22.04) is using OpenSSL 3.0 which changed the behaviour when closing encrypted connections. Hence, nginx upstream patched its versions >= 1.21.2 with a flag to remain compatible with clients still closing connections improperly. Details can be found in https://github.com/nginx/nginx/commit/5155845ce4453a07d60e2ce43946c9181bc311fa

Can this patch please be backported to nginx on Jammy as well?

```
'lsb_release -rd':
Description: Ubuntu 22.04 LTS
Release: 22.04

'apt-cache policy nginx':
nginx:
  Installed: 1.18.0-6ubuntu14.1
  Candidate: 1.18.0-6ubuntu14.1
...
```

Tags: server-todo
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in nginx (Ubuntu):
status: New → Confirmed
Athos Ribeiro (athos-ribeiro) wrote :

Thanks for reporting this bug, Daniel.

We will also need to address this one for kinetic.

A similar issue was reported for php, which we are addressing in LP: #1975626

I added this to the server team backlog so someone can start working on it soon. In the meantime, would you be able to provide a simple reproducer for the bug?

Changed in nginx (Ubuntu):
status: Confirmed → Triaged
tags: added: server-todo
Bryce Harrington (bryce)
no longer affects: nginx
Daniel (shieldwed) wrote :

I think this can be reproduced with the following command (replace $URL with an HTTPS protected URL to the nginx in question):

```
timeout -s KILL 0.2s curl -v -K <(echo verbose;for i in {1..20}; do echo url = "$URL"; echo -o /dev/null; done)
```

At least I didn't get any "unexpected eof while reading" errors reported in the error log of nginx for an older version (1.14.0-0ubuntu1.9) on Ubuntu Bionic.

Bryce Harrington (bryce)
Changed in nginx (Ubuntu Jammy):
assignee: nobody → Bryce Harrington (bryce)
Bryce Harrington (bryce)
Changed in nginx (Ubuntu Kinetic):
assignee: nobody → Bryce Harrington (bryce)
Changed in nginx (Ubuntu Jammy):
status: New → Triaged
Bryce Harrington (bryce) wrote :

Hi Daniel,

Thanks for the reproducer.

I've packaged the patch and posted it to this PPA for testing:

    https://launchpad.net/~bryce/+archive/ubuntu/nginx-fix-lp1981457

I'd appreciate it if you could verify it does indeed fix the issue.

Also, if you're doing anything unusual with your https setup, it would also be super helpful if you could share your config snippets or outline the process you're using to set things up.
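One way to check an nginx error log for the "unexpected eof while reading" message mentioned in this thread, before and after installing a patched package. This is an added example, not part of the original thread: the sample log lines are constructed and the function names are hypothetical.

```python
import re
from collections import Counter

# nginx error-log prefix: "YYYY/MM/DD HH:MM:SS [level] pid#tid: [*conn ]message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] "
    r"\d+#\d+: (?:\*\d+ )?(?P<msg>.*)$"
)
ROUTINE_RE = re.compile(r"\b(SSL_\w+)\(\) failed")  # e.g. "SSL_read() failed"
NEEDLE = "unexpected eof while reading"

# Constructed sample lines (not taken from the bug report).
SAMPLE_LOG = """\
2022/07/12 09:14:02 [crit] 811#811: *41 SSL_read() failed (SSL: error:0A000126:SSL routines::unexpected eof while reading) while keepalive, client: 192.0.2.10, server: 0.0.0.0:443
2022/07/12 09:14:02 [crit] 811#811: *42 SSL_do_handshake() failed (SSL: error:0A000126:SSL routines::unexpected eof while reading) while SSL handshaking, client: 192.0.2.10, server: 0.0.0.0:443
2022/07/12 09:14:03 [error] 811#811: *43 open() "/var/www/html/favicon.ico" failed (2: No such file or directory), client: 192.0.2.11, server: _, request: "GET /favicon.ico HTTP/1.1", host: "example.test"
2022/07/12 09:14:05 [crit] 811#811: *44 SSL_read() failed (SSL: error:0A000126:SSL routines::unexpected eof while reading) while keepalive, client: 192.0.2.10, server: 0.0.0.0:443
2022/07/20 16:30:11 [notice] 1502#1502: signal process started
""".splitlines()


def eof_hits(lines):
    """Yield (timestamp, level, routine) for each line carrying NEEDLE."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and NEEDLE in m["msg"]:
            r = ROUTINE_RE.search(m["msg"])
            yield m["ts"], m["level"], r.group(1) if r else "unknown"


def tally(lines):
    """Count hits per (level, SSL routine)."""
    return Counter((level, routine) for _, level, routine in eof_hits(lines))


def hits_since(lines, since):
    """Count hits at or after `since` ("YYYY/MM/DD HH:MM:SS"), e.g. the time
    the patched package was installed; the format sorts lexicographically."""
    return sum(1 for ts, _, _ in eof_hits(lines) if ts >= since)


if __name__ == "__main__":
    for (level, routine), n in sorted(tally(SAMPLE_LOG).items()):
        print(f"{n:4d}  [{level}] {routine}()")
    print("hits since upgrade:", hits_since(SAMPLE_LOG, "2022/07/20 00:00:00"))
```

On a real host, pass the lines of the nginx error log (on Ubuntu packages, `/var/log/nginx/error.log`) instead of `SAMPLE_LOG`, rerun the reproducer after upgrading, and expect `hits_since` to stay at zero.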

Bryce Harrington (bryce)
Changed in nginx (Ubuntu Jammy):
status: Triaged → Fix Committed
status: Fix Committed → Triaged