On Thu, Sep 07, 2023 at 06:46:01PM +0200, Yann Ylavic wrote: > On Thu, Sep 7, 2023 at 6:09 PM Yann Ylavic <ylavic....@gmail.com> wrote: > > > > On Wed, Aug 30, 2023 at 1:22 PM Rainer Jung <rainer.j...@kippdata.de> wrote: > > > > > > OpenSSL 3 flags some abortive shutdowns as an error different to what > > > 1.1.1 did. This results in info log output in httpd: > > > > > > [Tue Aug 29 12:33:06.787210 2023] [ssl:info] [pid 1994673:tid 1994737] > > > SSL Library Error: error:0A000126:SSL routines::unexpected eof while > > > reading > > > [Tue Aug 29 12:33:06.787374 2023] [ssl:info] [pid 1994673:tid 1994737] > > > [client 1.2.3.4:54790] AH01998: Connection closed to child 215 with > > > abortive shutdown (server myserver:443) > > > > The info looks legit to me (someone closed the connection with no > > close_notify), possibly we want to log it at APLOG_DEBUG/TRACEx still > > if it happens too often? > > We don't do that though for SSL_ERROR_ZERO_RETURN in openssl < 3, but > > maybe we should too like in the attached patch (instead of r1912015)? > > Scratch that patch, SSL_ERROR_ZERO_RETURN is actually when > close_notify was received, we'd rather need to test SSL_ERROR_SYSCALL > && errno == 0 with openssl < 0, which is more tricky in httpd with the > EOS bucket vs APR_EOF. > Hm, not sure we want to complicate this more..
Yeah, I wondered about that too. Maybe we need some kind of "strict mode" in mod_ssl which does better/correct close_notify handling? Regards, Joe
