OpenSSL 3.0 enabled alerts for unexpected EOF by default. It supposed to alert the application whenever the connection terminated without a proper close_notify. And that should allow applications to take actions to protect themselves from potential TLS truncation attack. This is how it looks like in the log:
|stream_ssl|WARN|SSL_read: error:0A000126:SSL routines::unexpected eof while reading |jsonrpc|WARN|ssl:127.0.0.1:34288: receive error: Input/output error |reconnect|WARN|ssl:127.0.0.1:34288: connection dropped (Input/output error) The problem is that clients based on OVS libraries do not wait for the proper termination if it didn't happen right away. It means that chances to have alerts on the server side for every single disconnection are very high. None of the high level protocols supported by OVS daemons can carry state between re-connections, e.g., there are no session cookies or anything like that. So, the TLS truncation attack is no applicable. Disable the alert to avoid unnecessary warnings in the log. Signed-off-by: Ilya Maximets <i.maxim...@ovn.org> --- lib/stream-ssl.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c index 62da9febb..86747e58b 100644 --- a/lib/stream-ssl.c +++ b/lib/stream-ssl.c @@ -1075,7 +1075,13 @@ do_ssl_init(void) VLOG_ERR("SSL_CTX_new: %s", ERR_error_string(ERR_get_error(), NULL)); return ENOPROTOOPT; } - SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); + + long options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3; +#ifdef SSL_OP_IGNORE_UNEXPECTED_EOF + options |= SSL_OP_IGNORE_UNEXPECTED_EOF; +#endif + SSL_CTX_set_options(ctx, options); + #if OPENSSL_VERSION_NUMBER < 0x3000000fL SSL_CTX_set_tmp_dh_callback(ctx, tmp_dh_callback); #else -- 2.40.1 _______________________________________________ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev