Re: mod_ssl SSL_OP_IGNORE_UNEXPECTED_EOF: "unexpected eof while reading"
> Am 07.09.2023 um 18:46 schrieb Yann Ylavic : > > On Thu, Sep 7, 2023 at 6:09 PM Yann Ylavic wrote: >> >> On Wed, Aug 30, 2023 at 1:22 PM Rainer Jung wrote: >>> >>> OpenSSL 3 flags some abortive shutdowns as an error different to what >>> 1.1.1 did. This results in info log output in httpd: >>> >>> [Tue Aug 29 12:33:06.787210 2023] [ssl:info] [pid 1994673:tid 1994737] >>> SSL Library Error: error:0A000126:SSL routines::unexpected eof while reading >>> [Tue Aug 29 12:33:06.787374 2023] [ssl:info] [pid 1994673:tid 1994737] >>> [client 1.2.3.4:54790] AH01998: Connection closed to child 215 with >>> abortive shutdown (server myserver:443) >> >> The info looks legit to me (someone closed the connection with no >> close_notify), possibly we want to log it at APLOG_DEBUG/TRACEx still >> if it happens too often? >> We don't do that though for SSL_ERROR_ZERO_RETURN in openssl < 3, but >> maybe we should too like in the attached patch (instead of r1912015)? > > Scratch that patch, SSL_ERROR_ZERO_RETURN is actually when > close_notify was received, we'd rather need to test SSL_ERROR_SYSCALL > && errno == 0 with openssl < 0, which is more tricky in httpd with the > EOS bucket vs APR_EOF. > Hm, not sure we want to complicate this more.. I never understood the use for this in http/1.1 or newer. request and responses have their own termination and do not need anything for that from TLS. And if a server send a complete response, there is no guarantee that the client received it in full. Think intermediaries. Am I missing something? Cheers, Stefan >> >> Regards; >> Yann.
Re: mod_ssl SSL_OP_IGNORE_UNEXPECTED_EOF: "unexpected eof while reading"
On Thu, Sep 7, 2023 at 6:09 PM Yann Ylavic wrote: > > On Wed, Aug 30, 2023 at 1:22 PM Rainer Jung wrote: > > > > OpenSSL 3 flags some abortive shutdowns as an error different to what > > 1.1.1 did. This results in info log output in httpd: > > > > [Tue Aug 29 12:33:06.787210 2023] [ssl:info] [pid 1994673:tid 1994737] > > SSL Library Error: error:0A000126:SSL routines::unexpected eof while reading > > [Tue Aug 29 12:33:06.787374 2023] [ssl:info] [pid 1994673:tid 1994737] > > [client 1.2.3.4:54790] AH01998: Connection closed to child 215 with > > abortive shutdown (server myserver:443) > > The info looks legit to me (someone closed the connection with no > close_notify), possibly we want to log it at APLOG_DEBUG/TRACEx still > if it happens too often? > We don't do that though for SSL_ERROR_ZERO_RETURN in openssl < 3, but > maybe we should too like in the attached patch (instead of r1912015)? Scratch that patch, SSL_ERROR_ZERO_RETURN is actually when close_notify was received, we'd rather need to test SSL_ERROR_SYSCALL && errno == 0 with openssl < 0, which is more tricky in httpd with the EOS bucket vs APR_EOF. Hm, not sure we want to complicate this more.. > > Regards; > Yann.
Re: mod_ssl SSL_OP_IGNORE_UNEXPECTED_EOF: "unexpected eof while reading"
On Wed, Aug 30, 2023 at 1:22 PM Rainer Jung wrote:
>
> OpenSSL 3 flags some abortive shutdowns as an error different to what
> 1.1.1 did. This results in info log output in httpd:
>
> [Tue Aug 29 12:33:06.787210 2023] [ssl:info] [pid 1994673:tid 1994737]
> SSL Library Error: error:0A000126:SSL routines::unexpected eof while reading
> [Tue Aug 29 12:33:06.787374 2023] [ssl:info] [pid 1994673:tid 1994737]
> [client 1.2.3.4:54790] AH01998: Connection closed to child 215 with
> abortive shutdown (server myserver:443)
The info looks legit to me (someone closed the connection with no
close_notify), possibly we want to log it at APLOG_DEBUG/TRACEx still
if it happens too often?
We don't do that though for SSL_ERROR_ZERO_RETURN in openssl < 3, but
maybe we should too like in the attached patch (instead of r1912015)?
Regards;
Yann.
Index: modules/ssl/ssl_engine_io.c
===
--- modules/ssl/ssl_engine_io.c (revision 1911906)
+++ modules/ssl/ssl_engine_io.c (working copy)
@@ -721,6 +721,19 @@ static apr_status_t ssl_io_input_read(bio_filter_i
ssl_err = SSL_get_error(inctx->filter_ctx->pssl, rc);
c = (conn_rec*)SSL_get_app_data(inctx->filter_ctx->pssl);
+#ifdef SSL_R_UNEXPECTED_EOF_WHILE_READING
+if (ERR_GET_LIB(ERR_peek_error()) == ERR_LIB_SSL &&
+ERR_GET_REASON(ERR_peek_error()) == SSL_R_UNEXPECTED_EOF_WHILE_READING) {
+ssl_err = SSL_ERROR_ZERO_RETURN;
+}
+#endif
+if (ssl_err == SSL_ERROR_ZERO_RETURN) {
+ap_log_cerror(APLOG_MARK, APLOG_TRACE1, inctx->rc, c,
+ "SSL input filter at EOF with no close_notify.");
+inctx->rc = APR_EOF;
+break;
+}
+
if (ssl_err == SSL_ERROR_WANT_READ) {
/*
* If OpenSSL wants to read more, and we were nonblocking,
@@ -741,7 +754,8 @@ static apr_status_t ssl_io_input_read(bio_filter_i
}
continue; /* Blocking and nothing yet? Try again. */
}
-else if (ssl_err == SSL_ERROR_SYSCALL) {
+
+if (ssl_err == SSL_ERROR_SYSCALL) {
if (APR_STATUS_IS_EAGAIN(inctx->rc)
|| APR_STATUS_IS_EINTR(inctx->rc)) {
/* Already read something, return APR_SUCCESS instead. */
@@ -763,10 +777,6 @@ static apr_status_t ssl_io_input_read(bio_filter_i
"SSL input filter read failed.");
}
}
-else if (rc == 0 && ssl_err == SSL_ERROR_ZERO_RETURN) {
-inctx->rc = APR_EOF;
-break;
-}
else /* if (ssl_err == SSL_ERROR_SSL) */ {
/*
* Log SSL errors and any unexpected conditions.
@@ -1413,17 +1423,8 @@ static apr_status_t ssl_io_filter_handshake(ssl_fi
apr_status_t rc = inctx->rc ? inctx->rc : outctx->rc ;
ssl_err = SSL_get_error(filter_ctx->pssl, n);
-if (ssl_err == SSL_ERROR_ZERO_RETURN) {
+if (ssl_err == SSL_ERROR_WANT_READ) {
/*
- * The case where the connection was closed before any data
- * was transferred. That's not a real error and can occur
- * sporadically with some clients.
- */
-ap_log_cerror(APLOG_MARK, APLOG_INFO, rc, c, APLOGNO(02006)
- "SSL handshake stopped: connection was closed");
-}
-else if (ssl_err == SSL_ERROR_WANT_READ) {
-/*
* This is in addition to what was present earlier. It is
* borrowed from openssl_state_machine.c [mod_tls].
* TBD.
@@ -1431,8 +1432,9 @@ static apr_status_t ssl_io_filter_handshake(ssl_fi
outctx->rc = APR_EAGAIN;
return APR_EAGAIN;
}
-else if (ERR_GET_LIB(ERR_peek_error()) == ERR_LIB_SSL &&
- ERR_GET_REASON(ERR_peek_error()) == SSL_R_HTTP_REQUEST) {
+
+if (ERR_GET_LIB(ERR_peek_error()) == ERR_LIB_SSL &&
+ERR_GET_REASON(ERR_peek_error()) == SSL_R_HTTP_REQUEST) {
/*
* The case where OpenSSL has recognized a HTTP request:
* This means the client speaks plain HTTP on our HTTPS port.
@@ -1441,6 +1443,22 @@ static apr_status_t ssl_io_filter_handshake(ssl_fi
*/
return MODSSL_ERROR_HTTP_ON_HTTPS;
}
+
+#ifdef SSL_R_UNEXPECTED_EOF_WHILE_READING
+if (ERR_GET_LIB(ERR_peek_error()) == ERR_LIB_SSL &&
+ERR_GET_REASON(ERR_peek_error()) == SSL_R_UNEXPECTED_EOF_WHILE_READING) {
+ssl_err = SSL_ERROR_ZERO_RETURN;
+}
+#endif
+if (ssl_err == SSL_ERROR_ZERO_RETURN) {
+/*
+ * The case where the connection was closed before any data
+ * was transferred. That's not a real error and can
Re: mod_ssl SSL_OP_IGNORE_UNEXPECTED_EOF: "unexpected eof while reading"
Am 07.09.23 um 14:58 schrieb Joe Orton: On Wed, Aug 30, 2023 at 01:21:11PM +0200, Rainer Jung wrote: Hi there, OpenSSL 3 flags some abortive shutdowns as an error different to what 1.1.1 did. This results in info log output in httpd: [Tue Aug 29 12:33:06.787210 2023] [ssl:info] [pid 1994673:tid 1994737] SSL Library Error: error:0A000126:SSL routines::unexpected eof while reading [Tue Aug 29 12:33:06.787374 2023] [ssl:info] [pid 1994673:tid 1994737] [client 1.2.3.4:54790] AH01998: Connection closed to child 215 with abortive shutdown (server myserver:443) Some background is given in https://github.com/openssl/openssl/issues/18866 They introduced a new context option "SSL_OP_IGNORE_UNEXPECTED_EOF" to suppress this. Some other software now sets it with SSL_CTX_set_options(): Interesting! Just wondering, is there a reason why we'd only want to enable this for server-side operation (mctx->pkp == NULL) not also for client-side/proxy operation? Seems like it might be better to enable it unconditionally. Regards, Joe Hi Joe, I just wanted to be a bit cautious. I had observed it on the server side and have no real knowledge about the client side. But I am OK, to enable this "compatibility" flag in both cases. I'll wait abit for more feedback and then adjust trunk and the backport proposal. Thanks for the feedback, Rainer
Re: mod_ssl SSL_OP_IGNORE_UNEXPECTED_EOF: "unexpected eof while reading"
On Wed, Aug 30, 2023 at 01:21:11PM +0200, Rainer Jung wrote: > Hi there, > > OpenSSL 3 flags some abortive shutdowns as an error different to what 1.1.1 > did. This results in info log output in httpd: > > [Tue Aug 29 12:33:06.787210 2023] [ssl:info] [pid 1994673:tid 1994737] SSL > Library Error: error:0A000126:SSL routines::unexpected eof while reading > [Tue Aug 29 12:33:06.787374 2023] [ssl:info] [pid 1994673:tid 1994737] > [client 1.2.3.4:54790] AH01998: Connection closed to child 215 with abortive > shutdown (server myserver:443) > > Some background is given in > > https://github.com/openssl/openssl/issues/18866 > > They introduced a new context option "SSL_OP_IGNORE_UNEXPECTED_EOF" to > suppress this. Some other software now sets it with SSL_CTX_set_options(): Interesting! Just wondering, is there a reason why we'd only want to enable this for server-side operation (mctx->pkp == NULL) not also for client-side/proxy operation? Seems like it might be better to enable it unconditionally. Regards, Joe
Re: balancers bybusyness, bytraffic and byrequest thread/process safe issues
On 9/6/23 18:40, Yann Ylavic wrote: On Wed, Sep 6, 2023 at 6:29 PM Yann Ylavic wrote: As for the memory orders on success/failure, they have nothing to do with the likeliness of success/failure Well the memory orderings specified can certainly influence the likeliness of success/failure since a weaker ordering implies less synchronization thus probably more concurrency, what I meant is that they don't influence *correctness* of the returned values! OK thanks for your help. Regards; Yann. -- Cheers Jean-Frederic
