** Description changed:

- [Impact]Ubuntu Jammy (22.04) is using OpenSSL 3.0 which changed the
- behavior when closing encrypted connections.  Certain clients close
- their connections improperly and thus trigger an error message in the
- server logs.  These messages bloat the error logs.[Test case]0) apt-get
- install nginx-full ssl-cert1) edit /etc/nginx/sites-enabled/default and
- uncomment both "listen" lines for 443, and the "include" line for
- snakeoil.conf2) restart nginx3) from a client machine, send many
- requests and abort some of them abruptly  #!/bin/bash
- URL="https://localhost";  while :; do      timeout -s KILL 0.2s curl -v
- -K <(echo verbose;for i in {1..2000}; do echo url = "$URL"; echo -o
- /dev/null; done)  done4) In another terminal, check the error logs for
- "unexpected eof while reading" and SSL_READ() errors  tail -f
- /var/log/nginx/error.logWith the fixed version, there should be no
- "unexpected eof while reading" error when a connection is aborted by the
- timeout command.  With the unfixed version, the error should present
- itself many times fairly quickly.[Fix]Ubuntu Kinetic ships a newer
- version of nginx that includes a fix for this problem.  This SRU
- backports that patch to Jammy.  Earlier versions of Ubuntu don't carry
- OpenSSL 3.0 so are not presenting the altered closure behavior.[Where
- problems may occur]The patch changes behavior at point of connection
- termination, so a regression most likely would involve some form of
- misbehavior associated with connection state change.  This also depends
- on spec'd OpenSSL definitions; if these happened to be incorrectly
- implemented in certain clients, those clients could exhibit odd
- behaviors, but such a non-compliant client would likely have problems
- with a lot of other web servers.[Original description]Ubuntu Jammy
- (22.04) is using OpenSSL 3.0 which changed the behaviour when closing
- encrypted connections. Hence, nginx upstream patched its versions >=
- 1.21.2 with a flag to remain compatible with clients still closing
- connections improperly. Details can be found in
- 
https://github.com/nginx/nginx/commit/5155845ce4453a07d60e2ce43946c9181bc311faCan
- this patch please be backported to nginx on Jammy as
- well?```'lsb_release -rd':Description:    Ubuntu 22.04 LTSRelease:
- 22.04'apt-cache policy nginx':nginx:  Installed:
- 1.18.0-6ubuntu14.1  Candidate: 1.18.0-6ubuntu14.1...```[Fix Replacement
- for this section][Fix Ubuntu Kinetic ships a newer version of nginx that
- includes a fix for this problem.  This SRU backports that patch to
- Jammy.  Earlier versions of Ubuntu don't carry OpenSSL 3.0 so are not
- presenting the altered closure behavior.]
+ [Impact]
+ 
+ Ubuntu Jammy (22.04) is using OpenSSL 3.0 which changed the behavior
+ when closing encrypted connections.  Certain clients close their
+ connections improperly and thus trigger an error message in the server
+ logs.  These messages bloat the error logs.
+ 
+ [Test case]
+ 
+ 0) apt-get install nginx-full ssl-cert
+ 
+ 1) edit /etc/nginx/sites-enabled/default and uncomment both "listen"
+ lines for 443, and the "include" line for snakeoil.conf
+ 
+ 2) restart nginx
+ 
+ 3) from a client machine, send many requests and abort some of them abruptly  
+   #!/bin/bash
+   URL="https://localhost";
+   while :; do
+       timeout -s KILL 0.2s curl -v -K <(echo verbose;for i in {1..2000}; do 
echo url = "$URL"; echo -o /dev/null; done)
+   done
+ 
+ 4) In another terminal, check the error logs for "unexpected eof while
+ reading" and SSL_READ() errors
+ 
+   tail -f /var/log/nginx/error.log
+ 
+ With the fixed version, there should be no "unexpected eof while
+ reading" error when a connection is aborted by the timeout command.
+ With the unfixed version, the error should present itself many times
+ fairly quickly.
+ 
+ [Fix]
+ 
+ Ubuntu Kinetic ships a newer version of nginx that includes a fix for
+ this problem.  This SRU backports that patch to Jammy.  Earlier versions
+ of Ubuntu don't carry OpenSSL 3.0 so are not presenting the altered
+ closure behavior.
+ 
+ [Where problems may occur]
+ 
+ The patch changes behavior at point of connection termination, so a
+ regression most likely would involve some form of misbehavior associated
+ with connection state change.  This also depends on spec'd OpenSSL
+ definitions; if these happened to be incorrectly implemented in certain
+ clients, those clients could exhibit odd behaviors, but such a non-
+ compliant client would likely have problems with a lot of other web
+ servers.
+ 
+ [Original description]
+ 
+ Ubuntu Jammy (22.04) is using OpenSSL 3.0 which changed the behaviour
+ when closing encrypted connections. Hence, nginx upstream patched its
+ versions >= 1.21.2 with a flag to remain compatible with clients still
+ closing connections improperly. Details can be found in
+ https://github.com/nginx/nginx/commit/5155845ce4453a07d60e2ce43946c9181bc311fa
+ 
+ Can this patch please be backported to nginx on Jammy as well?
+ 
+ ```
+ 'lsb_release -rd':
+ Description:    Ubuntu 22.04 LTS
+ Release:        22.04
+ 
+ 'apt-cache policy nginx':
+ nginx:
+   Installed: 1.18.0-6ubuntu14.1
+   Candidate: 1.18.0-6ubuntu14.1
+ ...
+ ```
+ 
+ [Fix Replacement for this section]
+ 
+ [Fix Ubuntu Kinetic ships a newer version of nginx that includes a fix
+ for this problem.  This SRU backports that patch to Jammy.  Earlier
+ versions of Ubuntu don't carry OpenSSL 3.0 so are not presenting the
+ altered closure behavior.]
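
Review bot: The new description still ends with a "[Fix Replacement for this section]" block whose bracketed text repeats the [Fix] section word for word; it reads like a leftover editing placeholder and should be dropped so the SRU template carries a single [Fix] entry. In test case step 3, the instruction says "from a client machine" while the script sets URL="https://localhost", so either the step should say the script runs on the server itself or the URL should stand in for the server's address. That step also depends on the snakeoil certificate enabled in step 1, which is self-signed, yet the curl config passed via -K contains only verbose, url and -o lines; stating how the client is expected to treat that certificate would make the reproduction unambiguous.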

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1981457

Title:
  Backport: SSL: use of the SSL_OP_IGNORE_UNEXPECTED_EOF option.
