If you want to beat up your server in unusual ways, a good way to do this is to run it against https://www.ssllabs.com/ssltest/ from Qualsys with debug logging level throughout. I think you'll find we already sanitize all error results.
On Fri, Mar 27, 2020 at 1:24 PM Steffen <i...@apachelounge.com> wrote: > > A discussion started on Apachelounge about an possible issue with OpenSSL > 1.1.1e ( https://www.apachelounge.com/viewtopic.php?p=38941#38941 ) > > This is the introduced new EOF in 1.1.1e : > https://github.com/openssl/openssl/commit/db943f43a60d1b5b1277e4b5317e8f288e7a0a3a > > > Discussion on OpenSSL is at > https://github.com/openssl/openssl/issues/11378 > > I dot understand what is going on, but Daniel Stenberg (Curl) states > : The "poorly-implemented HTTP/1.1 servers" are still out there and are > being used. How common? Impossible to say. > > > OpenSSL has a Patch with description : > ... possible application breakage caused by a change in behavior > introduced in 1.1.1e. It affects at least nginx, which logs error messages > such as: > nginx[16652]: [crit] 16675#0: *358 SSL_read() failed (SSL: error: > 4095126:SSL routines:ssl3_read_n:unexpected eof while reading) while > keepalive, client: xxxx, server: [::]:443 > > So looks that nginx is effected. > > My question is : > *Is Apache effected ? * Looks not, because till now: Apachelounge has > more then a week 2.4.41 available with 1.1.1e, which is downloaded over > 50.000 times and no issues reported like this. > > Steffen >