On 3/27/20 7:24 PM, Steffen wrote:
>
> A discussion started on Apachelounge about a possible issue with OpenSSL
> 1.1.1e
> ( https://www.apachelounge.com/viewtopic.php?p=38941#38941 )
>
> This is the introduced new EOF in 1.1.1e :
> https://github.com/openssl/openssl/commit/db943f43a60d1b5b1277e4b5317e8f288e7a0a3a
>
>
> Discussion on OpenSSL is at https://github.com/openssl/openssl/issues/11378
>
> I don't understand what is going on, but Daniel Stenberg (Curl) states : The
> "poorly-implemented HTTP/1.1 servers" are still out
> there and are being used. How common? Impossible to say.
>
>
> OpenSSL has a Patch with description :
> ... possible application breakage caused by a change in behavior introduced
> in 1.1.1e. It affects at least nginx, which logs
> error messages such as:
> nginx[16652]: [crit] 16675#0: *358 SSL_read() failed (SSL: error:
> 4095126:SSL routines:ssl3_read_n:unexpected eof while reading) while
> keepalive, client: xxxx, server: [::]:443
>
> So looks that nginx is affected.
>
> My question is :
> *Is Apache affected?* Looks not, because till now: Apachelounge has more
> than a week 2.4.41 available with 1.1.1e, which is
> downloaded over 50.000 times and no issues reported like this.

From a quick look at the code I would say that we are not affected. Unless
ssl-unclean-shutdown
(http://httpd.apache.org/docs/2.4/ssl/ssl_faq.html) is set and we did not
detect a closed socket we sent a close_notify alert via
modssl_smart_shutdown.

Regards
Rüdiger
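
One way to check an httpd configuration tree for the ssl-unclean-shutdown variable mentioned in the reply above, including SetEnvIf-style `!` negation and backslash line continuation. This is an added example, not part of the original messages or of httpd; the function names, the `*.conf` glob and the sample configuration are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

VAR = "ssl-unclean-shutdown"
# Optional leading "!" means the directive removes the variable instead of setting it.
TOKEN = re.compile(r"(?<![\w-])(!?)" + re.escape(VAR) + r"(?![\w-])")

# Constructed sample configuration (not taken from any real server).
SAMPLE = r'''# BrowserMatch "MSIE" ssl-unclean-shutdown
SetEnvIf User-Agent "MSIE [2-5]" \
    nokeepalive ssl-unclean-shutdown
SetEnvIf Remote_Addr "^192\.0\.2\." !ssl-unclean-shutdown
'''

def logical_lines(text):
    """Yield (first_line_no, joined_line), joining trailing-backslash continuations."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        if not buf:
            start = no
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        yield start, buf + raw
        buf = ""
    if buf:
        yield start, buf

def find_unclean_shutdown(conf_root):
    """Return (file, line, directive, action) for each active mention of VAR."""
    hits = []
    for path in sorted(Path(conf_root).rglob("*.conf")):
        for no, line in logical_lines(path.read_text(errors="replace")):
            stripped = line.strip()
            if not stripped or stripped.startswith("#"):
                continue  # blank line or comment: nothing is set here
            m = TOKEN.search(stripped)
            if m:
                action = "unset" if m.group(1) else "set"
                hits.append((path.name, no, stripped.split()[0], action))
    return hits

def demo():
    """Write the constructed sample to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "ssl.conf").write_text(SAMPLE)
        return find_unclean_shutdown(d)

if __name__ == "__main__":
    print(demo())
```

Point `find_unclean_shutdown()` at the server's configuration directory; a `set` hit marks a directive under which the close_notify described above may be skipped for matching requests.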