On 27.03.2020 at 19:24, Steffen wrote:

A discussion started on Apachelounge about a possible issue with OpenSSL 1.1.1e (https://www.apachelounge.com/viewtopic.php?p=38941#38941)

This is the new EOF introduced in 1.1.1e: https://github.com/openssl/openssl/commit/db943f43a60d1b5b1277e4b5317e8f288e7a0a3a

Discussion on OpenSSL is at https://github.com/openssl/openssl/issues/11378

I don't understand what is going on, but Daniel Stenberg (Curl) states: The "poorly-implemented HTTP/1.1 servers" are still out there and are being used. How common? Impossible to say.

OpenSSL has a patch with the description:
... possible application breakage caused by a change in behavior introduced in 1.1.1e.  It affects at least nginx, which logs error messages such as:
nginx[16652]: [crit] 16675#0: *358 SSL_read() failed (SSL: error:
4095126:SSL routines:ssl3_read_n:unexpected eof while reading) while keepalive, client: xxxx, server: [::]:443

So it looks like nginx is affected.

My question is:
*Is Apache affected?* It looks not, because until now Apachelounge has had 2.4.41 with 1.1.1e available for more than a week, which has been downloaded over 50.000 times, and no issues like this have been reported.

I did a few hundred test suite runs on 5 platforms for the 2.4.42 release candidate against OpenSSL 1.1.1e and noticed no special new ssl related errors.

So either our tests do not detect it or httpd does not have that problem.

There will be a new OpenSSL 1.1.1f release next week.

Regards,

Rainer
