https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=295942
Bug ID: 295942
Summary: SSL_OP_ENABLE_KTLS_TX_ZEROCOPY_SENDFILE data
corruption on files > 128KB
Product: Base System
Version: 15.0-RELEASE
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: kern
Assignee: [email protected]
Reporter: [email protected]
Setup:
lighttpd 1.4.82 running on FreeBSD-15.0
with OpenSSL 3.5.4 from base or with OpenSSL 3.5.6 from ports
Network driver: igb0
Serving static files with plain http and https using mod_openssl
Problem:
I got reports that a source packages fetched from my server where corrupted.
I was able to reproduce this on multiple servers.
Even with the default lighttpd config and adding:
ssl.engine = "enable".
Steps to reproduce:
The file must be > 128 kbyte to become corrupted.
Fetching the files and running sha256sum an the result showed:
6ef4e286... 20260601.tgz.curl.http
6ef4e286... 20260601.tgz.curl.https
6ef4e286... 20260601.tgz.fetch.http
a717baa2... 20260601.tgz.fetch.https
6ef4e286... 20260601.tgz.wget.http
347d964a... 20260601.tgz.wget.https
6ef4e286... is the correct checksum
The error log reports:
lighttpd-1.4.82/src/mod_openssl.c.4808) SSL: addr:2***:****::*** ssl_err:5
ret:-1 errno:35: Resource temporarily unavailable
I was unable to reproduce the problem
on servers running FreeBSD-14.4.
14.4-RELEASE-p5 ssl=openssl35 mod_openssl OK
14.4-RELEASE-p5 ssl=openssl35 mod_openssl OK
15.0-RELEASE-p9 ssl=openssl35 mod_openssl broken
15.0-RELEASE-p9 ssl=base mod_openssl broken
15.0-RELEASE-p9 ssl=openssl35 mod_wolfssl OK
sysctl kern.ipc.tls.stats | grep -v ': 0'
FreeBSD-14: all values zero
FreeBSD-15:
kern.ipc.tls.stats.ocf.separate_output: 2114
kern.ipc.tls.stats.ocf.inplace: 12982513
kern.ipc.tls.stats.ocf.tls13_chacha20_encrypts: 232
kern.ipc.tls.stats.ocf.tls13_chacha20_decrypts: 191
kern.ipc.tls.stats.ocf.tls13_gcm_encrypts: 12984395
kern.ipc.tls.stats.ocf.tls13_gcm_decrypts: 6557803
kern.ipc.tls.stats.enable_calls: 3204921
kern.ipc.tls.stats.offload_total: 3204921
kern.ipc.tls.stats.threads: 4
Workaround: Disable KTLS in lighttpd.conf:
ssl.openssl.ssl-conf-cmd += ("Options" => "-KTLS")
--
You are receiving this mail because:
You are the assignee for the bug.