I've narrowed down my problem down to the same commit as Tomek Gacek -
c2aae74f010f97a3415542fe649198a5d3be1ea8 (MEDIUM: ssl: Handle early data
with OpenSSL 1.1.1), so I guess it may be related. In my case, since
upgrade to 1.8, some responses from some backends (not sure what exactly
triggers the bug) do not have their headers modified (despite
http-response add-header and http-response del-header being set).
Applying patch part-by-part, I got to a point where it seems that that
was caused by changes to ssl_sock_to_buf function in src/ssl_sock.c
Code at out_error label behave a bit differently from part removed in
this commit - namely, it sets conn->flags |= CO_FL_ERROR
unconditionally, while previously there was an additional check
(skipping error flag setting if errno was set to EAGAIN). My problems
went straight away when I've changed out_error to match old code.
There is also another issue with this commit - it seems that one "1" got
lost in OPENSSL_VERSION_NUMBER comparison (line 267):
Throughout this commit all additions of similar ifdefs use 0x10101000L,
which translates to OpenSSL 1.1.1 - and this one oddly translates to
Hope this helps!