On Sat, Feb 10, 2018 at 06:26:42PM +0100, Mateusz Małek wrote:
> Hi everyone,
> I've narrowed down my problem down to the same commit as Tomek Gacek -
> c2aae74f010f97a3415542fe649198a5d3be1ea8 (MEDIUM: ssl: Handle early data
> with OpenSSL 1.1.1), so I guess it may be related. In my case, since upgrade
> to 1.8, some responses from some backends (not sure what exactly triggers
> the bug) do not have their headers modified (despite http-response
> add-header and http-response del-header being set).
> Applying patch part-by-part, I got to a point where it seems that that was
> caused by changes to ssl_sock_to_buf function in src/ssl_sock.c (lines
> Code at out_error label behave a bit differently from part removed in this
> commit - namely, it sets conn->flags |= CO_FL_ERROR unconditionally, while
> previously there was an additional check (skipping error flag setting if
> errno was set to EAGAIN). My problems went straight away when I've changed
> out_error to match old code.
Thanks a lot for the detailed analyze, and sorry for the late answer.
You're probably right, SSL_ERROR_SYSCALL shouldn't be treated as an
So, what you basically did was something equivalent to the patch attached ?
Thanks a lot !
>From b423f94273be2c7040ce0861bd4a21617b4c5c2b Mon Sep 17 00:00:00 2001
From: Olivier Houchard <ohouch...@haproxy.com>
Date: Tue, 13 Feb 2018 15:17:23 +0100
Subject: [PATCH] MINOR/BUG: ssl: Don't always treat SSL_ERROR_SYSCALL as
SSL_Raad() might return <= 0, and SSL_get_erro() return SSL_ERROR_SYSCALL,
without meaning the connection is gone. Before flagging the conection
as in error, check the errno value.
This should be backported to 1.8.
src/ssl_sock.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index aee3cd965..687133b0d 100644
@@ -5452,7 +5452,9 @@ static int ssl_sock_to_buf(struct connection *conn,
struct buffer *buf, int coun
- conn->flags |= CO_FL_ERROR;
+ if ((ret != SSL_ERROR_SYSCALL) ||
+ (errno && errno != EAGAIN))
+ conn->flags |= CO_FL_ERROR;