Hello!

On Tue, Jul 08, 2025 at 11:50:53PM +0300, Maxim Dounin wrote:

> Hello!
>
> On Tue, Jul 08, 2025 at 06:43:46PM +0200, Christoph Liebender via nginx wrote:
>
> > Hello,
> >
> > I am the maintainer of the somewhat niche Arch Linux PKGBUILD of
> > freenginx-libressl [1], and the upgrade to 1.29.0 causes tests to fail when
> > built against LibreSSL 4.1.0:
> >
> > ===( 5030;59 3/11 1/11 4/7 5/8 4/8 0/9 1/8 0/? )===========
> > # Failed test 'ssl server name empty'
> > # at ./stream_ssl_variables.t line 137.
> > # got: undef
> > # expected: ''
> > ./stream_ssl_realip.t ...................... ok
> > ===( 5043;59 3/11 1/11 5/7 5/8 1/9 8/8 0/? )================#
> > Looks like you failed 1 test of 8.
> > ./stream_ssl_variables.t ................... Dubious, test returned 1 (wstat
> > 256, 0x100)
> > Failed 1/8 subtests
> > ./stream_proxy.t ........................... ok
> > ===( 5048;59 3/11 1/11 5/8 3/9 1/12 0/? 0/? 0/? )=========
> > # Failed test 'no cert'
> > # at ./stream_ssl_verify_client.t line 114.
> > # got: undef
> > # expected: ''
> >
> > # Failed test 'bad optional cert'
> > # at ./stream_ssl_verify_client.t line 115.
> > # got: undef
> > # expected: ''
> > ===( 5060;59 3/11 1/11 5/8 6/9 9/12 0/8 1/4 0/11 )=======#
> > Looks like you failed 2 tests of 12.
> > ./stream_ssl_verify_client.t ............... Dubious, test returned 2 (wstat
> > 512, 0x200)
> > Failed 2/12 subtests
> >
> > Do these errors tell you anything? I don't have the PKGBUILD for 1.29.0
> > committed, but the respective diff only increments the version as well as the
> > tests' commit.
>
> All the errors seem to be reported for test cases when an SSL
> connection is closed by the server without sending anything.
> The client is expected to see a clean connection close, yet
> instead an error is returned (hence "undef").
>
> I'm able to reproduce exactly the same errors on Arch Linux with
> previous freenginx mainline version, 1.27.6 (which is exactly the
> same as stable 1.28.0).
>
> And I don't see such errors with LibreSSL 4.1.0 either on FreeBSD
> or on Alpine Linux.
>
> Further, I observe exactly the same errors on Arch Linux with
> freenginx compiled with OpenSSL library, OpenSSL 3.5.1.
>
> That is, LibreSSL is certainly not the problem here.
>
> And likely it's something in IO::Socket::SSL (2.094) and/or
> Net::SSLeay (1.94) and/or OpenSSL 3.5.1 it uses.
>
> Given IO::Socket::SSL changes, I tend to think it's IO::Socket::SSL
> (https://metacpan.org/dist/IO-Socket-SSL/changes):
>
> 2.094 2025/06/18
> - fixed memory leak introduced in 2.092
> 2.093 2025/06/17
> - Another rework for one-sided SSL shutdown, to a) implement a useful and
>   secure behavior and b) without affecting existing applications. 2.092 had
>   still unwanted side effects
> 2.092 2025/06/16
> - rework implementation and behavior for one-sided SSL shutdown.
>   Implementation in 2.091 lead to some problems with Net::FTP and others.
> 2.091 2025/06/11
> - fix behavior on one-sided SSL shutdown. If the application continued
>   to read after half-closing the SSL connection this could result in reading
>   encrypted data (i.e. close notify, SSL session tickets ...).
>   See documentation of stop_SSL for detailed description of handling
>   half-closed SSL connections.
>
> Both on FreeBSD and Alpine IO::Socket::SSL is at version 2.089,
> which predates all this "one-sided SSL shutdown" hassle.
>
> Quick test with IO::Socket::SSL manually downgraded to 2.089
> suggests it's indeed the case: with IO::Socket::SSL 2.089
> everything works.

For the record:

https://github.com/noxxi/p5-io-socket-ssl/issues/171

--
Maxim Dounin
http://mdounin.ru/