OpenSSL 1.1.1e brought a change in behavior when reaching EOF in SSL_read(). Previous versions returned SSL_ERROR_SYSCALL but errno would be 0. New behavior returns SSL_ERROR_SSL and adds an error to the stack.
This breaks session resumption in nginx, and has the potential to break other apps as well (https://github.com/openssl/openssl/issues/10880). It is a bug, and it affects security--they're talking about a possible truncation attack.

There's an issue open in https://github.com/openssl/openssl/issues/11378 where they're discussing what to do. Apparently they are leaning towards reverting the change in 1.1.1, but keeping it for the next release. I imagine affected software will eventually adapt, so this revert may be temporary.

I'm not sure what to do in this case. My initial idea is to wait for openssl/openssl#11378 closure, and see what they decide. If they keep the change (don't revert), then we should probably revert this now, and take the patches out once most/all affected apps have adapted.

Since this might cause trouble right away, and it was applied to 19.07, I decided to post this now, as RFC.

This was tested in mvebu, WRT3200ACM, using nginx.

Eneas U de Queiroz (1):
  openssl: revert EOF detection change in 1.1.1

 package/libs/openssl/Makefile                 |   2 +-
 ...t-Detect-EOF-while-reading-in-libssl.patch | 112 ++++++++++++++++++
 ...more-BIOs-how-to-handle-BIO_CTRL_EOF.patch |  71 +++++++++++
 3 files changed, 184 insertions(+), 1 deletion(-)
 create mode 100644 package/libs/openssl/patches/200-Revert-Detect-EOF-while-reading-in-libssl.patch
 create mode 100644 package/libs/openssl/patches/210-Revert-Teach-more-BIOs-how-to-handle-BIO_CTRL_EOF.patch

_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
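Added example (not part of this patch series, nginx or OpenSSL's own code): a classifier for the outcome of an SSL_read() call that treats a TCP EOF without close_notify as truncation under both the pre-1.1.1e signature (SSL_ERROR_SYSCALL with errno 0) and the 1.1.1e signature (SSL_ERROR_SSL with an error on the queue), so a cut-off stream is never taken as complete. It assumes the OpenSSL headers may be absent and then defines the SSL_ERROR_* values locally; the function name and the queue_has_eof_reason flag are hypothetical.

```c
/* Added example, not from the patch series. Classify SSL_read() results so an
 * unannounced EOF is handled the same way on OpenSSL <= 1.1.1d and 1.1.1e.
 * ASSUMPTION: if <openssl/ssl.h> is not available, the numeric values of the
 * SSL_ERROR_* macros from OpenSSL 1.1.1 are defined here so this compiles
 * stand-alone. classify_ssl_read() and its flag argument are hypothetical. */
#include <errno.h>

#if defined(__has_include)
#  if __has_include(<openssl/ssl.h>)
#    include <openssl/ssl.h>
#  endif
#endif
#ifndef SSL_ERROR_SSL
#  define SSL_ERROR_SSL         1   /* values as in openssl/ssl.h (1.1.1) */
#  define SSL_ERROR_WANT_READ   2
#  define SSL_ERROR_WANT_WRITE  3
#  define SSL_ERROR_SYSCALL     5
#  define SSL_ERROR_ZERO_RETURN 6
#endif

enum read_outcome {
    READ_DATA,        /* rc > 0: application data received */
    READ_WANT_MORE,   /* non-blocking socket: retry later */
    READ_CLEAN_EOF,   /* peer sent close_notify: stream is complete */
    READ_TRUNCATED,   /* TCP EOF without close_notify: do not trust as complete */
    READ_ERROR        /* any other failure */
};

/* rc: return value of SSL_read(); ssl_err: SSL_get_error(ssl, rc);
 * saved_errno: errno captured immediately after SSL_read() returned, before
 * any other call; queue_has_eof_reason: nonzero when the caller found the
 * 1.1.1e unexpected-EOF reason via ERR_peek_error(). */
enum read_outcome classify_ssl_read(int rc, int ssl_err, int saved_errno,
                                    int queue_has_eof_reason)
{
    if (rc > 0)
        return READ_DATA;
    switch (ssl_err) {
    case SSL_ERROR_ZERO_RETURN:
        return READ_CLEAN_EOF;
    case SSL_ERROR_WANT_READ:
    case SSL_ERROR_WANT_WRITE:
        return READ_WANT_MORE;
    case SSL_ERROR_SYSCALL:
        /* Pre-1.1.1e signature of an unannounced EOF: rc == 0, errno untouched. */
        return (rc == 0 && saved_errno == 0) ? READ_TRUNCATED : READ_ERROR;
    case SSL_ERROR_SSL:
        /* 1.1.1e signature: SSL_ERROR_SSL with the EOF reason on the error queue. */
        return queue_has_eof_reason ? READ_TRUNCATED : READ_ERROR;
    default:
        return READ_ERROR;
    }
}
```

An application that logs READ_TRUNCATED instead of treating it as a normal close will behave the same across the two library versions and will not silently accept a truncated response.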