TclTLS
Ticket Change Details
Login
HomeTimelineDownloadBrowse SourceBranchesTagsTicketsWiki
History Page Plaintext Raw Timeline
Overview

Artifact ID: ca3faf101af249f91d79bd34e25b9428cf55e0db24b629918237c8fc22369ad2
Ticket: c5811f0d433d34ca16ccecdec10fb61e2f3ba657
Unexpected EOF's treated as errors by openssl 3.0
User & Date: azazel on 2023-11-10 18:31:52
Changes

  1. foundin changed to: "1.7.22"
  2. icomment: 
    OpenSSL 3.0 introduced a new ssl option `SSL_OP_IGNORE_UNEXPECTED_EOF`.  If this is not set, and OpenSSL receives an unexpected EOF, it is treated as a fatal error.  TclTLS does not set this, which can lead do unexpected errors.  For example:

	$ cat /space/azazel/tmp/test/tlstest.tcl
	#!/bin/sh
	#\
	exec tclsh8.6 "$0" ${1+"$@"}

	package require tls

	proc main host {

	    global done

	    set req [subst {
	GET / HTTP/1.1
	Host: $host
	Connection: close    

	}]

	    set s [socket $host 443]

	    tls::import $s -require 0 -ssl2 0 -ssl3 0 -tls1 1 -servername $host

	    tls::handshake $s

	    fconfigure $s -translation crlf -blocking 0 -buffering none

	    puts -nonewline $s $req

	    set done 0

	    fileevent $s readable [list read_response $s]

	    vwait done

	    close $s

	}

	proc read_response s {

	    global done

	    while 1 {

	        if { [eof $s] } {
	            puts stderr "read_response: got EOF"
	            set done 1
	            break
	        }

	        if { [catch { set resp [read $s] } error] } {
	            puts stderr "read_response: error = $error"
	            set done 1
	            break
	        }

	        puts stderr "read_response: $resp"

	        if { [fblocked $s] } {
	            break
	        }

	    }

	    if { $done } {
	        fileevent $s readable [list]
	    }

	}

	main [lindex $argv 0]
	$ /space/azazel/tmp/test/tlstest.tcl google.com
	read_response: HTTP/1.1 301 Moved Permanently
	Location: https://www.google.com/
	Content-Type: text/html; charset=UTF-8
	Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-RriZ0vurw26vE_UywsmQQg' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
	Date: Fri, 10 Nov 2023 18:16:14 GMT
	Expires: Fri, 10 Nov 2023 18:16:14 GMT
	Cache-Control: private, max-age=2592000
	Server: gws
	Content-Length: 220
	X-XSS-Protection: 0
	X-Frame-Options: SAMEORIGIN
	Set-Cookie: CONSENT=PENDING+895; expires=Sun, 09-Nov-2025 18:16:14 GMT; path=/; domain=.google.com; Secure
	P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
	Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
	Connection: close

	<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
	<TITLE>301 Moved</TITLE></HEAD><BODY>
	<H1>301 Moved</H1>
	The document has moved
	<A HREF="https://www.google.com/">here</A>.
	</BODY></HTML>

	read_response: error = error reading "sock560f01ccd5c0": software caused connection abort

Setting the option:

	$ fossil diff
	Index: tls.c
	==================================================================
	--- tls.c
	+++ tls.c
	@@ -1212,10 +1212,13 @@
	 #endif
	     
	     SSL_CTX_set_app_data( ctx, (VOID*)interp); /* remember the interpreter */
	     SSL_CTX_set_options( ctx, SSL_OP_ALL);     /* all SSL bug workarounds */
	     SSL_CTX_set_options( ctx, off);    /* all SSL bug workarounds */
	+#ifdef SSL_OP_IGNORE_UNEXPECTED_EOF
	+    SSL_CTX_set_options( ctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
	+#endif
	     SSL_CTX_sess_set_cache_size( ctx, 128);
	 
	     if (ciphers != NULL)
	        SSL_CTX_set_cipher_list(ctx, ciphers);
	 

causes the EOF to be handled as expected:

	$ /space/azazel/tmp/test/tlstest.tcl google.com
	read_response: HTTP/1.1 301 Moved Permanently
	Location: https://www.google.com/
	Content-Type: text/html; charset=UTF-8
	Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-GtEz85sCnLQF8adC4dzohw' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
	Date: Fri, 10 Nov 2023 18:24:57 GMT
	Expires: Fri, 10 Nov 2023 18:24:57 GMT
	Cache-Control: private, max-age=2592000
	Server: gws
	Content-Length: 220
	X-XSS-Protection: 0
	X-Frame-Options: SAMEORIGIN
	Set-Cookie: CONSENT=PENDING+011; expires=Sun, 09-Nov-2025 18:24:57 GMT; path=/; domain=.google.com; Secure
	P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
	Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
	Connection: close

	<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
	<TITLE>301 Moved</TITLE></HEAD><BODY>
	<H1>301 Moved</H1>
	The document has moved
	<A HREF="https://www.google.com/">here</A>.
	</BODY></HTML>

	read_response: 
	read_response: got EOF
  3. login: "azazel"
  4. mimetype: "text/x-markdown"
  5. private_contact changed to: "9d965027c1a2010214d27bd515f0b83d3d8fa951"
  6. severity changed to: "Important"
  7. status changed to: "Open"
  8. title changed to: "Unexpected EOF's treated as errors by openssl 3.0"
  9. type changed to: "Code Defect"
Powered by Fossil · RSS