History Of Ticket c5811f0d43

Artifacts Associated With Ticket c5811f0d43

  1. Ticket change [ca3faf101a] (rid 1594) by azazel on 2023-11-10 18:31:52:

    1. foundin initialized to: "1.7.22"
    2. icomment:
      OpenSSL 3.0 introduced a new ssl option `SSL_OP_IGNORE_UNEXPECTED_EOF`.  If this is not set, and OpenSSL receives an unexpected EOF, it is treated as a fatal error.  TclTLS does not set this, which can lead do unexpected errors.  For example:
      
      	$ cat /space/azazel/tmp/test/tlstest.tcl
      	#!/bin/sh
      	#\
      	exec tclsh8.6 "$0" ${1+"$@"}
      
      	package require tls
      
      	proc main host {
      
      	    global done
      
      	    set req [subst {
      	GET / HTTP/1.1
      	Host: $host
      	Connection: close    
      
      	}]
      
      	    set s [socket $host 443]
      
      	    tls::import $s -require 0 -ssl2 0 -ssl3 0 -tls1 1 -servername $host
      
      	    tls::handshake $s
      
      	    fconfigure $s -translation crlf -blocking 0 -buffering none
      
      	    puts -nonewline $s $req
      
      	    set done 0
      
      	    fileevent $s readable [list read_response $s]
      
      	    vwait done
      
      	    close $s
      
      	}
      
      	proc read_response s {
      
      	    global done
      
      	    while 1 {
      
      	        if { [eof $s] } {
      	            puts stderr "read_response: got EOF"
      	            set done 1
      	            break
      	        }
      
      	        if { [catch { set resp [read $s] } error] } {
      	            puts stderr "read_response: error = $error"
      	            set done 1
      	            break
      	        }
      
      	        puts stderr "read_response: $resp"
      
      	        if { [fblocked $s] } {
      	            break
      	        }
      
      	    }
      
      	    if { $done } {
      	        fileevent $s readable [list]
      	    }
      
      	}
      
      	main [lindex $argv 0]
      	$ /space/azazel/tmp/test/tlstest.tcl google.com
      	read_response: HTTP/1.1 301 Moved Permanently
      	Location: https://www.google.com/
      	Content-Type: text/html; charset=UTF-8
      	Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-RriZ0vurw26vE_UywsmQQg' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
      	Date: Fri, 10 Nov 2023 18:16:14 GMT
      	Expires: Fri, 10 Nov 2023 18:16:14 GMT
      	Cache-Control: private, max-age=2592000
      	Server: gws
      	Content-Length: 220
      	X-XSS-Protection: 0
      	X-Frame-Options: SAMEORIGIN
      	Set-Cookie: CONSENT=PENDING+895; expires=Sun, 09-Nov-2025 18:16:14 GMT; path=/; domain=.google.com; Secure
      	P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
      	Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
      	Connection: close
      
      	<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
      	<TITLE>301 Moved</TITLE></HEAD><BODY>
      	<H1>301 Moved</H1>
      	The document has moved
      	<A HREF="https://www.google.com/">here</A>.
      	</BODY></HTML>
      
      	read_response: error = error reading "sock560f01ccd5c0": software caused connection abort
      
      Setting the option:
      
      	$ fossil diff
      	Index: tls.c
      	==================================================================
      	--- tls.c
      	+++ tls.c
      	@@ -1212,10 +1212,13 @@
      	 #endif
      	     
      	     SSL_CTX_set_app_data( ctx, (VOID*)interp); /* remember the interpreter */
      	     SSL_CTX_set_options( ctx, SSL_OP_ALL);     /* all SSL bug workarounds */
      	     SSL_CTX_set_options( ctx, off);    /* all SSL bug workarounds */
      	+#ifdef SSL_OP_IGNORE_UNEXPECTED_EOF
      	+    SSL_CTX_set_options( ctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
      	+#endif
      	     SSL_CTX_sess_set_cache_size( ctx, 128);
      	 
      	     if (ciphers != NULL)
      	        SSL_CTX_set_cipher_list(ctx, ciphers);
      	 
      
      causes the EOF to be handled as expected:
      
      	$ /space/azazel/tmp/test/tlstest.tcl google.com
      	read_response: HTTP/1.1 301 Moved Permanently
      	Location: https://www.google.com/
      	Content-Type: text/html; charset=UTF-8
      	Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-GtEz85sCnLQF8adC4dzohw' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
      	Date: Fri, 10 Nov 2023 18:24:57 GMT
      	Expires: Fri, 10 Nov 2023 18:24:57 GMT
      	Cache-Control: private, max-age=2592000
      	Server: gws
      	Content-Length: 220
      	X-XSS-Protection: 0
      	X-Frame-Options: SAMEORIGIN
      	Set-Cookie: CONSENT=PENDING+011; expires=Sun, 09-Nov-2025 18:24:57 GMT; path=/; domain=.google.com; Secure
      	P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
      	Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
      	Connection: close
      
      	<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
      	<TITLE>301 Moved</TITLE></HEAD><BODY>
      	<H1>301 Moved</H1>
      	The document has moved
      	<A HREF="https://www.google.com/">here</A>.
      	</BODY></HTML>
      
      	read_response: 
      	read_response: got EOF
      
    3. login: "azazel"
    4. mimetype: "text/x-markdown"
    5. private_contact initialized to: "9d965027c1a2010214d27bd515f0b83d3d8fa951"
    6. severity initialized to: "Important"
    7. status initialized to: "Open"
    8. title initialized to: "Unexpected EOF's treated as errors by openssl 3.0"
    9. type initialized to: "Code Defect"
  2. Ticket change [07bdef3229] (rid 1595) by azazel on 2023-11-10 21:00:59:

    1. icomment:
      This is a dup of https://core.tcl-lang.org/tcltls/tktview/88c0c84969
      
    2. login: "azazel"
    3. mimetype: "text/x-markdown"
    4. priority changed to: "Immediate"
    5. resolution changed to: "Duplicate"
    6. status changed to: "Closed"