Artifacts Associated With Ticket c5811f0d433d34ca
Ticket change [ca3faf101a] (rid 1594) by azazel on 2023-11-10 18:31:52:
- foundin initialized to: "1.7.22"
- icomment:
OpenSSL 3.0 introduced a new ssl option `SSL_OP_IGNORE_UNEXPECTED_EOF`. If this is not set, and OpenSSL receives an unexpected EOF, it is treated as a fatal error. TclTLS does not set this, which can lead do unexpected errors. For example: $ cat /space/azazel/tmp/test/tlstest.tcl #!/bin/sh #\ exec tclsh8.6 "$0" ${1+"$@"} package require tls proc main host { global done set req [subst { GET / HTTP/1.1 Host: $host Connection: close }] set s [socket $host 443] tls::import $s -require 0 -ssl2 0 -ssl3 0 -tls1 1 -servername $host tls::handshake $s fconfigure $s -translation crlf -blocking 0 -buffering none puts -nonewline $s $req set done 0 fileevent $s readable [list read_response $s] vwait done close $s } proc read_response s { global done while 1 { if { [eof $s] } { puts stderr "read_response: got EOF" set done 1 break } if { [catch { set resp [read $s] } error] } { puts stderr "read_response: error = $error" set done 1 break } puts stderr "read_response: $resp" if { [fblocked $s] } { break } } if { $done } { fileevent $s readable [list] } } main [lindex $argv 0] $ /space/azazel/tmp/test/tlstest.tcl google.com read_response: HTTP/1.1 301 Moved Permanently Location: https://www.google.com/ Content-Type: text/html; charset=UTF-8 Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-RriZ0vurw26vE_UywsmQQg' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp Date: Fri, 10 Nov 2023 18:16:14 GMT Expires: Fri, 10 Nov 2023 18:16:14 GMT Cache-Control: private, max-age=2592000 Server: gws Content-Length: 220 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Set-Cookie: CONSENT=PENDING+895; expires=Sun, 09-Nov-2025 18:16:14 GMT; path=/; domain=.google.com; Secure P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"> <TITLE>301 Moved</TITLE></HEAD><BODY> <H1>301 Moved</H1> The document has moved <A HREF="https://www.google.com/">here</A>. </BODY></HTML> read_response: error = error reading "sock560f01ccd5c0": software caused connection abort Setting the option: $ fossil diff Index: tls.c ================================================================== --- tls.c +++ tls.c @@ -1212,10 +1212,13 @@ #endif SSL_CTX_set_app_data( ctx, (VOID*)interp); /* remember the interpreter */ SSL_CTX_set_options( ctx, SSL_OP_ALL); /* all SSL bug workarounds */ SSL_CTX_set_options( ctx, off); /* all SSL bug workarounds */ +#ifdef SSL_OP_IGNORE_UNEXPECTED_EOF + SSL_CTX_set_options( ctx, SSL_OP_IGNORE_UNEXPECTED_EOF); +#endif SSL_CTX_sess_set_cache_size( ctx, 128); if (ciphers != NULL) SSL_CTX_set_cipher_list(ctx, ciphers); causes the EOF to be handled as expected: $ /space/azazel/tmp/test/tlstest.tcl google.com read_response: HTTP/1.1 301 Moved Permanently Location: https://www.google.com/ Content-Type: text/html; charset=UTF-8 Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-GtEz85sCnLQF8adC4dzohw' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp Date: Fri, 10 Nov 2023 18:24:57 GMT Expires: Fri, 10 Nov 2023 18:24:57 GMT Cache-Control: private, max-age=2592000 Server: gws Content-Length: 220 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Set-Cookie: CONSENT=PENDING+011; expires=Sun, 09-Nov-2025 18:24:57 GMT; path=/; domain=.google.com; Secure P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"> <TITLE>301 Moved</TITLE></HEAD><BODY> <H1>301 Moved</H1> The document has moved <A HREF="https://www.google.com/">here</A>. </BODY></HTML> read_response: read_response: got EOF
- login: "azazel"
- mimetype: "text/x-markdown"
- private_contact initialized to: "9d965027c1a2010214d27bd515f0b83d3d8fa951"
- severity initialized to: "Important"
- status initialized to: "Open"
- title initialized to: "Unexpected EOF's treated as errors by openssl 3.0"
- type initialized to: "Code Defect"
Ticket change [07bdef3229] (rid 1595) by azazel on 2023-11-10 21:00:59:
- icomment:
This is a dup of https://core.tcl-lang.org/tcltls/tktview/88c0c84969
- login: "azazel"
- mimetype: "text/x-markdown"
- priority changed to: "Immediate"
- resolution changed to: "Duplicate"
- status changed to: "Closed"
- icomment: