James,

Thanks for the bug report.  For reference, the upstream OpenSSL commit
looks to be:

https://github.com/openssl/openssl/commit/d924dbf4ae127c68463bcbece04b6e06abc58928

I strongly suspect that the patch on our side (against 1.3.x) is something
akin to below.  I'm having trouble getting a test environment up with the
latest OpenSSL to reproduce, so if anyone can test in the interim, that'd
be appreciated.  If not, I'll try again as time (and kiddo) permit.

Cheers.  -- justin

Index: buckets/ssl_buckets.c

===================================================================

--- buckets/ssl_buckets.c (revision 1875631)

+++ buckets/ssl_buckets.c (working copy)

@@ -807,6 +807,11 @@

                 if (ctx->pending_err) {

                     status = ctx->pending_err;

                     ctx->pending_err = 0;

+                } else if (ctx->decrypt.status ==
SSL_R_UNEXPECTED_EOF_WHILE_READING) {

+                    serf__log(SSL_VERBOSE, __FILE__,

+                              "ssl_decrypt: SSL read error: server"

+                              " shut down connection!\n");

+                    status = APR_EOF;

                 } else {

                     ctx->fatal_err = status = SERF_ERROR_SSL_COMM_FAILED;

                 }
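
Review bot: the new `else if` compares `ctx->decrypt.status` against `SSL_R_UNEXPECTED_EOF_WHILE_READING`, which is an OpenSSL reason code, and nothing in the visible lines shows that field ever holding one. The reason normally has to come from the error queue, e.g. `ERR_GET_REASON(ERR_peek_error())`, and the queued entry should be cleared once it is handled as EOF so it does not surface on a later call. The macro arrives with the OpenSSL change referenced above, so the branch needs an `#ifdef SSL_R_UNEXPECTED_EOF_WHILE_READING` guard to keep building against older headers. Setting `status = APR_EOF` here also makes a connection dropped without an orderly TLS shutdown look the same as a clean close. A comment should state that this is intended, and callers that delimit a response body by connection close cannot use it to detect truncation.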



On Mon, Mar 23, 2020 at 8:08 PM James McCoy <james...@debian.org> wrote:

> Looping in upstream:
>
> On Sun, Mar 22, 2020 at 02:57:54PM +0100, Lucas Nussbaum wrote:
> > Version: 1.3.9-8
>
> This is the same version of the serf package that's been in Debian since
> 2019/12/31, so something else seems to have changed.
>
> > [...]
> > During a rebuild of all packages in sid, your package failed to build
> > on amd64.
> >
> > Relevant part (hopefully):
> > > [...]
> > > Trailer-Test: f
> > > 140691743627136:error:14095126:SSL routines:ssl3_read_n:unexpected eof while reading:../ssl/record/rec_layer_s3.c:302:
> > > ..........................F.......................................
> > >
> > > There was 1 failure:
> > > 1) test_ssltunnel_basic_auth_server_has_keepalive_off: test/test_context.c:2138: expected <0> but was <120199>
>
> Running a bisect against what's changed in the archive, shows that the
> test started failing when OpenSSL's version changed from 1.1.1d-2 to
> 1.1.1e-1.
>
> Looking at OpenSSL's changelog, it seems this was a change on their end
> that's affecting serf.
>
>  Changes between 1.1.1d and 1.1.1e [17 Mar 2020]
>   *) Properly detect EOF while reading in libssl. Previously if we hit an EOF
>      while reading in libssl then we would report an error back to the
>      application (SSL_ERROR_SYSCALL) but errno would be 0. We now add
>      an error to the stack (which means we instead return SSL_ERROR_SSL) and
>      therefore give a hint as to what went wrong.
>      [Matt Caswell]
>
> I guess serf needs to adapt to this change in behavior.
>
> Cheers,
> --
> James
> GPG Key: 4096R/91BF BF4D 6956 BD5D F7B7  2D23 DFE6 91AE 331B A3DB
>
