** Description changed:

- [Impact]
- Ubuntu Jammy (22.04) is using OpenSSL 3.0 which changed the behavior when 
closing encrypted connections.  Certain clients close their connections 
improperly and thus trigger an error message in the server logs.  These 
messages bloat the error logs.
- 
- [Test case]
- 
- 0) apt-get install nginx-full ssl-cert
- 1) edit /etc/nginx/sites-enabled/default and uncomment both "listen" lines 
for 443, and the "include" line for snakeoil.conf
- 2) restart nginx
- 3) from a client machine, send many requests and abort some of them abruptly
-   #!/bin/bash
-   URL="https://localhost";
-   while :; do
-       timeout -s KILL 0.2s curl -v -K <(echo verbose;for i in {1..2000}; do 
echo url = "$URL"; echo -o /dev/null; done)
-   done
- 4) In another terminal, check the error logs for "unexpected eof while 
reading" and SSL_READ() errors
-   tail -f /var/log/nginx/error.log
- 
- With the fixed version, there should be no "unexpected eof while
- reading" error when a connection is aborted by the timeout command.
- With the unfixed version, the error should present itself many times
- fairly quickly.
- 
- [Fix]
- Ubuntu Kinetic ships a newer version of nginx that includes a fix for this 
problem.  This SRU backports that patch to Jammy.  Earlier versions of Ubuntu 
don't carry OpenSSL 3.0 so are not presenting the altered closure behavior.
- 
- [Where problems may occur]
- 
- The patch changes behavior at point of connection termination, so a
- regression most likely would involve some form of misbehavior associated
- with connection state change.  This also depends on spec'd OpenSSL
- definitions; if these happened to be incorrectly implemented in certain
- clients, those clients could exhibit odd behaviors, but such a non-
- compliant client would likely have problems with a lot of other web
- servers.
- 
- [Original description]
- 
- Ubuntu Jammy (22.04) is using OpenSSL 3.0 which changed the behaviour
- when closing encrypted connections. Hence, nginx upstream patched its
- versions >= 1.21.2 with a flag to remain compatible with clients still
- closing connections improperly. Details can be found in
- https://github.com/nginx/nginx/commit/5155845ce4453a07d60e2ce43946c9181bc311fa
- 
- Can this patch please be backported to nginx on Jammy as well?
- 
- ```
- 'lsb_release -rd':
- Description:    Ubuntu 22.04 LTS
- Release:        22.04
- 
- 'apt-cache policy nginx':
- nginx:
-   Installed: 1.18.0-6ubuntu14.1
-   Candidate: 1.18.0-6ubuntu14.1
- ...
- ```
+ [Impact]Ubuntu Jammy (22.04) is using OpenSSL 3.0 which changed the
+ behavior when closing encrypted connections.  Certain clients close
+ their connections improperly and thus trigger an error message in the
+ server logs.  These messages bloat the error logs.[Test case]0) apt-get
+ install nginx-full ssl-cert1) edit /etc/nginx/sites-enabled/default and
+ uncomment both "listen" lines for 443, and the "include" line for
+ snakeoil.conf2) restart nginx3) from a client machine, send many
+ requests and abort some of them abruptly  #!/bin/bash
+ URL="https://localhost";  while :; do      timeout -s KILL 0.2s curl -v
+ -K <(echo verbose;for i in {1..2000}; do echo url = "$URL"; echo -o
+ /dev/null; done)  done4) In another terminal, check the error logs for
+ "unexpected eof while reading" and SSL_READ() errors  tail -f
+ /var/log/nginx/error.logWith the fixed version, there should be no
+ "unexpected eof while reading" error when a connection is aborted by the
+ timeout command.  With the unfixed version, the error should present
+ itself many times fairly quickly.[Fix]Ubuntu Kinetic ships a newer
+ version of nginx that includes a fix for this problem.  This SRU
+ backports that patch to Jammy.  Earlier versions of Ubuntu don't carry
+ OpenSSL 3.0 so are not presenting the altered closure behavior.[Where
+ problems may occur]The patch changes behavior at point of connection
+ termination, so a regression most likely would involve some form of
+ misbehavior associated with connection state change.  This also depends
+ on spec'd OpenSSL definitions; if these happened to be incorrectly
+ implemented in certain clients, those clients could exhibit odd
+ behaviors, but such a non-compliant client would likely have problems
+ with a lot of other web servers.[Original description]Ubuntu Jammy
+ (22.04) is using OpenSSL 3.0 which changed the behaviour when closing
+ encrypted connections. Hence, nginx upstream patched its versions >=
+ 1.21.2 with a flag to remain compatible with clients still closing
+ connections improperly. Details can be found in
+ 
https://github.com/nginx/nginx/commit/5155845ce4453a07d60e2ce43946c9181bc311faCan
+ this patch please be backported to nginx on Jammy as
+ well?```'lsb_release -rd':Description:    Ubuntu 22.04 LTSRelease:
+ 22.04'apt-cache policy nginx':nginx:  Installed:
+ 1.18.0-6ubuntu14.1  Candidate: 1.18.0-6ubuntu14.1...```[Fix Replacement
+ for this section]
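Review bot: The replacement text drops every line break from the description, so the section headers, the numbered test steps and the reproduction script run together (for example `snakeoil.conf2) restart nginx3)` and `done4) In another terminal`), and the script can no longer be copied and run as written. The upstream commit URL is also joined to the next word (`...bc311faCan`), which breaks the link, and the trailing `[Fix Replacement for this section]` reads like a leftover editing placeholder. Suggest restoring the original layout, with each `[Section]` header and each step on its own line and the script lines kept separate, and removing the placeholder.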

** Description changed:

  [Impact]Ubuntu Jammy (22.04) is using OpenSSL 3.0 which changed the
  behavior when closing encrypted connections.  Certain clients close
  their connections improperly and thus trigger an error message in the
  server logs.  These messages bloat the error logs.[Test case]0) apt-get
  install nginx-full ssl-cert1) edit /etc/nginx/sites-enabled/default and
  uncomment both "listen" lines for 443, and the "include" line for
  snakeoil.conf2) restart nginx3) from a client machine, send many
  requests and abort some of them abruptly  #!/bin/bash
  URL="https://localhost";  while :; do      timeout -s KILL 0.2s curl -v
  -K <(echo verbose;for i in {1..2000}; do echo url = "$URL"; echo -o
  /dev/null; done)  done4) In another terminal, check the error logs for
  "unexpected eof while reading" and SSL_READ() errors  tail -f
  /var/log/nginx/error.logWith the fixed version, there should be no
  "unexpected eof while reading" error when a connection is aborted by the
  timeout command.  With the unfixed version, the error should present
  itself many times fairly quickly.[Fix]Ubuntu Kinetic ships a newer
  version of nginx that includes a fix for this problem.  This SRU
  backports that patch to Jammy.  Earlier versions of Ubuntu don't carry
  OpenSSL 3.0 so are not presenting the altered closure behavior.[Where
  problems may occur]The patch changes behavior at point of connection
  termination, so a regression most likely would involve some form of
  misbehavior associated with connection state change.  This also depends
  on spec'd OpenSSL definitions; if these happened to be incorrectly
  implemented in certain clients, those clients could exhibit odd
  behaviors, but such a non-compliant client would likely have problems
  with a lot of other web servers.[Original description]Ubuntu Jammy
  (22.04) is using OpenSSL 3.0 which changed the behaviour when closing
  encrypted connections. Hence, nginx upstream patched its versions >=
  1.21.2 with a flag to remain compatible with clients still closing
  connections improperly. Details can be found in
  
https://github.com/nginx/nginx/commit/5155845ce4453a07d60e2ce43946c9181bc311faCan
  this patch please be backported to nginx on Jammy as
  well?```'lsb_release -rd':Description:    Ubuntu 22.04 LTSRelease:
  22.04'apt-cache policy nginx':nginx:  Installed:
  1.18.0-6ubuntu14.1  Candidate: 1.18.0-6ubuntu14.1...```[Fix Replacement
- for this section]
+ for this section][Fix Ubuntu Kinetic ships a newer version of nginx that
+ includes a fix for this problem.  This SRU backports that patch to
+ Jammy.  Earlier versions of Ubuntu don't carry OpenSSL 3.0 so are not
+ presenting the altered closure behavior.]
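Review bot: The appended `[Fix Ubuntu Kinetic ships a newer version of nginx that ...]` text repeats, word for word, the [Fix] section that already appears earlier in the same description, and it leaves the `[Fix Replacement for this section]` placeholder in front of it. Suggest dropping both the placeholder and the duplicated paragraph, or, if the intent was to replace the existing [Fix] section, editing that section in place instead of appending a bracketed copy.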

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1981457

Title:
  Backport: SSL: use of the SSL_OP_IGNORE_UNEXPECTED_EOF option.
