Details

    • Type: Bug
    • Status: Stalled
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 10.6.12, 10.4 (EOL)
    • Component/s: SSL, Tests
    • Environment: Anolis OS 23, OpenSSL-3.0.7

    Description

      When compiling mariadb 10.6.12 under Anolis OS (Fedora rawhide based), nine tests failed with "TLS/SSL error: unexpected eof while reading".

      Build/test log of 10.6.12:
      https://build.openanolis.cn/taskinfo?taskID=527534

    Activity

            danblack Daniel Black added a comment -

            From openssl issue 18866:

            Has the OpenSSL version been updated? OpenSSL 3 (a major release) changed some behaviour compared to 1.1.1 with respect to peers that fail to shutdown a TLS connection cleanly.

            Previously, if a peer unexpectedly shutdown a connection an OpenSSL IO function (such as SSL_read()) would report an error and SSL_get_error() would report SSL_ERROR_SYSCALL and errno would be 0. This was considered a bug in 1.1.1 (you should never get SSL_ERROR_SYSCALL but with errno as 0). However fixing it in 1.1.1 broke some apps. We delayed the fix until the next major version (OpenSSL 3.0).

            In OpenSSL 3.0 this error is now reported from SSL_get_error() as SSL_ERROR_SSL and the "unexpected eof while reading" error is put on the OpenSSL error stack. We also added a new option SSL_OP_IGNORE_UNEXPECTED_EOF which treats an unexpected EOF from the peer as if they had performed an orderly shutdown. See:

            https://www.openssl.org/docs/man3.0/man3/SSL_set_options.html

            danblack Daniel Black added a comment -

            9EOR9, this appears as the Connector/C set SSL_set_quiet_shutdown(ssl, 1); in ma_tls_close (libmariadb/secure/openssl.c) as well as the server (vio/viossl.c).

            vio/viossl.c describes us as immune to truncation attacks, so maybe we just need to add the option to both client and server.

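The two points made in this thread (OpenSSL 3 reporting a truncated connection as SSL_ERROR_SSL with "unexpected eof while reading", and a peer that uses SSL_set_quiet_shutdown() producing exactly that truncation) reproduced end to end, as an added example that is not code from this ticket, MariaDB or Connector/C: a localhost TLS server sends one message and then either shuts down properly or just closes TCP, and a client reports what SSL_read sees, with and without SSL_OP_IGNORE_UNEXPECTED_EOF. It uses Ruby's standard-library OpenSSL bindings, which wrap the same libssl calls and can mint a self-signed certificate in-process so the script runs stand-alone; IGNORE_EOF, make_cert, serve_once, tls_client, run_scenario and the 0x80 fallback are choices made here, not anything from the ticket.

```ruby
require "openssl"
require "socket"
# SSL_OP_IGNORE_UNEXPECTED_EOF; 0x80 (its OpenSSL 3.0 value) is only a fallback for a binding lacking the constant.
IGNORE_EOF = OpenSSL::SSL.const_defined?(:OP_IGNORE_UNEXPECTED_EOF) ?
             OpenSSL::SSL::OP_IGNORE_UNEXPECTED_EOF : 0x80
# Self-signed test certificate minted in-process (constructed for this example only).
def make_cert
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial, cert.public_key = 2, 1, key
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=localhost")
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end
# Server: send one message, then end the connection either cleanly or abruptly.
def serve_once(listener, cert, key, orderly:)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert, ctx.key = cert, key
  ssl = OpenSSL::SSL::SSLSocket.new(tcp = listener.accept, ctx)
  ssl.accept
  ssl.syswrite("hello")
  ssl.close if orderly # SSL_shutdown: a close_notify alert goes out before the FIN
  tcp.close            # FIN with no close_notify: what an SSL_set_quiet_shutdown() peer sends
end
# Client: read the message, then read again to see how the peer's close is reported.
def tls_client(port, ignore_unexpected_eof:)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE # self-signed test cert only
  ctx.options |= IGNORE_EOF if ignore_unexpected_eof
  ssl = OpenSSL::SSL::SSLSocket.new(TCPSocket.new("127.0.0.1", port), ctx).connect
  msg = ssl.sysread(1024)
  outcome = begin
    ssl.sysread(1024) && :more_data
  rescue EOFError then :clean_eof                  # SSL_ERROR_ZERO_RETURN
  rescue OpenSSL::SSL::SSLError => e               # SSL_ERROR_SSL on OpenSSL 3
    e.message.match?(/unexpected eof/i) ? :unexpected_eof : :other
  end
  ssl.io.close
  [msg, outcome] # outcome is :clean_eof, :unexpected_eof, :other or :more_data
end
# Runs one scenario end to end on an ephemeral localhost port.
def run_scenario(orderly:, ignore_unexpected_eof:)
  cert, key = make_cert
  listener = TCPServer.new("127.0.0.1", 0)
  server = Thread.new { serve_once(listener, cert, key, orderly: orderly) }
  result = tls_client(listener.addr[1], ignore_unexpected_eof: ignore_unexpected_eof)
  server.join; listener.close
  result
end
```

The abrupt close without the option is the only combination that reports :unexpected_eof on OpenSSL 3; against 1.1.1 the same truncation surfaces as a clean EOF, the older behaviour the quoted OpenSSL reply describes.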
            danblack Daniel Black added a comment -

            Odd that our Debian sid builders use openssl-3.0.7 and run the same tests without error. Default security level maybe as I cautiously look at Debian patches.

            fundawang Funda Wang added a comment -

            No, I don't think the problem comes from the openssl side, because mariadb 10.6.8 w/openssl3 patch tests passed without any problems.

            danblack Daniel Black added a comment -

            It's only when --ssl is added to the mtr options that this shows up.

            https://github.com/mariadb-corporation/mariadb-connector-c/pull/222
            https://github.com/MariaDB/server/pull/2662
