[MDEV-30587] TLS/SSL error when executing tests Created: 2023-02-07  Updated: 2023-07-21

Status: Stalled
Project: MariaDB Server
Component/s: SSL, Tests
Affects Version/s: 10.6.12
Fix Version/s: 10.4

Type: Bug Priority: Minor
Reporter: Funda Wang Assignee: Daniel Black
Resolution: Unresolved Votes: 0
Labels: None
Environment:

Anolis OS 23, OpenSSL-3.0.7


Issue Links:
Duplicate
is duplicated by MDEV-31384 TLS/SSL errors after MariaDB-10.5.20 ... Closed

Description

When compiling mariadb 10.6.12 under Anolis OS (Fedora rawhide based), nine tests failed with "TLS/SSL error: unexpected eof while reading".

Build/test log of 10.6.12:
https://build.openanolis.cn/taskinfo?taskID=527534



Comments
Comment by Daniel Black [ 2023-02-07 ]

From openssl issue 18866:

Has the OpenSSL version been updated? OpenSSL 3 (a major release) changed some behaviour compared to 1.1.1 with respect to peers that fail to shut down a TLS connection cleanly.

Previously, if a peer unexpectedly shut down a connection, an OpenSSL IO function (such as SSL_read()) would report an error and SSL_get_error() would report SSL_ERROR_SYSCALL and errno would be 0. This was considered a bug in 1.1.1 (you should never get SSL_ERROR_SYSCALL but with errno as 0). However, fixing it in 1.1.1 broke some apps. We delayed the fix until the next major version (OpenSSL 3.0).

In OpenSSL 3.0 this error is now reported from SSL_get_error() as SSL_ERROR_SSL and the "unexpected eof while reading" error is put on the OpenSSL error stack. We also added a new option SSL_OP_IGNORE_UNEXPECTED_EOF which treats an unexpected EOF from the peer as if they had performed an orderly shutdown. See:

https://www.openssl.org/docs/man3.0/man3/SSL_set_options.html
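
As an added example (not code from MariaDB, Connector/C or the OpenSSL issue), the following Python uses the standard ssl module to show both sides of the change quoted above: applying SSL_OP_IGNORE_UNEXPECTED_EOF to a context when the OpenSSL 3 build exposes it, and recognising the unexpected-EOF condition from either OpenSSL generation so an application can choose to treat it as an orderly shutdown. The function names and the fallback behaviour are the example's own assumptions.

```python
import ssl

# OpenSSL 3 puts this reason on the error stack when the peer closes the TCP
# connection without sending close_notify. OpenSSL 1.1.1 reported the same
# event as SSL_ERROR_SYSCALL with errno 0, which Python raises as SSLEOFError.
UNEXPECTED_EOF_REASON = "UNEXPECTED_EOF_WHILE_READING"


def make_client_context(ignore_unexpected_eof: bool) -> ssl.SSLContext:
    """Build a client context, optionally with SSL_OP_IGNORE_UNEXPECTED_EOF set.

    ssl.OP_IGNORE_UNEXPECTED_EOF exists only when Python (3.10+) is linked
    against OpenSSL 3.x, so its absence is reported rather than ignored.
    """
    ctx = ssl.create_default_context()
    if ignore_unexpected_eof:
        flag = getattr(ssl, "OP_IGNORE_UNEXPECTED_EOF", None)
        if flag is None:
            raise RuntimeError("SSL_OP_IGNORE_UNEXPECTED_EOF needs OpenSSL 3.0+")
        ctx.options |= flag
    return ctx


def is_unexpected_eof(exc: BaseException) -> bool:
    """True if exc is the peer-closed-without-close_notify condition
    as reported by either OpenSSL generation."""
    if not isinstance(exc, ssl.SSLError):
        return False
    reason = getattr(exc, "reason", None) or ""
    return (isinstance(exc, ssl.SSLEOFError)
            or reason == UNEXPECTED_EOF_REASON
            or UNEXPECTED_EOF_REASON in str(exc))


def read_tolerating_truncation(tls_stream, bufsize: int = 4096) -> bytes:
    """Read from a TLS stream, treating an unexpected EOF as an orderly shutdown.

    Application-level equivalent of SSL_OP_IGNORE_UNEXPECTED_EOF for an
    endpoint that, like the quiet-shutdown path in this issue, has accepted
    the truncation-attack trade-off. Any other TLS error still propagates.
    """
    try:
        return tls_stream.read(bufsize)
    except ssl.SSLError as exc:
        if is_unexpected_eof(exc):
            return b""
        raise
```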

Comment by Daniel Black [ 2023-02-07 ]

9EOR9, this appears as Connector/C sets SSL_set_quiet_shutdown(ssl, 1); in ma_tls_close (libmariadb/secure/openssl.c), as does the server (vio/viossl.c).

vio/viossl.c describes us as immune to truncation attacks, so maybe we just need to add the option to both client and server.

Comment by Daniel Black [ 2023-02-07 ]

Odd that our Debian sid builders use openssl-3.0.7 and run the same tests without error. Default security level maybe as I cautiously look at Debian patches.

Comment by Funda Wang [ 2023-05-13 ]

No, I don't think the problem comes from the openssl side, because mariadb 10.6.8 w/ openssl3 patch tests passed without any problems.

Comment by Daniel Black [ 2023-06-05 ]

It's only when --ssl is added to the mtr options that this shows up.

https://github.com/mariadb-corporation/mariadb-connector-c/pull/222

https://github.com/MariaDB/server/pull/2662

Generated at Thu Feb 08 10:17:22 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.