From 6cfa1c397005dc9b2904da2934120d98fe451079 Mon Sep 17 00:00:00 2001
From: Sergey Kandaurov <pluknet@nginx.com>
Date: Thu, 12 May 2022 12:04:54 +0400
Subject: [PATCH] Using SSL_OP_IGNORE_UNEXPECTED_EOF.

A new behaviour was introduced in OpenSSL 1.1.1e, when a peer does not send
close_notify before closing the connection.  Previously, it was to return
SSL_ERROR_SYSCALL with errno 0, known since at least OpenSSL 0.9.7, and is
handled gracefully in unitd.  Now it returns SSL_ERROR_SSL with a distinct
reason SSL_R_UNEXPECTED_EOF_WHILE_READING ("unexpected eof while reading").
This leads to critical errors seen in nginx within various routines such as
SSL_do_handshake(), SSL_read(), SSL_shutdown().  The behaviour was restored
in OpenSSL 1.1.1f, but presents in OpenSSL 3.0 by default.

Use of the SSL_OP_IGNORE_UNEXPECTED_EOF option added in OpenSSL 3.0 allows
setting a compatible behaviour to return SSL_ERROR_ZERO_RETURN:
https://git.openssl.org/?p=openssl.git;a=commitdiff;h=09b90e0

See for additional details: https://github.com/openssl/openssl/issues/11381
---
 src/nxt_openssl.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/nxt_openssl.c b/src/nxt_openssl.c
index 38cf652d..e19b1381 100644
--- a/src/nxt_openssl.c
+++ b/src/nxt_openssl.c
@@ -326,6 +326,11 @@ nxt_openssl_server_init(nxt_task_t *task, nxt_mp_t *mp,
     SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION);
 #endif
 
+#ifdef SSL_OP_IGNORE_UNEXPECTED_EOF
+    /* Request SSL_ERROR_ZERO_RETURN on EOF. */
+    SSL_CTX_set_options(ctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
+#endif
+
 #ifdef SSL_MODE_RELEASE_BUFFERS
 
     if (nxt_openssl_version >= 10001078) {