rpms/nginx
6
0
Fork 1
Code Issues Pull Requests Releases Activity

Debrand for AlmaLinux

Browse Source
This commit is contained in:
Eduard Abdullin 2025-09-15 11:36:44 +00:00 committed by root
commit 457a17c92e
2 changed files with 48 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
SOURCES/0011-SSL-use-of-the-SSL_OP_IGNORE_UNEXPECTED_EOF-option.patch Normal file
View File

@ -0,0 +1,39 @@
From 633b8f4026a068f9fe30703469d1cdccdf14269c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= <luhliari@redhat.com>
Date: Thu, 24 Apr 2025 15:10:34 +0200
Subject: [PATCH] SSL: use of the SSL_OP_IGNORE_UNEXPECTED_EOF option.
A new behaviour was introduced in OpenSSL 1.1.1e, when a peer does not send
close_notify before closing the connection. Previously, it was to return
SSL_ERROR_SYSCALL with errno 0, known since at least OpenSSL 0.9.7, and is
handled gracefully in nginx. Now it returns SSL_ERROR_SSL with a distinct
reason SSL_R_UNEXPECTED_EOF_WHILE_READING ("unexpected eof while reading").
This leads to critical errors seen in nginx within various routines such as
SSL_do_handshake(), SSL_read(), SSL_shutdown(). The behaviour was restored
in OpenSSL 1.1.1f, but presents in OpenSSL 3.0 by default.
Use of the SSL_OP_IGNORE_UNEXPECTED_EOF option added in OpenSSL 3.0 allows
to set a compatible behaviour to return SSL_ERROR_ZERO_RETURN:
https://git.openssl.org/?p=openssl.git;a=commitdiff;h=09b90e0
---
src/event/ngx_event_openssl.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index 61ff868..fe6bd08 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -394,6 +394,10 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_CLIENT_RENEGOTIATION);
#endif
+#ifdef SSL_OP_IGNORE_UNEXPECTED_EOF
+ SSL_CTX_set_options(ssl->ctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
+#endif
+
#ifdef SSL_MODE_RELEASE_BUFFERS
SSL_CTX_set_mode(ssl->ctx, SSL_MODE_RELEASE_BUFFERS);
#endif
--
2.44.0

11
SPECS/nginx.spec
View File

@ -41,7 +41,7 @@
Name: nginx Name: nginx
Epoch: 2 Epoch: 2
Version: 1.20.1 Version: 1.20.1
Release: 22%{?dist}.alma.1 Release: 23%{?dist}.alma.1
Summary: A high performance web server and reverse proxy server Summary: A high performance web server and reverse proxy server
# BSD License (two clause) # BSD License (two clause)
@ -104,6 +104,9 @@ Patch9: 0010-Optimized-chain-link-usage.patch
# upstream patch - https://issues.redhat.com/browse/RHEL-78236 # upstream patch - https://issues.redhat.com/browse/RHEL-78236
Patch10: nginx-1.20.1-CVE-2025-23419.patch Patch10: nginx-1.20.1-CVE-2025-23419.patch
# upstream patch - https://issues.redhat.com/browse/RHEL-6786
Patch11: 0011-SSL-use-of-the-SSL_OP_IGNORE_UNEXPECTED_EOF-option.patch
BuildRequires: make BuildRequires: make
BuildRequires: gcc BuildRequires: gcc
BuildRequires: gnupg2 BuildRequires: gnupg2
@ -613,9 +616,13 @@ fi
%changelog %changelog
* Tue Mar 11 2025 Eduard Abdullin <eabdullin@almalinux.org> - 2:1.20.1-22.alma.1 * Mon Sep 15 2025 Eduard Abdullin <eabdullin@almalinux.org> - 2:1.20.1-23.alma.1
- Debrand for AlmaLinux - Debrand for AlmaLinux
* Thu Apr 24 2025 Luboš Uhliarik <luhliari@redhat.com> - 2:1.20.1-23
- Resolves: RHEL-6786 - SSL-errors 0A000126 / NS_NET_ERROR_PARTIAL_TRANSFER
at nginx with reverse-proxy
* Thu Feb 13 2025 Luboš Uhliarik <luhliari@redhat.com> - 2:1.20.1-22 * Thu Feb 13 2025 Luboš Uhliarik <luhliari@redhat.com> - 2:1.20.1-22
- Resolves: RHEL-78236 - nginx: TLS Session Resumption - Resolves: RHEL-78236 - nginx: TLS Session Resumption
Vulnerability (CVE-2025-23419) Vulnerability (CVE-2025-23419)