Debrand for AlmaLinux

2025-09-15 11:36:44 +00:00 · 2025-09-15 11:36:44 +00:00 · 457a17c92e
commit 457a17c92e
parent df858a5768 2f6d0963ab
2 changed files with 48 additions and 2 deletions
--- a/SOURCES/0011-SSL-use-of-the-SSL_OP_IGNORE_UNEXPECTED_EOF-option.patch
+++ b/SOURCES/0011-SSL-use-of-the-SSL_OP_IGNORE_UNEXPECTED_EOF-option.patch
@ -0,0 +1,39 @@
+From 633b8f4026a068f9fe30703469d1cdccdf14269c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= <luhliari@redhat.com>
+Date: Thu, 24 Apr 2025 15:10:34 +0200
+Subject: [PATCH] SSL: use of the SSL_OP_IGNORE_UNEXPECTED_EOF option.
+
+A new behaviour was introduced in OpenSSL 1.1.1e, when a peer does not send
+close_notify before closing the connection.  Previously, it was to return
+SSL_ERROR_SYSCALL with errno 0, known since at least OpenSSL 0.9.7, and is
+handled gracefully in nginx.  Now it returns SSL_ERROR_SSL with a distinct
+reason SSL_R_UNEXPECTED_EOF_WHILE_READING ("unexpected eof while reading").
+This leads to critical errors seen in nginx within various routines such as
+SSL_do_handshake(), SSL_read(), SSL_shutdown().  The behaviour was restored
+in OpenSSL 1.1.1f, but presents in OpenSSL 3.0 by default.
+
+Use of the SSL_OP_IGNORE_UNEXPECTED_EOF option added in OpenSSL 3.0 allows
+to set a compatible behaviour to return SSL_ERROR_ZERO_RETURN:
+https://git.openssl.org/?p=openssl.git;a=commitdiff;h=09b90e0
+---
+ src/event/ngx_event_openssl.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
+index 61ff868..fe6bd08 100644
+--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
+@@ -394,6 +394,10 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
+     SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_CLIENT_RENEGOTIATION);
+ #endif
+ 
+#ifdef SSL_OP_IGNORE_UNEXPECTED_EOF
+    SSL_CTX_set_options(ssl->ctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
+#endif
+
+ #ifdef SSL_MODE_RELEASE_BUFFERS
+     SSL_CTX_set_mode(ssl->ctx, SSL_MODE_RELEASE_BUFFERS);
+ #endif
+-- 
+2.44.0
+
--- a/SPECS/nginx.spec
+++ b/SPECS/nginx.spec
@ -41,7 +41,7 @@
 Name:              nginx
 Epoch:             2
 Version:           1.20.1
-Release:           22%{?dist}.alma.1
+Release:           23%{?dist}.alma.1

 Summary:           A high performance web server and reverse proxy server
 # BSD License (two clause)
@ -104,6 +104,9 @@ Patch9:            0010-Optimized-chain-link-usage.patch
 # upstream patch - https://issues.redhat.com/browse/RHEL-78236
 Patch10:           nginx-1.20.1-CVE-2025-23419.patch

+# upstream patch - https://issues.redhat.com/browse/RHEL-6786
+Patch11:           0011-SSL-use-of-the-SSL_OP_IGNORE_UNEXPECTED_EOF-option.patch
+
 BuildRequires:     make
 BuildRequires:     gcc
 BuildRequires:     gnupg2
@ -613,9 +616,13 @@ fi


 %changelog
-* Tue Mar 11 2025 Eduard Abdullin <eabdullin@almalinux.org> - 2:1.20.1-22.alma.1
+* Mon Sep 15 2025 Eduard Abdullin <eabdullin@almalinux.org> - 2:1.20.1-23.alma.1
 - Debrand for AlmaLinux

+* Thu Apr 24 2025 Luboš Uhliarik <luhliari@redhat.com> - 2:1.20.1-23
+- Resolves: RHEL-6786 - SSL-errors 0A000126 / NS_NET_ERROR_PARTIAL_TRANSFER
+  at nginx with reverse-proxy
+
 * Thu Feb 13 2025 Luboš Uhliarik <luhliari@redhat.com> - 2:1.20.1-22
 - Resolves: RHEL-78236 - nginx: TLS Session Resumption
  Vulnerability (CVE-2025-23419)