Bug 1625237 - openssl-1.1.1-0.pre8.2.fc29 regression in SSL_accept() with half-closed TCP connection
Summary: openssl-1.1.1-0.pre8.2.fc29 regression in SSL_accept() with half-closed TCP c...
Alias: None
Product: Fedora
Classification: Fedora
Component: openssl
Version: 29
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
URL: https://github.com/openssl/openssl/co...
Depends On:
TreeView+ depends on / blocked
Reported: 2018-09-04 13:05 UTC by Petr Pisar
Modified: 2018-09-26 20:20 UTC (History)
2 users (show)

Fixed In Version: openssl-1.1.1-0.pre9.1.fc29 openssl-1.1.1-3.fc29
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2018-09-26 20:20:34 UTC
Type: Bug

Attachments (Terms of Use)
Reproducer (10.27 KB, text/plain)
2018-09-04 13:05 UTC, Petr Pisar
no flags Details

System ID Private Priority Status Summary Last Updated
Github openssl openssl issues 6904 0 None closed How can a client write and shutdown TLS 1.3 so that server reads the sent data? 2020-10-13 11:39:12 UTC

Description Petr Pisar 2018-09-04 13:05:24 UTC
Created attachment 1480774 [details]

OpenSSL with TLS < 1.3 allows terminating a TLS connection with one-side TCP shutdown: Client performs SSL_connect(), SSL_write(), SSL_shutdown() and finishes with TCP shutdown(socket, SHUT_RDWR). Server performes SSL_accept, SSL_read() and finishes with SSL_read() returning SSL_ERROR_ZERO_RETURN.

This idiom does not work with OpenSSL 1.1.1 that defaults to TLSv1.3 because SSL_accept() also sends session tickets (see attached reproducer, nondeterministic):

$ ./a.out 
TCP connected.
TCP accepted.
SSL connected.
Client SSL_write returned 6
Client write finished.
Client shut down TLS session.
Client shut down TCP.
Server received 13 signal
SSL_accept failed ssl_err=5 errno=Broken pipe: 
Server process terminated normally with 1 exit code

This was reported in <https://github.com/openssl/openssl/issues/6904> and finally fixed with <https://github.com/openssl/openssl/commit/f273ff953abfafbb5fc4d68904469f862fbeae8a>:

commit f273ff953abfafbb5fc4d68904469f862fbeae8a (HEAD)
Author: Matt Caswell <matt>
Date:   Mon Aug 13 20:18:32 2018 +0100

    Ignore EPIPE when sending NewSessionTickets in TLSv1.3
    If a client sends data to a server and then immediately closes without
    waiting to read the NewSessionTickets then the server can receive EPIPE
    when trying to write the tickets and never gets the opportunity to read
    the data that was sent. Therefore we ignore EPIPE when writing out the
    tickets in TLSv1.3
    Fixes #6904
    Reviewed-by: Tim Hudson <tjh>
    (Merged from https://github.com/openssl/openssl/pull/6944)

Please apply the patch to Fedora's openssl package.

(We managed to work around it by disabling session tickets on server-side in various Perl tests, but a lot of unpatched code exists in wild. Also the workaround effectively kills session resumption and thus has performance impact. As such we do not consider the workaround as a final solution and we demand for applying the OpenSSL fix.)

Comment 1 Tomas Mraz 2018-09-04 13:24:15 UTC
There already is openssl-1.1.1-pre9 in the current Fedora 29 repositories.

Comment 2 Petr Pisar 2018-09-04 13:30:55 UTC
But the commit is newer than 1.1.1-pre9.

Comment 3 Tomas Mraz 2018-09-04 13:44:43 UTC
Ah, sorry, the commit is older but it was merged only very recently, I was mislead by the Aug 13 date above. The 1.1.1 final release is imminent, I'll update to it as soon as it is released.

Comment 4 Fedora Update System 2018-09-20 16:13:51 UTC
openssl-1.1.1-3.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-5c0108a088

Comment 5 Fedora Update System 2018-09-26 20:20:34 UTC
openssl-1.1.1-3.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.