Created attachment 1480774 [details]
Reproducer

OpenSSL with TLS < 1.3 allows terminating a TLS connection with a one-sided TCP shutdown: the client performs SSL_connect(), SSL_write(), SSL_shutdown() and finishes with TCP shutdown(socket, SHUT_RDWR). The server performs SSL_accept(), SSL_read() and finishes with SSL_read() returning SSL_ERROR_ZERO_RETURN.

This idiom does not work with OpenSSL 1.1.1, which defaults to TLSv1.3, because SSL_accept() also sends session tickets (see the attached reproducer, nondeterministic):

    $ ./a.out
    Client TCP connected.
    Server TCP accepted.
    SSL connected.
    Client SSL_write returned 6
    Client write finished.
    Client shut down TLS session.
    Client shut down TCP.
    Server received 13 signal
    SSL_accept failed ssl_err=5 errno=Broken pipe:
    Server process terminated normally with 1 exit code

This was reported in <https://github.com/openssl/openssl/issues/6904> and finally fixed with <https://github.com/openssl/openssl/commit/f273ff953abfafbb5fc4d68904469f862fbeae8a>:

    commit f273ff953abfafbb5fc4d68904469f862fbeae8a (HEAD)
    Author: Matt Caswell <matt>
    Date:   Mon Aug 13 20:18:32 2018 +0100

        Ignore EPIPE when sending NewSessionTickets in TLSv1.3

        If a client sends data to a server and then immediately closes without
        waiting to read the NewSessionTickets then the server can receive EPIPE
        when trying to write the tickets and never gets the opportunity to read
        the data that was sent. Therefore we ignore EPIPE when writing out the
        tickets in TLSv1.3

        Fixes #6904

        Reviewed-by: Tim Hudson <tjh>
        (Merged from https://github.com/openssl/openssl/pull/6944)

Please apply the patch to Fedora's openssl package.

(We managed to work around it by disabling session tickets on the server side in various Perl tests, but a lot of unpatched code exists in the wild. Also, the workaround effectively kills session resumption and thus has a performance impact. As such we do not consider the workaround a final solution and we demand that the OpenSSL fix be applied.)
There already is openssl-1.1.1-pre9 in the current Fedora 29 repositories.
But the commit is newer than 1.1.1-pre9.
Ah, sorry, the commit is older but it was merged only very recently; I was misled by the Aug 13 date above. The 1.1.1 final release is imminent, I'll update to it as soon as it is released.
openssl-1.1.1-3.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-5c0108a088
openssl-1.1.1-3.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.