summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--CHANGES7
-rw-r--r--NEWS4
-rw-r--r--doc/man3/SSL_get_error.pod12
3 files changed, 22 insertions, 1 deletions
diff --git a/CHANGES b/CHANGES
index ac6777eae8..bfd072965f 100644
--- a/CHANGES
+++ b/CHANGES
@@ -9,6 +9,13 @@
Changes between 1.1.1e and 1.1.1f [xx XXX xxxx]
+ *) Revert the change of EOF detection while reading in libssl to avoid
+ regressions in applications depending on the current way of reporting
+ the EOF. As the existing method is not fully accurate the change to
+ reporting the EOF via SSL_ERROR_SSL is kept on the current development
+ branch and will be present in the 3.0 release.
+ [Tomas Mraz]
+
*) Revised BN_generate_prime_ex to not avoid factors 3..17863 in p-1
when primes for RSA keys are computed.
Since we previously always generated primes == 2 (mod 3) for RSA keys,
diff --git a/NEWS b/NEWS
index 64722d5e92..056e46d137 100644
--- a/NEWS
+++ b/NEWS
@@ -7,12 +7,14 @@
Major changes between OpenSSL 1.1.1e and OpenSSL 1.1.1f [under development]
- o
+ o Revert the unexpected EOF reporting via SSL_ERROR_SSL
Major changes between OpenSSL 1.1.1d and OpenSSL 1.1.1e [17 Mar 2020]
o Fixed an overflow bug in the x64_64 Montgomery squaring procedure
used in exponentiation with 512-bit moduli (CVE-2019-1551)
+ o Properly detect unexpected EOF while reading in libssl and report
+ it via SSL_ERROR_SSL
Major changes between OpenSSL 1.1.1c and OpenSSL 1.1.1d [10 Sep 2019]
diff --git a/doc/man3/SSL_get_error.pod b/doc/man3/SSL_get_error.pod
index 97320a6c15..6ef6f7d4c5 100644
--- a/doc/man3/SSL_get_error.pod
+++ b/doc/man3/SSL_get_error.pod
@@ -155,6 +155,18 @@ connection and SSL_shutdown() must not be called.
=back
+=head1 BUGS
+
+The B<SSL_ERROR_SYSCALL> with B<errno> value of 0 indicates unexpected EOF from
+the peer. This will be properly reported as B<SSL_ERROR_SSL> with reason
+code B<SSL_R_UNEXPECTED_EOF_WHILE_READING> in the OpenSSL 3.0 release because
+it is truly a TLS protocol error to terminate the connection without
+a SSL_shutdown().
+
+The issue is kept unfixed in OpenSSL 1.1.1 releases because many applications
+which choose to ignore this protocol error depend on the existing way of
+reporting the error.
+
=head1 SEE ALSO
L<ssl(7)>
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-02 14:25:52 +0000