
Re: h2 broken in 2.4.36 with OpenSSL 1.1.1? Related to SSL_MODE_AUTO_RETRY?

Hi Stefan, Joe and all,

On 16.10.2018 at 11:15, Joe Orton wrote:
> On Mon, Oct 15, 2018 at 12:55:45PM +0200, Rainer Jung wrote:
>> I'm currently testing the following patch which looks OK wrt. test suite
>> results. Need to run more combinations (OpenSSL version client versus
>> server) though. Server with 1.1.1 and with 1.0.2p both look OK (including
>> the h2 tests). Maybe some cases could be folded together or be dropped, but
>> I tried to make the logic changes not too big. The SSL_ERROR_ZERO_RETURN part
>> is new, because without that we get an ssl:info log line AH01992 with error
>> 6 (SSL_ERROR_ZERO_RETURN) at the end of the response (at least with 1.1.1).
>
> Thanks a lot Rainer & Stefan, sorry I didn't follow through on that
> ticket/issue far enough.  Strike it down as another way that 1.1.1
> really is ABI-incompatible with <1.1.1 :(
>
> The change committed to ssl_engine_io.c makes sense to me. I wonder if
> mod_ssl should also handle SSL_ERROR_WANT_WRITE here as well. It will be
> clearly logged if that happens ("SSL library error 3 reading data") so
> we should find out anyway.

Thanks to you both for double checking.

I tried to keep the behavior change restricted to the observed problem, but yes, it might be that a more complete approach would cover more cases that we are just not aware of right now. It is just that I don't feel myself in a position for that more complete approach.

I will propose the current trunk change for 2.4 but any suggestions for improvements would be highly welcome. My testing currently at least shows no problems with the httpd test suite.