My biggest concern was that the value of SSL_OP_IGNORE_UNEXPECTED_EOF might change from OpenSSL 1.1.x to 3.0.x but it looks like it has the same value in all our packages (at least according to whatever I've got checked out at the moment):
$ rg 'define.*SSL_OP_IGNORE_UNEXPECTED_EOF'
openssl_3.0.3-0ubuntu1/include/openssl/ssl.h.in
335:# define SSL_OP_IGNORE_UNEXPECTED_EOF SSL_OP_BIT(7)
openssl_3.0.0-1ubuntu1/include/openssl/ssl.h.in
335:# define SSL_OP_IGNORE_UNEXPECTED_EOF SSL_OP_BIT(7)
openssl_3.0.2-0ubuntu1/include/openssl/ssl.h.in
335:# define SSL_OP_IGNORE_UNEXPECTED_EOF SSL_OP_BIT(7)
openssl_3.0.0-1ubuntu2/include/openssl/ssl.h.in
335:# define SSL_OP_IGNORE_UNEXPECTED_EOF SSL_OP_BIT(7)
openssl_3.0.1-0ubuntu1/include/openssl/ssl.h.in
335:# define SSL_OP_IGNORE_UNEXPECTED_EOF SSL_OP_BIT(7)
openssl_3.0.2-0ubuntu1.2/include/openssl/ssl.h.in
335:# define SSL_OP_IGNORE_UNEXPECTED_EOF SSL_OP_BIT(7)
openssl_3.0.3-5ubuntu2/include/openssl/ssl.h.in
335:# define SSL_OP_IGNORE_UNEXPECTED_EOF SSL_OP_BIT(7)
openssl_3.0.2-0ubuntu1.1/include/openssl/ssl.h.in
335:# define SSL_OP_IGNORE_UNEXPECTED_EOF SSL_OP_BIT(7)
It makes sense to me. A general-purpose webserver can't realistically know whatever every hosted application it runs will do with an improperly-terminated tls session: some might care a *lot*, some might not care at all, and most people just serve files with it and really don't care.
If upstream doesn't care to pass this along to the hosted applications, that's a strong vote for us doing the same.
Thanks