Comment 14 for bug 1981457

Seth Arnold (seth-arnold) wrote :

My biggest concern was that the value of SSL_OP_IGNORE_UNEXPECTED_EOF might change from OpenSSL 1.1.x to 3.0.x but it looks like it has the same value in all our packages (at least according to whatever I've got checked out at the moment):

$ rg 'define.*SSL_OP_IGNORE_UNEXPECTED_EOF'
openssl_3.0.3-0ubuntu1/include/openssl/ssl.h.in
335:# define SSL_OP_IGNORE_UNEXPECTED_EOF SSL_OP_BIT(7)

openssl_3.0.0-1ubuntu1/include/openssl/ssl.h.in
335:# define SSL_OP_IGNORE_UNEXPECTED_EOF SSL_OP_BIT(7)

openssl_3.0.2-0ubuntu1/include/openssl/ssl.h.in
335:# define SSL_OP_IGNORE_UNEXPECTED_EOF SSL_OP_BIT(7)

openssl_3.0.0-1ubuntu2/include/openssl/ssl.h.in
335:# define SSL_OP_IGNORE_UNEXPECTED_EOF SSL_OP_BIT(7)

openssl_3.0.1-0ubuntu1/include/openssl/ssl.h.in
335:# define SSL_OP_IGNORE_UNEXPECTED_EOF SSL_OP_BIT(7)

openssl_3.0.2-0ubuntu1.2/include/openssl/ssl.h.in
335:# define SSL_OP_IGNORE_UNEXPECTED_EOF SSL_OP_BIT(7)

openssl_3.0.3-5ubuntu2/include/openssl/ssl.h.in
335:# define SSL_OP_IGNORE_UNEXPECTED_EOF SSL_OP_BIT(7)

openssl_3.0.2-0ubuntu1.1/include/openssl/ssl.h.in
335:# define SSL_OP_IGNORE_UNEXPECTED_EOF SSL_OP_BIT(7)

It makes sense to me. A general-purpose webserver can't realistically know what every hosted application it runs will do with an improperly-terminated TLS session: some might care a *lot*, some might not care at all, and most people just serve files with it and really don't care.

If upstream doesn't care to pass this along to the hosted applications, that's a strong vote for us doing the same.

Thanks