Merge ~bryce/ubuntu/+source/nginx:fix-lp1981457-jammy into ubuntu/+source/nginx:ubuntu/jammy-devel

Proposed by Bryce Harrington
Status: Merged
Approved by: git-ubuntu bot
Approved revision: not available
Merged at revision: b77769fb2df154e358026cac3952511cf7794701
Proposed branch: ~bryce/ubuntu/+source/nginx:fix-lp1981457-jammy
Merge into: ubuntu/+source/nginx:ubuntu/jammy-devel
Diff against target: 77 lines (+55/-0)
3 files modified
debian/changelog (+8/-0)
debian/patches/series (+1/-0)
debian/patches/ssl-op-ignore-unexpected-eof-option.patch (+46/-0)
Reviewer Review Type Date Requested Status
git-ubuntu bot Approve
Andreas Hasenack Approve
Canonical Server Reporter Pending
Review via email: mp+429173@code.launchpad.net

Description of the change

SRUs a fix for an SSL bug in nginx that users are seeing often in production nginx error logs. See LP #1981457 for details.

PPA: https://launchpad.net/~bryce/+archive/ubuntu/nginx-fix-lp1981457

Andreas Hasenack (ahasenack) wrote :

I'll look at this.

Andreas Hasenack (ahasenack) wrote :

+1

patch is ok, headers are ok (bug is against openssl, not nginx, but it has the info we need)

In the changelog, I just wouldn't say "older clients". It's any client really that misbehaves. So perhaps just say "for clients that don't close ...". Totally up to you.

I was able to confirm the fix even, with the test case from the SRU.

I would just suggest to clarify that a bit. Here is what I did:

- install nginx-full and ssl-cert
- edit /etc/nginx/sites-enabled/default and uncomment both "listen" lines for 443, and the "include" line for snakeoil.conf
- restart nginx
- run the script:
#!/bin/bash
# Fire many requests at the local HTTPS listener per curl run and kill curl
# after 0.2s, so the TCP connection is torn down mid-transfer without a TLS
# close_notify; that is the condition that makes OpenSSL 3.0 report
# "unexpected eof while reading" to nginx.
URL="https://localhost"
while :; do
  timeout -s KILL 0.2s curl -v -k -K <(echo verbose;for i in {1..2000}; do echo url = "$URL"; echo -o /dev/null; done)
done

- in another terminal, tail -f /var/log/nginx/error.log and observe tons of SSL_READ() errors.
- with the updated package, these errors are gone

review: Approve
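A log check to go with the procedure above. This is an added example, not from the merge proposal or from nginx; the sample log lines are constructed to resemble nginx 1.18 error.log output when linked against OpenSSL 3.0, and the function names are assumptions of this example. It counts the "unexpected eof while reading" errors and breaks them down by the OpenSSL routine nginx was in, so the before/after comparison with the updated package can be made from error.log rather than by watching tail -f.

```bash
#!/bin/bash
# Added example, not part of the merge proposal: count the nginx error.log
# lines carrying OpenSSL 3.0's "unexpected eof while reading" reason, so the
# before/after state of the fix can be checked from the log rather than by
# eye. On a real host: count_unexpected_eof < /var/log/nginx/error.log
set -u

# Constructed sample of nginx error.log output (not captured from a real host):
# two lines with the OpenSSL 3.0 reason, one unrelated [crit], one [notice].
SAMPLE_LOG='2022/08/02 15:24:53 [crit] 1234#1234: *7 SSL_read() failed (SSL: error:0A000126:SSL routines::unexpected eof while reading) while waiting for request, client: 127.0.0.1, server: 0.0.0.0:443
2022/08/02 15:24:53 [notice] 1234#1234: signal process started
2022/08/02 15:24:54 [crit] 1234#1234: *9 SSL_do_handshake() failed (SSL: error:0A000126:SSL routines::unexpected eof while reading) while SSL handshaking, client: 127.0.0.1, server: 0.0.0.0:443
2022/08/02 15:24:55 [crit] 1234#1234: *11 SSL_do_handshake() failed (SSL: error:0A000417:SSL routines::sslv3 alert illegal parameter) while SSL handshaking, client: 127.0.0.1, server: 0.0.0.0:443'

# Count lines on stdin that carry the unexpected-EOF reason. grep -c exits 1
# when the count is 0, which is not an error here, so swallow that status.
count_unexpected_eof() {
    local n
    n=$(grep -c 'unexpected eof while reading') || true
    printf '%s\n' "$n"
}

# Summarise which OpenSSL routine nginx was in when the unexpected EOF hit
# (SSL_read, SSL_do_handshake, SSL_shutdown): one "<count> <routine>" line
# per routine, read from stdin.
unexpected_eof_by_routine() {
    grep 'unexpected eof while reading' \
        | sed -n 's/.* \(SSL_[A-Za-z_]*\)() failed .*/\1/p' \
        | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Demo when run directly:
printf '%s\n' "$SAMPLE_LOG" | count_unexpected_eof        # prints 2
printf '%s\n' "$SAMPLE_LOG" | unexpected_eof_by_routine   # one line per routine
```

With the unpatched package the count climbs while the curl loop runs; with the fixed package it should stay flat, because OpenSSL now reports the abrupt close as SSL_ERROR_ZERO_RETURN and nginx logs nothing.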
git-ubuntu bot (git-ubuntu-bot) wrote :

Approvers: bryce, ahasenack
Uploaders: bryce, ahasenack
MP auto-approved

review: Approve
Bryce Harrington (bryce) wrote :

Thanks, I've made those updates to the test case

Bryce Harrington (bryce) wrote (last edit):

$ grep "^Vcs-Git" "${changes_file}"
Vcs-Git: https://git.launchpad.net/~bryce/ubuntu/+source/nginx
Vcs-Git-Commit: b77769fb2df154e358026cac3952511cf7794701
Vcs-Git-Ref: refs/heads/fix-lp1981457-jammy
triage-jammy+22.04:~/pkg/Nginx/fix-lp1981457/nginx-gu-jammy$ dput ubuntu "${changes_file}"
D: Setting host argument.
Checking signature on .changes
gpg: ../nginx_1.18.0-6ubuntu14.2_source.changes: Valid signature from E603B2578FB8F0FB
Checking signature on .dsc
gpg: ../nginx_1.18.0-6ubuntu14.2.dsc: Valid signature from E603B2578FB8F0FB
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading nginx_1.18.0-6ubuntu14.2.dsc: done.
  Uploading nginx_1.18.0-6ubuntu14.2.debian.tar.xz: done.
  Uploading nginx_1.18.0-6ubuntu14.2_source.buildinfo: done.
  Uploading nginx_1.18.0-6ubuntu14.2_source.changes: done.
Successfully uploaded packages.

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index 8ac1551..79b7f8c 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,11 @@
6+nginx (1.18.0-6ubuntu14.2) jammy; urgency=medium
7+
8+ * d/p/ssl-op-ignore-unexpected-eof-option.patch: Add compatibility
9+ flag for certain clients that don't close their connection properly.
10+ (LP: #1981457)
11+
12+ -- Bryce Harrington <bryce@canonical.com> Tue, 02 Aug 2022 15:24:53 -0700
13+
14 nginx (1.18.0-6ubuntu14.1) jammy-security; urgency=medium
15
16 * SECURITY UPDATE: ALPACA TLS issue
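Review bot: the changelog bullet does not say when the new flag takes effect; the patch guards it with #ifdef SSL_OP_IGNORE_UNEXPECTED_EOF, so it only changes behaviour when nginx is built against an OpenSSL that defines the option (3.0, which is what jammy builds against), and the visible effect is that SSL_read()/SSL_do_handshake() errors for abruptly closed connections stop being logged. Suggest wording along the lines of "Set SSL_OP_IGNORE_UNEXPECTED_EOF (OpenSSL 3.0) so clients that close the TLS connection without close_notify are handled as a clean EOF instead of logging SSL_read() errors", which also addresses the "older clients" remark from review.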
17diff --git a/debian/patches/series b/debian/patches/series
18index 66b5b62..9ed2cf9 100644
19--- a/debian/patches/series
20+++ b/debian/patches/series
21@@ -6,3 +6,4 @@ nginx-fix-pidfile.patch
22 CVE-2021-23017-1.patch
23 CVE-2021-23017-2.patch
24 CVE-2021-3618.patch
25+ssl-op-ignore-unexpected-eof-option.patch
26diff --git a/debian/patches/ssl-op-ignore-unexpected-eof-option.patch b/debian/patches/ssl-op-ignore-unexpected-eof-option.patch
27new file mode 100644
28index 0000000..5d4b99d
29--- /dev/null
30+++ b/debian/patches/ssl-op-ignore-unexpected-eof-option.patch
31@@ -0,0 +1,46 @@
32+From 5155845ce4453a07d60e2ce43946c9181bc311fa Mon Sep 17 00:00:00 2001
33+From: Sergey Kandaurov <pluknet@nginx.com>
34+Date: Tue, 10 Aug 2021 23:43:17 +0300
35+Subject: [PATCH] SSL: use of the SSL_OP_IGNORE_UNEXPECTED_EOF option.
36+
37+A new behaviour was introduced in OpenSSL 1.1.1e, when a peer does not send
38+close_notify before closing the connection. Previously, it was to return
39+SSL_ERROR_SYSCALL with errno 0, known since at least OpenSSL 0.9.7, and is
40+handled gracefully in nginx. Now it returns SSL_ERROR_SSL with a distinct
41+reason SSL_R_UNEXPECTED_EOF_WHILE_READING ("unexpected eof while reading").
42+This leads to critical errors seen in nginx within various routines such as
43+SSL_do_handshake(), SSL_read(), SSL_shutdown(). The behaviour was restored
44+in OpenSSL 1.1.1f, but presents in OpenSSL 3.0 by default.
45+
46+Use of the SSL_OP_IGNORE_UNEXPECTED_EOF option added in OpenSSL 3.0 allows
47+to set a compatible behaviour to return SSL_ERROR_ZERO_RETURN:
48+https://git.openssl.org/?p=openssl.git;a=commitdiff;h=09b90e0
49+
50+See for additional details: https://github.com/openssl/openssl/issues/11381
51+
52+Origin: upstream, https://github.com/nginx/nginx/commit/5155845ce4453a07d60e2ce43946c9181bc311fa
53+Applied-Upstream: 1.21.2, 5155845ce4453a07d60e2ce43946c9181bc311fa
54+Bug: https://github.com/openssl/openssl/issues/11381
55+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/1981457
56+Reviewed-By: Bryce Harrington <bryce@canonical.com>
57+Last-Update: 2022-07-27
58+
59+---
60+ src/event/ngx_event_openssl.c | 4 ++++
61+ 1 file changed, 4 insertions(+)
62+
63+diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
64+index 72dd20649d..ce2a566cdd 100644
65+--- a/src/event/ngx_event_openssl.c
66++++ b/src/event/ngx_event_openssl.c
67+@@ -378,6 +378,10 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
68+ SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_CLIENT_RENEGOTIATION);
69+ #endif
70+
71++#ifdef SSL_OP_IGNORE_UNEXPECTED_EOF
72++ SSL_CTX_set_options(ssl->ctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
73++#endif
74++
75+ #ifdef SSL_MODE_RELEASE_BUFFERS
76+ SSL_CTX_set_mode(ssl->ctx, SSL_MODE_RELEASE_BUFFERS);
77+ #endif
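Review bot: the patch header should spell out the trade-off the option makes. With SSL_OP_IGNORE_UNEXPECTED_EOF set, a TCP close without close_notify returns SSL_ERROR_ZERO_RETURN, exactly as a clean close_notify does, so at the TLS layer a truncated stream is no longer distinguishable from a complete one; that is the pre-1.1.1e behaviour the header describes, and HTTP framing (Content-Length, chunked encoding) still detects a truncated body, but it is worth one sentence so a future reader does not take the flag for a pure log-noise fix. Also, the Bug: field points at the OpenSSL issue rather than an nginx ticket, which matches the origin of the behaviour change and is fine given Bug-Ubuntu carries the LP reference; the DEP-3 headers are otherwise complete (Origin, Applied-Upstream, Last-Update).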
