author | Ted Hess <thess@kitschensync.net> | 2023-08-17 18:20:54 -0400 |
committer | Ted Hess <thess@kitschensync.net> | 2023-08-21 16:01:11 -0400 |
commit | 2a71e17ca12341682430e587889d8fb7af58ae30 (patch) | |
tree | d948c65f26c90839eb1f081c75f0555c160b4434 /net | |
parent | 9c63068154a1d4ee22e9ae775546308f120b2ba2 (diff) |
Unbound: Silence SSL unexpected eof messages
Refs: https://github.com/NLnetLabs/unbound/issues/812
https://github.com/NLnetLabs/unbound/issues/846
This is a backport of: https://github.com/NLnetLabs/unbound/commit/d7e7761
and can be removed with the next release/update of the Unbound package
Signed-off-by: Ted Hess <thess@kitschensync.net>
Diffstat (limited to 'net')
-rw-r--r-- | net/unbound/Makefile | 2 | ||||
-rw-r--r-- | net/unbound/patches/200-remove-SSL-unexpected-eof-messages.patch | 37 |
2 files changed, 38 insertions, 1 deletions
diff --git a/net/unbound/Makefile b/net/unbound/Makefile
index 0620944cf..9626c4e29 100644
--- a/net/unbound/Makefile
+++ b/net/unbound/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=unbound
 PKG_VERSION:=1.17.1
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://nlnetlabs.nl/downloads/unbound
diff --git a/net/unbound/patches/200-remove-SSL-unexpected-eof-messages.patch b/net/unbound/patches/200-remove-SSL-unexpected-eof-messages.patch
new file mode 100644
index 000000000..3f7d62b40
--- /dev/null
+++ b/net/unbound/patches/200-remove-SSL-unexpected-eof-messages.patch
@@ -0,0 +1,37 @@
+--- a/util/net_help.c
++++ b/util/net_help.c
+@@ -1005,6 +1005,16 @@ listen_sslctx_setup(void* ctxt)
+ log_crypto_err("could not set cipher list with SSL_CTX_set_cipher_list");
+ }
+ #endif
++#if defined(SSL_OP_IGNORE_UNEXPECTED_EOF)
++ /* ignore errors when peers do not send the mandatory close_notify
++ * alert on shutdown.
++ * Relevant for openssl >= 3 */
++ if((SSL_CTX_set_options(ctx, SSL_OP_IGNORE_UNEXPECTED_EOF) &
++ SSL_OP_IGNORE_UNEXPECTED_EOF) != SSL_OP_IGNORE_UNEXPECTED_EOF) {
++ log_crypto_err("could not set SSL_OP_IGNORE_UNEXPECTED_EOF");
++ return 0;
++ }
++#endif
+
+ if((SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE) &
+ SSL_OP_CIPHER_SERVER_PREFERENCE) !=
+@@ -1233,6 +1243,17 @@ void* connect_sslctx_create(char* key, c
+ SSL_CTX_free(ctx);
+ return 0;
+ }
++#endif
++#if defined(SSL_OP_IGNORE_UNEXPECTED_EOF)
++ /* ignore errors when peers do not send the mandatory close_notify
++ * alert on shutdown.
++ * Relevant for openssl >= 3 */
++ if((SSL_CTX_set_options(ctx, SSL_OP_IGNORE_UNEXPECTED_EOF) &
++ SSL_OP_IGNORE_UNEXPECTED_EOF) != SSL_OP_IGNORE_UNEXPECTED_EOF) {
++ log_crypto_err("could not set SSL_OP_IGNORE_UNEXPECTED_EOF");
++ SSL_CTX_free(ctx);
++ return 0;
++ }
+ #endif
+ if(key && key[0]) {
+ if(!SSL_CTX_use_certificate_chain_file(ctx, pem)) { |
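Review bot: Setting SSL_OP_IGNORE_UNEXPECTED_EOF in both listen_sslctx_setup and connect_sslctx_create gives up OpenSSL 3's truncation detection — a peer, or anything on the path, closing the TCP connection without a close_notify alert is now reported as a clean EOF instead of an error — and the in-code comment only says it silences errors, not why that is acceptable. It presumably is acceptable here because DNS over TLS carries every message behind a two-byte length prefix, so a truncated message is still rejected by the DNS framing layer independently of close_notify; suggest saying so by extending the comment with `* Safe for DNS over TLS: the 2-byte message length prefix detects a truncated message even without close_notify.`. The patch file itself also carries no header naming its origin — it starts directly at `--- a/util/net_help.c` — so the "backport of upstream d7e7761, drop at the next update" information lives only in this commit message; a two-line description block at the top of the patch file would let the next maintainer see it when refreshing patches. Both enclosing functions begin and end outside the hunks.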