From cf077e79450c1d00f41284f894ee2a5a32c208ab Mon Sep 17 00:00:00 2001
From: Ted Hess
Date: Thu, 17 Aug 2023 18:20:54 -0400
Subject: [PATCH] Unbound: Silence SSL unexpected eof messages

Refs: https://github.com/NLnetLabs/unbound/issues/812 https://github.com/NLnetLabs/unbound/issues/846

This is a backport of: https://github.com/NLnetLabs/unbound/commit/d7e7761 and can be removed with the next release/update of the Unbound package

Signed-off-by: Ted Hess
(cherry picked from commit 2a71e17ca12341682430e587889d8fb7af58ae30)
---
 net/unbound/Makefile | 2 +-
 ...0-remove-SSL-unexpected-eof-messages.patch | 37 +++++++++++++++++++
 2 files changed, 38 insertions(+), 1 deletion(-)
 create mode 100644 net/unbound/patches/200-remove-SSL-unexpected-eof-messages.patch

diff --git a/net/unbound/Makefile b/net/unbound/Makefile
index 0620944cfa..9626c4e298 100644
--- a/net/unbound/Makefile
+++ b/net/unbound/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=unbound
 PKG_VERSION:=1.17.1
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://nlnetlabs.nl/downloads/unbound

diff --git a/net/unbound/patches/200-remove-SSL-unexpected-eof-messages.patch b/net/unbound/patches/200-remove-SSL-unexpected-eof-messages.patch
new file mode 100644
index 0000000000..3f7d62b401
--- /dev/null
+++ b/net/unbound/patches/200-remove-SSL-unexpected-eof-messages.patch
@@ -0,0 +1,37 @@
+--- a/util/net_help.c
++++ b/util/net_help.c
+@@ -1005,6 +1005,16 @@ listen_sslctx_setup(void* ctxt)
+ log_crypto_err("could not set cipher list with SSL_CTX_set_cipher_list");
+ }
+ #endif
++#if defined(SSL_OP_IGNORE_UNEXPECTED_EOF)
++ /* ignore errors when peers do not send the mandatory close_notify
++ * alert on shutdown.
++ * Relevant for openssl >= 3 */
++ if((SSL_CTX_set_options(ctx, SSL_OP_IGNORE_UNEXPECTED_EOF) &
++ SSL_OP_IGNORE_UNEXPECTED_EOF) != SSL_OP_IGNORE_UNEXPECTED_EOF) {
++ log_crypto_err("could not set SSL_OP_IGNORE_UNEXPECTED_EOF");
++ return 0;
++ }
++#endif
+ 
+ if((SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE) &
+ SSL_OP_CIPHER_SERVER_PREFERENCE) !=
+@@ -1233,6 +1243,17 @@ void* connect_sslctx_create(char* key, c
+ SSL_CTX_free(ctx);
+ return 0;
+ }
++#endif
++#if defined(SSL_OP_IGNORE_UNEXPECTED_EOF)
++ /* ignore errors when peers do not send the mandatory close_notify
++ * alert on shutdown.
++ * Relevant for openssl >= 3 */
++ if((SSL_CTX_set_options(ctx, SSL_OP_IGNORE_UNEXPECTED_EOF) &
++ SSL_OP_IGNORE_UNEXPECTED_EOF) != SSL_OP_IGNORE_UNEXPECTED_EOF) {
++ log_crypto_err("could not set SSL_OP_IGNORE_UNEXPECTED_EOF");
++ SSL_CTX_free(ctx);
++ return 0;
++ }
+ #endif
+ if(key && key[0]) {
+ if(!SSL_CTX_use_certificate_chain_file(ctx, pem)) {
-- 
2.30.2
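Review bot: SSL_OP_IGNORE_UNEXPECTED_EOF, set in both inner hunks (listen_sslctx_setup and connect_sslctx_create), turns off OpenSSL 3's detection of a TLS stream that ends without close_notify, so at the TLS layer a connection cut off by the peer or by something on the path is no longer distinguishable from a clean shutdown; the added comment says what is ignored but not why that is acceptable here. Presumably the justification is that DNS-over-TLS messages carry their own two-byte length prefix, so an incomplete reply is still rejected by the DNS layer — if that is the reasoning, record it so a later reader does not copy the option as a blanket default, e.g. extend the comment with `* Acceptable here because each DNS message is length-prefixed, so a truncated stream still surfaces as an incomplete message.` The .patch file itself carries no header; since the commit message says it is to be dropped at the next Unbound update, a leading line such as `Backport of upstream d7e7761 (issues 812/846); remove on next Unbound release` in the patch would keep that intent with the file rather than only in git history. Both patched functions begin outside the quoted hunks.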