SSL_conf_cmd: add support for IgnoreUnexpectedEOF
authorSteffen Nurpmeso <steffen@sdaoden.eu>
Thu, 19 Jan 2023 21:04:46 +0000 (22:04 +0100)
committerTomas Mraz <tomas@openssl.org>
Mon, 30 Jan 2023 08:37:00 +0000 (09:37 +0100)
CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20089)

doc/man3/SSL_CONF_cmd.pod
ssl/ssl_conf.c

index 3717c202bd6017898587317c230cef518f53d18f..b7555b54bf329f76d5b94c00a25e3958ca56aaa0 100644 (file)
@@ -569,6 +569,11 @@ B<SSL_OP_ENABLE_KTLS_TX_ZEROCOPY_SENDFILE>. This option only applies to Linux.
 KTLS sendfile on FreeBSD doesn't offer an option to disable zerocopy and
 always runs in this mode.
 
+B<IgnoreUnexpectedEOF>: Equivalent to B<SSL_OP_IGNORE_UNEXPECTED_EOF>.
+You should only enable this option if the protocol running over TLS can detect
+a truncation attack itself, and that the application is checking for that
+truncation attack.
+
 =item B<VerifyMode>
 
 The B<value> argument is a comma separated list of flags to set.
index b46b5f15d934f2ea1f51ffb4cea379fd4184993b..45c74119076a7fdb2f89998bf33e495db6e0ac39 100644 (file)
@@ -401,6 +401,7 @@ static int cmd_Options(SSL_CONF_CTX *cctx, const char *value)
         SSL_FLAG_TBL_INV("TxCertificateCompression", SSL_OP_NO_TX_CERTIFICATE_COMPRESSION),
         SSL_FLAG_TBL_INV("RxCertificateCompression", SSL_OP_NO_RX_CERTIFICATE_COMPRESSION),
         SSL_FLAG_TBL("KTLSTxZerocopySendfile", SSL_OP_ENABLE_KTLS_TX_ZEROCOPY_SENDFILE),
+        SSL_FLAG_TBL("IgnoreUnexpectedEOF", SSL_OP_IGNORE_UNEXPECTED_EOF),
     };
     if (value == NULL)
         return -3;
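Review bot: The new `IgnoreUnexpectedEOF` row in the flag table makes `SSL_OP_IGNORE_UNEXPECTED_EOF` settable from a configuration file, but nothing at the entry tells a maintainer that it differs in risk from the neighbouring performance and compression switches. With the option set, a connection closed without close_notify is treated as a clean shutdown, so an operator can enable it for an application that has no framing of its own to detect truncation. I would add a comment above the row, for example `/* Treats a missing close_notify as clean EOF; only safe if the application protocol detects truncation itself */`. The file list for this commit shows only the pod page and ssl_conf.c, so there appears to be no test that sets `Options = IgnoreUnexpectedEOF` and checks the resulting option bit; adding one would catch a typo in the keyword. The body of cmd_Options starts and ends outside this hunk.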