dnsdist: Ignore unclean TLS session shutdown 12237/head
authorRemi Gacogne <remi.gacogne@powerdns.com>
Fri, 25 Nov 2022 17:34:17 +0000 (18:34 +0100)
committerRemi Gacogne <remi.gacogne@powerdns.com>
Fri, 25 Nov 2022 17:34:17 +0000 (18:34 +0100)
OpenSSL 3.0 "helpfully" treats an unclean TLS session shutdown as an
error, flooding our logs and killing TLS session resumption. We do
not care about a possible "truncation attack" since we already know
how many bytes we are supposed to get, so we can ignore this.

pdns/libssl.cc
pdns/tcpiohandler.cc

index df523dafa28ac61c8a2053624d8da727f7a4f94c..4e22a4ead6f2160cbeaa79b0757c2149891b159a 100644 (file)
@@ -766,6 +766,10 @@ std::unique_ptr<SSL_CTX, void(*)(SSL_CTX*)> libssl_init_server_context(const TLS
 #endif
   }
 
+#ifdef SSL_OP_IGNORE_UNEXPECTED_EOF
+  sslOptions |= SSL_OP_IGNORE_UNEXPECTED_EOF;
+#endif
+
   SSL_CTX_set_options(ctx.get(), sslOptions);
   if (!libssl_set_min_tls_version(ctx, config.d_minTLSVersion)) {
     throw std::runtime_error("Failed to set the minimum version to '" + libssl_tls_version_to_string(config.d_minTLSVersion));
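Review bot: The added `sslOptions |= SSL_OP_IGNORE_UNEXPECTED_EOF;` turns off OpenSSL's truncation detection for every context that libssl_init_server_context builds, but the reason this is safe (the commit message's "we already know how many bytes we are supposed to get") is not recorded in the code, so a later caller that reuses such a context for a stream without its own length framing would silently lose that protection. I would put a comment above the `#ifdef`, such as `// An unclean TLS shutdown (no close_notify) is not an error for us: DNS messages over TLS are length-prefixed, so the caller detects truncation from the expected byte count. OpenSSL 3.0 would otherwise report the EOF as a failure, flooding the logs and breaking session resumption.` The same comment belongs on the second hunk in pdns/tcpiohandler.cc, where the flag is OR-ed into the option list; note that on OpenSSL builds where the macro is undefined both hunks are no-ops, which is presumably intended. libssl_init_server_context continues outside the hunk.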
index 79236eaeba579d72847d75728c8adfc87fcb72be..2049dee37f9e06e7bd4fd4b4ddd2046b2a026980 100644 (file)
@@ -625,6 +625,9 @@ public:
       SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION |
       SSL_OP_SINGLE_DH_USE |
       SSL_OP_SINGLE_ECDH_USE |
+#ifdef SSL_OP_IGNORE_UNEXPECTED_EOF
+      SSL_OP_IGNORE_UNEXPECTED_EOF |
+#endif
       SSL_OP_CIPHER_SERVER_PREFERENCE;
     if (!params.d_enableRenegotiation) {
 #ifdef SSL_OP_NO_RENEGOTIATION