From: Steffen Nurpmeso Date: Thu, 19 Jan 2023 21:04:46 +0000 (+0100) Subject: SSL_conf_cmd: add support for IgnoreUnexpectedEOF X-Git-Tag: openssl-3.2.0-alpha1~1362 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=51cf034433d528876f3c235c5150c5acfe88f24d;p=thirdparty%2Fopenssl.git SSL_conf_cmd: add support for IgnoreUnexpectedEOF CLA: trivial Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/20089) --- diff --git a/doc/man3/SSL_CONF_cmd.pod b/doc/man3/SSL_CONF_cmd.pod index 3717c202bd6..b7555b54bf3 100644 --- a/doc/man3/SSL_CONF_cmd.pod +++ b/doc/man3/SSL_CONF_cmd.pod @@ -569,6 +569,11 @@ B. This option only applies to Linux. KTLS sendfile on FreeBSD doesn't offer an option to disable zerocopy and always runs in this mode. +B: Equivalent to B. +You should only enable this option if the protocol running over TLS can detect +a truncation attack itself, and that the application is checking for that +truncation attack. + =item B The B argument is a comma separated list of flags to set. diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c index b46b5f15d93..45c74119076 100644 --- a/ssl/ssl_conf.c +++ b/ssl/ssl_conf.c @@ -401,6 +401,7 @@ static int cmd_Options(SSL_CONF_CTX *cctx, const char *value) SSL_FLAG_TBL_INV("TxCertificateCompression", SSL_OP_NO_TX_CERTIFICATE_COMPRESSION), SSL_FLAG_TBL_INV("RxCertificateCompression", SSL_OP_NO_RX_CERTIFICATE_COMPRESSION), SSL_FLAG_TBL("KTLSTxZerocopySendfile", SSL_OP_ENABLE_KTLS_TX_ZEROCOPY_SENDFILE), + SSL_FLAG_TBL("IgnoreUnexpectedEOF", SSL_OP_IGNORE_UNEXPECTED_EOF), }; if (value == NULL) return -3;
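Review bot: The added `SSL_FLAG_TBL("IgnoreUnexpectedEOF", SSL_OP_IGNORE_UNEXPECTED_EOF)` entry in the `cmd_Options` table lets a configuration file or command string turn off the missing-close_notify error, and the visible diff carries neither an in-code reminder of that trade-off nor a test. The person editing the configuration is often not the application author, so the caveat in the pod text may never reach whoever flips the switch for a protocol that has no message framing of its own. I would put a comment above the entry, for example `/* Peer close without close_notify is treated as clean EOF; only safe if the application protocol detects truncation itself */`. I would also add a test that sets `Options = IgnoreUnexpectedEOF` and checks that the option bit is set, and that the `-IgnoreUnexpectedEOF` form clears it again. `cmd_Options` starts before this hunk and continues past it, so how the table is matched and applied is not visible here.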