From 099749046c03c1c2ee8d7c83e0fb7f3a66f7c75e Mon Sep 17 00:00:00 2001
From: Remi Gacogne
Date: Fri, 25 Nov 2022 18:34:17 +0100
Subject: [PATCH] dnsdist: Ignore unclean TLS session shutdown

OpenSSL 3.0 "helpfully" treats an unclean TLS session shutdown as an error, flooding our logs and killing TLS session resumption. We do not care about a possible "truncation attack" since we already know how many bytes we are supposed to get, so we can ignore this.

---
 pdns/libssl.cc | 4 ++++
 pdns/tcpiohandler.cc | 3 +++
 2 files changed, 7 insertions(+)

diff --git a/pdns/libssl.cc b/pdns/libssl.cc
index df523dafa2..4e22a4ead6 100644
--- a/pdns/libssl.cc
+++ b/pdns/libssl.cc
@@ -766,6 +766,10 @@ std::unique_ptr libssl_init_server_context(const TLS
 #endif
 }
 
+#ifdef SSL_OP_IGNORE_UNEXPECTED_EOF
+ sslOptions |= SSL_OP_IGNORE_UNEXPECTED_EOF;
+#endif
+
 SSL_CTX_set_options(ctx.get(), sslOptions);
 if (!libssl_set_min_tls_version(ctx, config.d_minTLSVersion)) {
 throw std::runtime_error("Failed to set the minimum version to '" + libssl_tls_version_to_string(config.d_minTLSVersion));
diff --git a/pdns/tcpiohandler.cc b/pdns/tcpiohandler.cc
index 79236eaeba..2049dee37f 100644
--- a/pdns/tcpiohandler.cc
+++ b/pdns/tcpiohandler.cc
@@ -625,6 +625,9 @@ public:
 SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION |
 SSL_OP_SINGLE_DH_USE |
 SSL_OP_SINGLE_ECDH_USE |
+#ifdef SSL_OP_IGNORE_UNEXPECTED_EOF
+ SSL_OP_IGNORE_UNEXPECTED_EOF |
+#endif
 SSL_OP_CIPHER_SERVER_PREFERENCE;
 if (!params.d_enableRenegotiation) {
 #ifdef SSL_OP_NO_RENEGOTIATION
-- 
2.47.2
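Review bot: The new `sslOptions |= SSL_OP_IGNORE_UNEXPECTED_EOF;` in libssl_init_server_context switches off OpenSSL 3's detection of a peer dropping the TCP connection without a close_notify alert, and the reason that is acceptable for this code lives only in the commit message; the same applies to the `SSL_OP_IGNORE_UNEXPECTED_EOF |` line added to the option list in tcpiohandler.cc. A short comment at each site would stop the next reader from removing the flag, or from reusing the context for a protocol that depends on close_notify to detect truncation, e.g. `// Unclean TLS shutdown (no close_notify) is tolerated on purpose: DNS over TCP/TLS is length-prefixed, so a truncated stream is detected at the DNS layer`. The option is only defined on OpenSSL 3.0 and later, which the `#ifdef` guard already handles, so older builds need nothing further. libssl_init_server_context continues outside the hunk; if the same context is also handed to a path that is not length-framed (not determinable from the hunk), the framing argument should be re-checked there.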