From e8356bd6528c1fc66cfa83c70f4907f3d3640697 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Tue, 28 Aug 2018 16:43:24 +0200
Subject: [PATCH] Disable sessions tickets with OpenSSL 1.1.1
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This works around an OpenSSL SIGIPE issue causing server crash or
SSL_accept() failure.
CPAN RT#126976
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
lib/POE/Component/SSLify.pm | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/lib/POE/Component/SSLify.pm b/lib/POE/Component/SSLify.pm
index a12e7a9..d41bc8e 100644
--- a/lib/POE/Component/SSLify.pm
+++ b/lib/POE/Component/SSLify.pm
@@ -396,6 +396,17 @@ sub _createSSLcontext {
die_if_ssl_error( 'certificate' ) if ! $IGNORE_SSL_ERRORS;
}
+ # TLS 1.3 server sends session tickets after a handshake as part of
+ # the SSL_accept(). If a client finishes all its job including closing
+ # TCP connectino before a server sends the tickets, SSL_accept() fails
+ # with SSL_ERROR_SYSCALL and EPIPE errno and the server receives
+ # SIGPIPE signal. <https://github.com/openssl/openssl/issues/6904>,
+ # CPAN RT#126976.
+ if ( &Net::SSLeay::OPENSSL_VERSION_NUMBER >= 0x1010100f ) {
+ Net::SSLeay::CTX_set_num_tickets( $context, 0 );
+ die_if_ssl_error( 'disabling session tickets' ) if $IGNORE_SSL_ERRORS;
+ }
+
# All done!
return $context;
}
--
2.14.4