From e8356bd6528c1fc66cfa83c70f4907f3d3640697 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?=
Date: Tue, 28 Aug 2018 16:43:24 +0200
Subject: [PATCH] Disable sessions tickets with OpenSSL 1.1.1
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This works around an OpenSSL SIGIPE issue causing server crash or SSL_accept() failure. CPAN RT#126976
Signed-off-by: Petr Písař
---
 lib/POE/Component/SSLify.pm | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/lib/POE/Component/SSLify.pm b/lib/POE/Component/SSLify.pm
index a12e7a9..d41bc8e 100644
--- a/lib/POE/Component/SSLify.pm
+++ b/lib/POE/Component/SSLify.pm
@@ -396,6 +396,17 @@ sub _createSSLcontext {
 die_if_ssl_error( 'certificate' ) if ! $IGNORE_SSL_ERRORS;
 }
+ # TLS 1.3 server sends session tickets after a handshake as part of
+ # the SSL_accept(). If a client finishes all its job including closing
+ # TCP connectino before a server sends the tickets, SSL_accept() fails
+ # with SSL_ERROR_SYSCALL and EPIPE errno and the server receives
+ # SIGPIPE signal. ,
+ # CPAN RT#126976.
+ if ( &Net::SSLeay::OPENSSL_VERSION_NUMBER >= 0x1010100f ) {
+ Net::SSLeay::CTX_set_num_tickets( $context, 0 );
+ die_if_ssl_error( 'disabling session tickets' ) if $IGNORE_SSL_ERRORS;
+ }
+
 # All done!
 return $context;
 }
--
2.14.4
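Review bot: The error check after `Net::SSLeay::CTX_set_num_tickets( $context, 0 )` is guarded by `if $IGNORE_SSL_ERRORS`, the opposite of the `if ! $IGNORE_SSL_ERRORS` on the certificate check just above it. A failure to disable tickets is therefore reported only when errors are meant to be ignored, and passes silently in the default case. The line should read `die_if_ssl_error( 'disabling session tickets' ) if ! $IGNORE_SSL_ERRORS;`. The block is also gated only on the OpenSSL version number, so a Net::SSLeay build that lacks CTX_set_num_tickets would presumably make context creation die at runtime; adding `&& defined &Net::SSLeay::CTX_set_num_tickets` to the condition would avoid that. With the ticket count at 0, TLS 1.3 clients should no longer be able to resume sessions against any server context built here, which the comment could state as the accepted trade-off. _createSSLcontext begins outside the hunk.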