SSL Library Error: error:0A000126:SSL routines::unexpected eof while reading #22690
-
This usually happens when the remote peer abruptly shuts down the connection without sending a "close_notify" alert which is what you are supposed to do. 1.1.1 and earlier treated this incorrectly. In such a case SSL_read() would fail and So, this behaviour on behalf of the peer has probably always been there, but you are just noticing it now because how OpenSSL reacts to it has changed.

One option for dealing with this is to set the https://www.openssl.org/docs/man3.1/man3/SSL_set_options.html This causes OpenSSL to treat an unexpected eof as if the peer had closed down gracefully - but make sure you read the docs above around truncation attacks.

If you have control over the remote peer, then another option is to change the remote peer so that it closes down connections gracefully.
-
Thanks Matt for your response. Where is this setting required? Is it in any of the config files? Please suggest. Thanks and regards, Vinay9008855944
-
If this is in your own application, then you can modify it to call Otherwise it is possible to set this via the OpenSSL config file. A minimal OpenSSL config file to turn this option on might look like this (untested):
-
Thanks Matt. I changed the file openssl-3.1.2/apps/openssl.cnf. The other .cnf files were in demo and test dirs and I ignored them. I added the options line as below. I’ve built the rpm and testing is in progress. I think this is what you suggested. I’ll keep you posted. Thanks again for your guidance.
-
Better is just to modify the installed config file rather than change it in the source. Or create a whole new OpenSSL config file specific for your application. Before starting your application ensure the
-
Hi Matt, we tried the changes in the installed config file, restarted the httpd service which uses this openssl and are getting the same errors. We added these as suggested.
````
openssl_conf = default_conf
[ default_conf ]
ssl_conf = ssl_sect
[ssl_sect]
system_default = ssl_default_sect
[ssl_default_sect]
Options = SSL_OP_IGNORE_UNEXPECTED_EOF
````
The .cnf file also has this entry:
````
# Use this in order to automatically load providers.
openssl_conf = openssl_init
````
We tried with both openssl_init and default_conf values for openssl_conf. Is there any way we can echo the value used for options to confirm that our settings are taken into account? Please suggest. Thanks, Vinay9008855944
-
If you are still seeing the errors then the config option did not take effect. This could be for one of three reasons that I can think of:
For (1) you can zip the config file and attach it here if you like. I can take a look to see if it seems sane.

For (2) I am assuming you are using the "system" OpenSSL installation and you are modifying the system OpenSSL config file. You should check whether the application is using the system OpenSSL or its own one. You might also want to check whether the application has some custom

For (3) you would have to raise an issue with whoever supplied your application.
-
I’ve attached the cnf file. The changes are from line 39. Pls note that on line 17 I’ve commented the “openssl_conf = “ line as it’s repeated after line 39.

This is an overview of our current appln. I generate the openssl rpm, with changes related to our app path. I then generate the apache httpd related rpm pointing to this new openssl. When the httpd service is started for our webservices framework, the errors are noted. Pls let me know if you need any more details. Thanks, Vinay9008855944
-
Hi Matt, did you get a chance to review the .cnf file? Pls suggest corrections if possible. We’ve noted this additional error in the log.

Additional Information

Errors : index="ent" "SSL library error 1 in handshake" "ws. auth.com:443"

Customer getting following errors

TC_HttpCommunication::process()[TC_HttpCommunication.cpp:934]:## Error : The connection with the server has been reset or terminated, or an incompatible SSL protocol was encountered. For example, WinHTTP version 5.1 does not support SSL2 unless the client specifically enables it

Thanks, Vinay9008855944
-
@vinay-mummadi-digicert unfortunately your two last comments which you posted by e-mail are practically illegible due to formatting issues. Please do not use e-mail or possibly this particular e-mail client as it completely messes up the formatting and it is completely unclear what is the new text you've posted and what is the original comment you're replying to.
-
Understood. I'll start posting in the ticket. I've added both mails 1 and 2 here.

Part 1: I’ve attached the cnf file.

Part 2: We’ve noted this additional error in the log.

Additional Information

Errors : index="ent" "SSL library error 1 in handshake" "ws. auth.com:443"

Customer getting following errors

TC_HttpCommunication::process()[TC_HttpCommunication.cpp:934]:## Error : The connection with the server has been reset or terminated, or an incompatible SSL protocol was encountered. For example, WinHTTP version 5.1 does not support SSL2 unless the client specifically enables it

Thanks, Vinay
-
The config file is not quite right. You've pasted the "openssl_conf =" line into the "[ new_oids ]" section - so it won't get noticed. You need to move all the stuff you pasted in from line 39 to be at line 32 instead.
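The two configuration pitfalls seen in this thread, as an added example that is not part of the original discussion or of OpenSSL's own tooling: a small Python lint that follows the `openssl_conf` -> `ssl_conf` -> `system_default` chain from the default (unnamed) section and checks that `Options` uses the `SSL_CONF_cmd(3)` flag name `IgnoreUnexpectedEOF` rather than the C macro name. The sample configs are constructed, and the parser is a simplification (no includes, variables or quoting).

```python
import re

# Constructed sample: a config in which the option chain is intact.
FIXED = """\
openssl_conf = default_conf
[ default_conf ]
ssl_conf = ssl_sect
[ssl_sect]
system_default = ssl_default_sect
[ssl_default_sect]
Options = IgnoreUnexpectedEOF
"""
# Mistake 1: the same lines pasted below a section header, so that
# "openssl_conf" lands inside [ new_oids ] instead of the default section.
MISPLACED = "[ new_oids ]\n" + FIXED
# Mistake 2: the C macro name used where the config flag name is expected.
WRONG_NAME = FIXED.replace("IgnoreUnexpectedEOF", "SSL_OP_IGNORE_UNEXPECTED_EOF")

def parse(text):
    """Return {section: {key: value}}; lines before any [header] go to 'default'."""
    sections, current = {"default": {}}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        header = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if header:
            current = header.group(1)            # "[ name ]" and "[name]" are equal
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections

def check_ignore_eof(text):
    """Walk openssl_conf -> ssl_conf -> system_default and inspect Options."""
    conf = parse(text)
    section = "default"
    for key in ("openssl_conf", "ssl_conf", "system_default"):
        target = conf.get(section, {}).get(key)
        if target is None or target not in conf:
            return f"broken chain: '{key}' not usable in [{section}]"
        section = target
    flags = [f.strip().lstrip("+") for f in conf[section].get("Options", "").split(",")]
    if "IgnoreUnexpectedEOF" in flags:
        return "ok"
    return f"Options lacks IgnoreUnexpectedEOF: {flags}"

if __name__ == "__main__":
    for name in ("FIXED", "MISPLACED", "WRONG_NAME"):
        print(name, "->", check_ignore_eof(globals()[name]))
```

A passing lint only shows the file is well formed; the process must still load that file, and with the option active the application protocol has to detect truncation itself.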
-
I moved the content to above "[ new_oids ]". We're observing the same error. Any other changes to try, please suggest.
-
Having a similar issue connecting to a sql server from a dockerized container with Debian 12 and OpenSSL 3.0.11
-
I'm having the same issue on Ubuntu 22.04
````
openssl version -a
OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
````
It seems like the

I tried to run this from the command line:

this fails as well:

from what I can tell, at least for me, this only happens connecting to github. Any ideas/help would be GREATLY appreciated.
-
Hi team, we have been facing this error after upgrading to openssl 3.1.2. Earlier we were on openssl 1.1.1u and it was stable. These are the details from the log.
As we're stuck, I'm posting it in the QnA section.
Please suggest. Please let me know if you need any additional information on this. Thanks.