Search
Items tagged with: OpenSSL
There are TLS servers that don't send the required close_notify alert message in certain conditions. #Google web servers do this if they think the that recipient isn't interested about the message body and no connection keep alive is set. Examples of such connections would be requests that end up with 0 byte message body while:
• HTTP/1.0 without "Connection: keep-alive" header or
• HTTP/1.1 with "Connection: close" header
This can cause some complications since #OpenSSL 3 defaults to erroring out if the close_notify is missing.
SSL_OP_IGNORE_UNEXPECTED_EOF option was added to enable talking to these non-compliant servers. Enabling this option removes truncation attack protection - so this option should really only be used when absolutely necessary. However, unless if you control the servers being talked to, you probably need to enable this option for now.
So why does Google terminate connections without close_notify? Likely it is done to save some resources when tearing down TLS connections. If you have billions of connections going on all the time, even some small savings add up quickly.
https://github.com/php/php-src/issues/8369
OpenSSL 3: Support of SSL_OP_IGNORE_UNEXPECTED_EOF context option · Issue #8369 · php/php-src
Description OpenSSL became more strict about unexpected EOF (not sending close notify) in 1.1.1e but reverted that change in 1.1.1f due to the huge amount of non-compliant servers. With the new maj...GitHub
Building #curl using #OpenSSL 3.2 #QUIC?
https://github.com/curl/curl/discussions/12425
Building libcurl using OpenSSL 3.2 QUIC? · curl/curl · Discussion #12425
Hello, are there any plans to build libcurl with OpenSSL v3.2's new QUIC API? OpenSSL v3.2 was officially released 11/23 (which supports QUIC client capabilities). In this way, libcurl doesn't need...GitHub
Quick set up guide for Encrypted Client Hello (ECH)
The Encrypted Client Hello (ECH) mechanism draft-spec is a way to plug a few privacy-holes that remain in the Transport Layer Security (TLS) protocol that’s used as the security layer for the web.jochensp (https://guardianproject.info)
The "#OpenSSL situation" will still make it tricky for ordinary people to enable HTTP/3.
As I blogged already two years ago: https://daniel.haxx.se/blog/2021/10/25/the-quic-api-openssl-will-not-provide/
"The #OpenSSL project really seems to be in a dead end for me, it's incompatible with #QUIC and unfixable performance-wise" / Willy Tarreau
https://mailarchive.ietf.org/arch/msg/quic/zur-ripWUGsbllG5UxZHUpUpWyM/
Re: QUIC (mostly) on top of OpenSSL without patches
Search IETF mail list archivesmailarchive.ietf.org
https://marc.info/?l=openbsd-ports-cvs&m=166731803502387&w=2
