OpenSSL 3: Support of SSL_OP_IGNORE_UNEXPECTED_EOF context option

[nrueckmann]

Description

OpenSSL became more strict about unexpected EOF (not sending close notify) in 1.1.1e but reverted that change in 1.1.1f due to the huge amount of non-compliant servers. With the new major release 3.0.0 it came back. See openssl/openssl#11378 for more details.

Unfortunately, the situation of non-compliant servers did not change. And with OpenSSL 3 being the default version of Ubuntu 22.04 (and other distributions) the issue will raise more frequently.

I propose to add a new SSL context option ignore_unexpected_eof to set the SSL_OP_IGNORE_UNEXPECTED_EOF bit.

Documentation: https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_options.html#SSL_OP_IGNORE_UNEXPECTED_EOF

[nrueckmann]

Example of an non-compliant server:

www-data@4e07da05c0ce:~/html$ php -r "echo file_get_contents('https://chromedriver.storage.googleapis.com/LATEST_RELEASE', false, stream_context_create());"
PHP Warning:  file_get_contents(): SSL operation failed with code 1. OpenSSL Error messages:
error:0A000126:SSL routines::unexpected eof while reading in Command line code on line 1
PHP Warning:  file_get_contents(): SSL: Success in Command line code on line 1

[cmb69]

Yeah, this issue already came up as https://bugs.php.net/bug.php?id=79589, and needs to be addressed.

@bukka, thoughts?

[nrueckmann]

Thank you for your response. Sorry for not checking bugs.php.net. I've only searched github for this issue.

[cmb69]

Sorry for not checking bugs.php.net.

That's totally fine. :)

[kocoten1992]

upgraded to ubuntu 22.04 today and run into this error 👍

file_put_contents(): SSL operation failed with code 1. OpenSSL Error messages:  
  error:0A000126:SSL routines::unexpected eof while reading

[bukka]

I have got this quite high on my TODO list so hopefully it won't take me too long to pick this up. I think that flag might be the best option but it will also need a test which will be probably hardest part on this fix.

[bukka]

Although maybe not the best idea to always add that option as it can potentially lead to the truncation attack so we might just make it optional somehow. Will need to think about it when I get to it.

[nrueckmann]

Although maybe not the best idea to always add that option as it can potentially lead to the truncation attack so we might just make it optional somehow. Will need to think about it when I get to it.

That's the feature request i've tried to describe. Having an option which can be (optionally) passed to the context. Same like we are doing with all other options (https://www.php.net/manual/en/context.ssl.php).