From: Ted Hess <thess@kitschensync.net>
Date: Thu, 17 Aug 2023 22:20:54 +0000 (-0400)
Subject: Unbound: Silence SSL unexpected eof messages
X-Git-Url: http://git.openwrt.org/?p=feed%2Fpackages.git;a=commitdiff_plain;h=2a71e17ca12341682430e587889d8fb7af58ae30

Unbound: Silence SSL unexpected eof messages

Refs: https://github.com/NLnetLabs/unbound/issues/812
      https://github.com/NLnetLabs/unbound/issues/846

This is a backport of: https://github.com/NLnetLabs/unbound/commit/d7e7761
and can be removed with the next release/update of the Unbound package

Signed-off-by: Ted Hess <thess@kitschensync.net>
---

diff --git a/net/unbound/Makefile b/net/unbound/Makefile
index 0620944cfa..9626c4e298 100644
--- a/net/unbound/Makefile
+++ b/net/unbound/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=unbound
 PKG_VERSION:=1.17.1
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://nlnetlabs.nl/downloads/unbound
diff --git a/net/unbound/patches/200-remove-SSL-unexpected-eof-messages.patch b/net/unbound/patches/200-remove-SSL-unexpected-eof-messages.patch
new file mode 100644
index 0000000000..3f7d62b401
--- /dev/null
+++ b/net/unbound/patches/200-remove-SSL-unexpected-eof-messages.patch
@@ -0,0 +1,37 @@
+--- a/util/net_help.c
++++ b/util/net_help.c
+@@ -1005,6 +1005,16 @@ listen_sslctx_setup(void* ctxt)
+ 			log_crypto_err("could not set cipher list with SSL_CTX_set_cipher_list");
+ 	}
+ #endif
++#if defined(SSL_OP_IGNORE_UNEXPECTED_EOF)
++	/* ignore errors when peers do not send the mandatory close_notify
++	 * alert on shutdown.
++	 * Relevant for openssl >= 3 */
++	if((SSL_CTX_set_options(ctx, SSL_OP_IGNORE_UNEXPECTED_EOF) &
++		SSL_OP_IGNORE_UNEXPECTED_EOF) != SSL_OP_IGNORE_UNEXPECTED_EOF) {
++		log_crypto_err("could not set SSL_OP_IGNORE_UNEXPECTED_EOF");
++		return 0;
++	}
++#endif
+ 
+ 	if((SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE) &
+ 		SSL_OP_CIPHER_SERVER_PREFERENCE) !=
+@@ -1233,6 +1243,17 @@ void* connect_sslctx_create(char* key, c
+ 		SSL_CTX_free(ctx);
+ 		return 0;
+ 	}
++#endif
++#if defined(SSL_OP_IGNORE_UNEXPECTED_EOF)
++	/* ignore errors when peers do not send the mandatory close_notify
++	 * alert on shutdown.
++	 * Relevant for openssl >= 3 */
++	if((SSL_CTX_set_options(ctx, SSL_OP_IGNORE_UNEXPECTED_EOF) &
++		SSL_OP_IGNORE_UNEXPECTED_EOF) != SSL_OP_IGNORE_UNEXPECTED_EOF) {
++		log_crypto_err("could not set SSL_OP_IGNORE_UNEXPECTED_EOF");
++		SSL_CTX_free(ctx);
++		return 0;
++	}
+ #endif
+ 	if(key && key[0]) {
+ 		if(!SSL_CTX_use_certificate_chain_file(ctx, pem)) {