openssl: SSL_read() failed (SSL: error:0A000126:SSL routines::unexpected eof while reading)

Hello, 2-3 weeks ago I started getting errors from my website based on Laravel: (image) I can’t find any reason or solution for this error. OS: Ubuntu 22.04 LTS

php -v: PHP 8.1.2 (cli) (built: Jun 13 2022 13:52:54) (NTS) Copyright © The PHP Group Zend Engine v4.1.2, Copyright © Zend Technologies with Zend OPcache v8.1.2, Copyright ©, by Zend Technologies

openssl version -a: OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)

nginx -v: nginx version: nginx/1.18.0 (Ubuntu)

SSL certificate from Let’s Encrypt via certbot

About this issue

  • State: closed
  • Created 2 years ago
  • Reactions: 6
  • Comments: 18 (3 by maintainers)

Most upvoted comments

Has the OpenSSL version been updated? OpenSSL 3 (a major release) changed some behaviour compared to 1.1.1 with respect to peers that fail to shut down a TLS connection cleanly.

Previously, if a peer unexpectedly shut down a connection an OpenSSL IO function (such as SSL_read()) would report an error and SSL_get_error() would report SSL_ERROR_SYSCALL and errno would be 0. This was considered a bug in 1.1.1 (you should never get SSL_ERROR_SYSCALL but with errno as 0). However, fixing it in 1.1.1 broke some apps. We delayed the fix until the next major version (OpenSSL 3.0).

In OpenSSL 3.0 this error is now reported from SSL_get_error() as SSL_ERROR_SSL and the unexpected eof while reading error is put on the OpenSSL error stack. We also added a new option SSL_OP_IGNORE_UNEXPECTED_EOF which treats an unexpected EOF from the peer as if they had performed an orderly shutdown. See:

https://www.openssl.org/docs/man3.0/man3/SSL_set_options.html

Hi,

Updating nginx resolved the problem for me. Ubuntu’s default nginx version, 1.18, is old. The newest version is 1.22.

https://askubuntu.com/questions/1389719/install-nginx-1-20-2-on-ubuntu-20-04

http://nginx.org/en/CHANGES-1.22

Hope this may help you.

There really isn’t a solution; these are spammers/scammers/hackers trying to infiltrate your server by sending malformed connections. You need to look at a WAF / Web Application Firewall to filter and block these from even getting to your web server.

I don’t follow, I mean we get this error when sending requests, not when receiving or something.

I got these errors with Apache2 …

[Sun Sep 04 13:44:07.303103 2022] [ssl:info] [pid 86541] (70014)End of file found: [client 213.216.205.177:60718] AH02008: SSL library error 1 in handshake (server thesite.fi:443)
[Sun Sep 04 13:44:07.303116 2022] [ssl:info] [pid 86541] SSL Library Error: error:0A000126:SSL routines::unexpected eof while reading

openssl version -a

OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
built on: Mon Jul 4 11:20:23 2022 UTC
platform: debian-amd64
options: bn(64,64)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -Wa,--noexecstack -g -O2 -ffile-prefix-map=/build/openssl-Q8dQt3/openssl-3.0.2=. -flto=auto -ffat-lto-objects -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_TLS_SECURITY_LEVEL=2 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
OPENSSLDIR: "/usr/lib/ssl"
ENGINESDIR: "/usr/lib/x86_64-linux-gnu/engines-3"
MODULESDIR: "/usr/lib/x86_64-linux-gnu/ossl-modules"
Seeding source: os-specific
CPUINFO: OPENSSL_ia32cap=0x7ffaf3bfffebffff:0x29c67af

lsb_release -a

No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 22.04 LTS
Release: 22.04
Codename: jammy

apache2 -V

Server version: Apache/2.4.52 (Ubuntu)
Server built: 2022-06-14T12:30:21
Server's Module Magic Number: 20120211:121
Server loaded: APR 1.7.0, APR-UTIL 1.6.1
Compiled using: APR 1.7.0, APR-UTIL 1.6.1
Architecture: 64-bit
Server MPM:
Server compiled with…
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_PROC_PTHREAD_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=256
 -D HTTPD_ROOT="/etc/apache2"
 -D SUEXEC_BIN="/usr/lib/apache2/suexec"
 -D DEFAULT_PIDLOG="/var/run/apache2.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="mime.types"
 -D SERVER_CONFIG_FILE="apache2.conf"

I got letsencrypt’s certs, they are ok. Just updated by force.
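
Added example (not part of the thread and not OpenSSL, nginx or Apache code): a Python triage pass over error-log lines that decodes the OpenSSL 3.x packed error code and counts unexpected-EOF events per client, so a single misbehaving peer can be told apart from broad internet noise. The sample lines, the function names and the nginx line layout are assumptions constructed for illustration; the Apache layout follows the two log lines quoted above.

```python
import re
from collections import Counter

# (ERR_LIB_SSL, SSL_R_UNEXPECTED_EOF_WHILE_READING) from the OpenSSL 3.x headers.
UNEXPECTED_EOF = (20, 294)

ERR_CODE = re.compile(r"error:([0-9A-Fa-f]{8}):")
APACHE_PID = re.compile(r"\[pid (\d+)\]")
APACHE_CLIENT = re.compile(r"\[client (.+?):\d+\]")
NGINX_CLIENT = re.compile(r"client: ([^,\s]+)")

# Constructed sample lines (documentation IP ranges); not taken from the thread.
SAMPLE_LINES = [
    "2022/09/04 13:40:01 [crit] 1201#1201: *88 SSL_read() failed (SSL: error:0A000126:SSL routines::unexpected eof while reading) while keepalive, client: 203.0.113.7, server: 0.0.0.0:443",
    "2022/09/04 13:40:09 [crit] 1201#1201: *91 SSL_read() failed (SSL: error:0A000126:SSL routines::unexpected eof while reading) while keepalive, client: 203.0.113.7, server: 0.0.0.0:443",
    "[Sun Sep 04 13:44:07.303103 2022] [ssl:info] [pid 4242] (70014)End of file found: [client 198.51.100.23:60718] AH02008: SSL library error 1 in handshake (server example.test:443)",
    "[Sun Sep 04 13:44:07.303116 2022] [ssl:info] [pid 4242] SSL Library Error: error:0A000126:SSL routines::unexpected eof while reading",
    "2022/09/04 13:45:30 [info] 1201#1201: *97 SSL_do_handshake() failed (SSL: error:0A000416:SSL routines::sslv3 alert certificate unknown:SSL alert number 46) while SSL handshaking, client: 192.0.2.9, server: 0.0.0.0:443",
]

def decode(code_hex):
    """Split an OpenSSL 3.x packed error code into (library, reason)."""
    code = int(code_hex, 16)
    # Library number sits in bits 23..30, reason in bits 0..22.
    return (code >> 23) & 0xFF, code & 0x7FFFFF

def unexpected_eof_by_client(lines):
    """Count 'unexpected eof while reading' errors per client address."""
    apache_client = {}  # pid -> client named on that worker's preceding line
    hits = Counter()
    for line in lines:
        pid = APACHE_PID.search(line)
        seen = APACHE_CLIENT.search(line)
        if pid and seen:
            apache_client[pid.group(1)] = seen.group(1)
        err = ERR_CODE.search(line)
        if not err or decode(err.group(1)) != UNEXPECTED_EOF:
            continue
        nginx = NGINX_CLIENT.search(line)
        if nginx:   # nginx names the client on the same line as the error
            client = nginx.group(1)
        else:       # Apache names it on the line before, matched by pid
            client = apache_client.get(pid.group(1) if pid else None, "unknown")
        hits[client] += 1
    return hits

if __name__ == "__main__":
    for client, count in unexpected_eof_by_client(SAMPLE_LINES).most_common():
        print(f"{count:3d}  {client}")
```
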

I can’t update to the new nginx version 1.22 because Passenger doesn’t support it. How can I solve it manually?