Patch-Source: https://github.com/nginx/unit/commit/8bd57347c835be885613e62cb05777ea9bb5291d From 8bd57347c835be885613e62cb05777ea9bb5291d Mon Sep 17 00:00:00 2001 From: Andy Postnikov Date: Thu, 24 Apr 2025 02:11:15 +0200 Subject: [PATCH] =?UTF-8?q?Treat=20a=20=E2=80=9Cbroken=20pipe=E2=80=9D=20o?= =?UTF-8?q?n=20SSL=5Fshutdown()=20as=20a=20normal=20close?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Starting with OpenSSL 3.4 errno is flowed up from tls_retry_write_records() which upon EPIPE results in the following log message 2025/04/23 17:12:47 [alert] 14322#14324 *16 SSL_shutdown(25) failed (32: Broken pipe) (32: [null]) (OpenSSL: error:80000020:system library::Broken pipe:tls_retry_write_records failure) Which is harmless except it trips up the test/test_tls.py::test_tls_certificate_change test due it to looking for "alert" log messages and failing if any are found. Now, I think the tests are wrong to do this (they also don't seem to be closing the TLS connection properly). But getting EPIPE when we're shutting down the connection is likely harmless so treat it the same as a clean shutdown which also gets rid of this log message. Link: Closes: https://github.com/nginx/unit/issues/1600 [ Commit message - Andrew ] Signed-off-by: Andrew Clayton --- src/nxt_openssl.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/nxt_openssl.c b/src/nxt_openssl.c index 8f66f45b3..4a1e91792 100644 --- a/src/nxt_openssl.c +++ b/src/nxt_openssl.c @@ -1586,7 +1586,8 @@ nxt_openssl_conn_test_error(nxt_task_t *task, nxt_conn_t *c, int ret, nxt_debug(task, "ERR_peek_error(): %l", lib_err); - if (sys_err != 0 || lib_err != 0) { + /* Treat a broken pipe on shutdown as a normal close */ + if (sys_err != NXT_EPIPE && (sys_err != 0 || lib_err != 0)) { c->socket.error = sys_err; return NXT_ERROR; }