Make it possible to ignore unexpected EOFs in SSL connections
What does this MR do and why?
GitLab 17.7 upgraded to OpenSSL 3. With this upgrade, some GitLab users encountered `unexpected eof while reading` errors with third-party services, such as NetApp StorageGRID. This error occurs because OpenSSL 3 requires the server to send a `close_notify` signal before shutting down the connection.
This commit adds the ability to disable this check with the `SSL_IGNORE_UNEXPECTED_EOF` environment variable. Note that this is not recommended as a default, but we're providing the ability to work around non-compliant services.
References
Many discussions have surfaced around the OpenSSL 3 behavior:
- https://github.com/ruby/openssl/pull/730
- https://github.com/redis/redis-rb/issues/1106
- https://bugs.python.org/issue43794
- https://github.com/openssl/openssl/discussions/24810
Relates to https://gitlab.com/gitlab-com/request-for-help/-/issues/2356
How to set up and validate locally
Without `SSL_IGNORE_UNEXPECTED_EOF` set:
```
% bin/rails c
DEPRECATION WARNING: Support for Rails versions < 7.1 is deprecated and will be removed from ViewComponent 4.0.0 (ViewComponent v4 will remove support for Rails versions < 7.1 no earlier than April 1, 2025) (called from <main> at /Users/stanhu/gdk-ee/gitlab/config/environment.rb:7)
--------------------------------------------------------------------------------
Ruby: ruby 3.3.7 (2025-01-15 revision be31f993d7) +YJIT [arm64-darwin24]
GitLab: 17.9.0-pre (184d19e6bd9) EE
GitLab Shell: 14.40.0
PostgreSQL: 14.9
--------------------------------------------------------------------------------
Loading development environment (Rails 7.0.8.7)
[1] pry(main)> OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:options]
=> 2147614800
```
With `SSL_IGNORE_UNEXPECTED_EOF` set:
```
% SSL_IGNORE_UNEXPECTED_EOF=true bin/rails c
DEPRECATION WARNING: Support for Rails versions < 7.1 is deprecated and will be removed from ViewComponent 4.0.0 (ViewComponent v4 will remove support for Rails versions < 7.1 no earlier than April 1, 2025) (called from <main> at /Users/stanhu/gdk-ee/gitlab/config/environment.rb:7)
--------------------------------------------------------------------------------
Ruby: ruby 3.3.7 (2025-01-15 revision be31f993d7) +YJIT [arm64-darwin24]
GitLab: 17.9.0-pre (184d19e6bd9) EE
GitLab Shell: 14.40.0
PostgreSQL: 14.9
--------------------------------------------------------------------------------
Loading development environment (Rails 7.0.8.7)
[1] pry(main)> OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:options]
=> 2147614928
```
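To read the two console values above, the following added example (not code from this MR or from GitLab) diffs the option masks and shows that the only bit that changes is `0x80`, which OpenSSL 3 defines as `SSL_OP_IGNORE_UNEXPECTED_EOF`. The helper names, the accepted truthy spellings and the `0x80` fallback for Ruby builds without the constant are assumptions.

```ruby
require 'openssl'

# OpenSSL 3 defines SSL_OP_IGNORE_UNEXPECTED_EOF as bit 7 (0x80). Builds
# linked against older libraries lack the Ruby constant, so fall back to
# the header value (assumption).
IGNORE_UNEXPECTED_EOF =
  if OpenSSL::SSL.const_defined?(:OP_IGNORE_UNEXPECTED_EOF)
    OpenSSL::SSL::OP_IGNORE_UNEXPECTED_EOF
  else
    0x80
  end

TRUTHY = %w[1 true yes on].freeze # assumed accepted spellings

# Hypothetical helper: return `base` with the flag set only when the
# variable is explicitly truthy, so the strict close_notify check stays
# the default.
def ssl_options(base, env = ENV)
  value = env['SSL_IGNORE_UNEXPECTED_EOF'].to_s.strip.downcase
  TRUTHY.include?(value) ? base | IGNORE_UNEXPECTED_EOF : base
end

# Bits that differ between two option masks, lowest first.
def changed_bits(before, after)
  diff = before ^ after
  (0...64).select { |i| diff[i] == 1 }.map { |i| 1 << i }
end

# Names of the OP_* constants in this Ruby build that equal a single bit.
def flag_names(bit)
  OpenSSL::SSL.constants.grep(/\AOP_/)
              .select { |c| OpenSSL::SSL.const_get(c) == bit }
              .map(&:to_s).sort
end

# Values copied from the two console sessions above.
WITHOUT_VAR = 2_147_614_800
WITH_VAR    = 2_147_614_928

if $PROGRAM_NAME == __FILE__
  changed_bits(WITHOUT_VAR, WITH_VAR).each do |bit|
    puts format('0x%x %s', bit, flag_names(bit).join(', '))
  end
end
```

Running the same diff against `OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:options]` on a deployed node is a quick way to audit whether the workaround is active there.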