So we saw a lot of OpenSSL::SSL::SSLError SSL_read: unexpected eof while reading, when we upgraded our ruby alpine base container image. As far as I understand, the main reason behind our issue is an included upgrade of openssl from 1.1 to 3. For some time we downgraded to 1.1. I am not totally sure how we did that, since it worked for a while - and then not anymore. Most probably at some point we upgraded the openssl gem itself, too. I did not dig deep enough into the "why did the downgrade work for some time and suddenly not anymore" (but this should not be relevant here anyway, since I normally consider a downgrade a bad option and we had only chosen that after our initial research did not give us any results fast enough).
After long digging into how to fix it with openssl 3 (gem and libs), I finally figured out I can get back to the old behaviour by setting:
    OpenSSL::SSL::SSLContext::DEFAULT_PARAMS = OpenSSL::SSL::SSLContext::DEFAULT_PARAMS.merge(
      options: OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:options] + OpenSSL::SSL::OP_IGNORE_UNEXPECTED_EOF
    ).freeze
(yeah, I should not be proud of overwriting that constant. I tried to do it the least invasive way I could imagine)
We are living with this now. But it feels wrong to me. So I dug into some of the specific problems. One was about an old custom social media validator that checks the url for some given social media identifier - and this won't be accessible without oauth authorization anymore. So the unexpected eof there is happening because of authorization issues. That's one of the possible root causes I googled anyway.
But for one of our main issues I could not get near the root cause. So we are using active storage with the google storage provider for image uploads. I see in our error tracker only a 5 steps deep backtrace that jumps from a middleware directly to openssl/buffering.rb line 80. But the issue seems to happen somewhere in between, in ActiveStorage::Representations::RedirectController#show. I cannot imagine that google is still responding with wrong ssl handling (as it was the reason why openssl had to support ignoring unexpected EOF for so long). But I have no hunch what we may be doing wrong here.
So: Has anyone experienced this issue with active storage + google storage and knows some possible root cause and how I can fix it appropriately (instead of overwriting the default params of SSLContext)?
thanks so far
You can add to config/initializers something like ssl_patch.rb:

    if OpenSSL::SSL.const_defined?(:OP_IGNORE_UNEXPECTED_EOF)
      OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:options] |= OpenSSL::SSL::OP_IGNORE_UNEXPECTED_EOF
    end
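
A narrower alternative to changing the process-wide defaults, as an added example that is not from either post above: keep DEFAULT_PARAMS untouched and set OP_IGNORE_UNEXPECTED_EOF only on contexts built for an allowlisted peer, with a helper to list which OP_* bits a context carries. The host names and the allowlist are hypothetical, and this only applies to connections whose SSLContext your own code constructs.

```ruby
require "openssl"

# The option exists only when linked against OpenSSL 3.0+; 0 means "no such flag".
IGNORE_EOF = if OpenSSL::SSL.const_defined?(:OP_IGNORE_UNEXPECTED_EOF)
  OpenSSL::SSL::OP_IGNORE_UNEXPECTED_EOF
else
  0
end

# Hypothetical allowlist: peers known to close TCP without sending close_notify.
TOLERANT_HOSTS = %w[legacy.example.test].freeze

# Names of the single-bit OP_* flags set in an options bitmask.
# Composite values such as OP_ALL and zero-valued legacy constants are skipped.
def option_names(options)
  OpenSSL::SSL.constants.grep(/\AOP_/).select do |name|
    bit = OpenSSL::SSL.const_get(name)
    bit.positive? && (bit & (bit - 1)).zero? && (options & bit) == bit
  end.sort
end

# True when the bitmask tells OpenSSL to treat a missing close_notify as a normal EOF.
def tolerates_unexpected_eof?(options)
  IGNORE_EOF.positive? && (options & IGNORE_EOF) == IGNORE_EOF
end

# Context with the library defaults (peer verification on); the EOF relaxation
# is added only for allowlisted hosts, so every other peer stays strict.
def context_for(host)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.set_params
  ctx.options |= IGNORE_EOF if TOLERANT_HOSTS.include?(host)
  ctx
end
```

Logging `option_names(OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:options])` at boot shows whether an initializer has already relaxed the global default.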