Net::HTTP doesn't allow to set SSL options

[casperisfine]

Context

Since OpenSSL 3.x, when a server close the TCP connection without first calling SSL_shutdown, the SSL client now error with SSL_read: unexpected eof while reading.

In OpenSSL 1.x, the client wouldn't mind and would behave like if the connection was cleanly closed.

To restore the 1.x behavior, you can set a specific options:

ssl_context = OpenSSL::SSL::SSLContext.new
ssl_context.options |= OpenSSL::SSL::OP_IGNORE_UNEXPECTED_EOF

Problem

The issue is that Net::HTTP only allow to set specific fields on the SSLContext object, and options is not one of them.

Workaround

The issue can be worked around by changing the default options globally:

if OpenSSL::SSL.const_defined?(:OP_IGNORE_UNEXPECTED_EOF)
  OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:options] |= OpenSSL::SSL::OP_IGNORE_UNEXPECTED_EOF
end

However this impact all SSL connections, not just the ones that need it.

Solution

Not sure what the best API would be. But it would be great if we could directly pass a SSLContext instance to Net::HTTP, so that we're not limited on the SSL configuration.

[adeherdt-r7]

Running into this same issue as well with the upgrade to OpenSSL 3 for our Ruby installation. As our client gems rely on net-http, this issue causes a lot of SSL_READ errors to appear in our client side, despite the server logs on the calling side show that the response has been sent to the client.

I can confirm that the workaround as a monkey patch definitely works and restores functionality, but setting this as a global option isn't ideal either. With the upgrades everywhere coming for OpenSSL 3, it would be nice to see net-http accomodate either the configuration options for this, or by default start handling this behavior.