[patch] Logging: raise severity level for logged messages

Maxim Dounin mdounin at mdounin.ru
Mon Dec 30 23:37:36 UTC 2013


Hello!

On Tue, Dec 31, 2013 at 10:10:32AM +1100, Sergei Turchanov wrote:

> Okay, maybe. But what about at least this part:
> 
> @@ -1801,7 +1801,7 @@ ngx_http_process_request(ngx_http_reques
>              if (rc != X509_V_OK
>                  && (sscf->verify != 3 ||
> !ngx_ssl_verify_error_optional(rc)))
>              {
> -                ngx_log_error(NGX_LOG_INFO, c->log, 0,
> +                ngx_log_error(NGX_LOG_ERR, c->log, 0,
>                                "client SSL certificate verify error:
> (%l:%s)",
>                                rc, X509_verify_cert_error_string(rc));
> 
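Review bot: Raising this call to NGX_LOG_ERR puts a client-controlled condition at error level. rc here is the verification result for whatever certificate the client presented, so any client with a certificate that fails verification can produce error-level entries. I would keep NGX_LOG_INFO. Separately, the hunk was wrapped in transit at "!ngx_ssl_verify_error_optional(rc)))" and inside the "client SSL certificate verify error:" string, so it will not apply as posted; please resend it unwrapped.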
> @@ -1816,7 +1816,7 @@ ngx_http_process_request(ngx_http_reques
>                  cert = SSL_get_peer_certificate(c->ssl->connection);
> 
>                  if (cert == NULL) {
> -                    ngx_log_error(NGX_LOG_INFO, c->log, 0,
> +                    ngx_log_error(NGX_LOG_ERR, c->log, 0,
>                                    "client sent no required SSL
> certificate");
> 
>                      ngx_ssl_remove_cached_session(sscf->ssl.ctx,
> 
> 
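Review bot: The cert == NULL branch is reached by any client that connects without sending a certificate, so at NGX_LOG_ERR this message would be written for ordinary unauthenticated connections and could crowd out genuine server-side errors. Keep NGX_LOG_INFO here, or make the level configurable instead of hard-coding the higher one. The "client sent no required SSL certificate" string is also split across two lines in the posted patch.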
> We use client certificates, and having the ability to see client SSL
> certificate errors without setting error_log to the 'info' level helps
> a lot. And these errors are not just as easily triggered as plain
> client HTTP errors. Don't you agree?

They are easily triggered by clients, even assuming non-malicious 
clients.  Moreover, e.g., Safari on OS X used to supply arbitrary 
certificates in a response to a certificate request, see here:

http://trac.nginx.org/nginx/ticket/472

If you want to trace such problems without using the 'info' 
logging level, adding the $ssl_client_verify variable to access 
logs might be a good idea, see here:

http://nginx.org/en/docs/http/ngx_http_ssl_module.html#variables

Additionally, there are special status codes available for these 
conditions, to facilitate automatic detection and handling of 
these errors, see here:

http://nginx.org/en/docs/http/ngx_http_ssl_module.html#errors

-- 
Maxim Dounin
http://nginx.org/
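
An nginx configuration sketch of the approach suggested in the reply above, added here as an example and not part of the original message or of the nginx sources. The host name, file paths, log format name and named location are placeholders chosen for illustration.

```nginx
# Constructed example: record client certificate failures without
# lowering error_log to 'info'. Paths and names are placeholders.
http {
    # $ssl_client_verify is SUCCESS, FAILED (newer nginx versions append
    # the reason after a colon) or NONE when no certificate was sent.
    log_format tls_client '$remote_addr [$time_local] "$request" $status '
                          'verify=$ssl_client_verify '
                          'subject="$ssl_client_s_dn"';

    server {
        listen      443 ssl;
        server_name example.com;

        ssl_certificate        /etc/nginx/tls/server.crt;
        ssl_certificate_key    /etc/nginx/tls/server.key;

        # CA used to verify client certificates; verification is required.
        ssl_client_certificate /etc/nginx/tls/client-ca.crt;
        ssl_verify_client      on;

        # Every request is logged together with its verification result.
        access_log /var/log/nginx/tls_access.log tls_client;

        # 495: certificate verification error
        # 496: client sent no required certificate
        # Both are routed to one handler so they can be treated uniformly.
        error_page 495 496 = @client_cert_error;

        location @client_cert_error {
            # Failures get their own log file, which is easy to monitor
            # or alert on separately from normal traffic.
            access_log /var/log/nginx/client_cert_errors.log tls_client;
            return 403;
        }
    }
}
```

Because these entries are written through access_log, they can use access log buffering and a dedicated file, so a client repeatedly failing verification does not fill the error log.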


