[PATCH] SSL: logging level of client issue during TLSv1.3

Murilo Andrade murilo.b.andrade at gmail.com
Wed Aug 10 22:15:29 UTC 2022


Hello Maxim!

> Are you seeing these errors in practice?
Yes, it's happening 310 times an hour. We are seeing it in the log like this:
    2022/07/26 13:49:51 [crit] 1316#1316: *147702846 SSL_read() failed (SSL: error:1408F1BB:SSL routines:ssl3_get_record:bad record type) while waiting for request


> On 9 Aug 2022, at 17:34, Murilo Andrade <murilo.b.andrade at gmail.com> wrote:
> 
> # HG changeset patch
> # User Murilo Andrade <murilo.b.andrade at gmail.com>
> # Date 1660076026 10800
> #      Tue Aug 09 17:13:46 2022 -0300
> # Node ID 8b57fd5e8fac9d04cd286e2ad8a18a4030819234
> # Parent  069a4813e8d6d7ec662d282a10f5f7062ebd817f
> SSL: logging level of client issue during TLSv1.3
> 
> Such fatal errors are reported by OpenSSL 1.1.1 during TLSv1.3,
> caused by a client issue. For example: when the handshake is
> concluded, the client sends a "change_cipher_spec(20)" followed
> by an unknown Content-Type, for example: 26; the OpenSSL library
> will fail with SSL_R_BAD_RECORD_TYPE ("bad record type"). This
> failure is now logged at the "info" level.
> 
> diff -r 069a4813e8d6 -r 8b57fd5e8fac src/event/ngx_event_openssl.c
> --- a/src/event/ngx_event_openssl.c	Tue Jul 19 17:05:27 2022 +0300
> +++ b/src/event/ngx_event_openssl.c	Tue Aug 09 17:13:46 2022 -0300
> @@ -3423,6 +3423,9 @@
> #ifdef SSL_R_VERSION_TOO_LOW
>            || n == SSL_R_VERSION_TOO_LOW                            /*  396 */
> #endif
> +#ifdef SSL_R_BAD_RECORD_TYPE
> +            || n == SSL_R_BAD_RECORD_TYPE                            /*  443 */
> +#endif
>            || n == 1000 /* SSL_R_SSLV3_ALERT_CLOSE_NOTIFY */
> #ifdef SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE
>            || n == SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE             /* 1010 */
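Review bot: the `/*  443 */` comment on the added `SSL_R_BAD_RECORD_TYPE` line should be confirmed against the OpenSSL `ssl.h` this targets, since the surrounding entries are kept in numeric order (396 before it, 1000 after it) and a wrong number would mislead whoever inserts the next reason code here; the `#ifdef` guard itself matches the neighbouring pattern. It is also worth stating, in a comment or in the commit message, that this moves every `SSL_read()` failure carrying this reason from `crit` to `info`, not only the post-handshake TLSv1.3 case described, so operators who watch `crit` entries for malformed client traffic should know the signal now lives at `info`. Finally, in the quoted text the two `+` lines appear indented one column deeper than the neighbouring `||` lines; please check the whitespace matches before committing.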
> 
> 
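The commit message above describes the record sequence that triggers the error: a change_cipher_spec record followed by a record whose ContentType is not one of the four values the TLS record layer defines. The following Python is an added example, not code from the original message or from nginx or OpenSSL, that parses TLS record headers from a byte stream and stops at the first unknown content type, reproducing the condition behind "bad record type" on a constructed sample stream. The record layout (1-byte type, 2-byte version, 2-byte length) is from RFC 8446 section 5.1; the sample bytes, the function names and the error string are assumptions for illustration.

```python
import struct
from dataclasses import dataclass

# TLS record-layer ContentType values (RFC 8446 section 5.1). Anything else,
# such as the 26 mentioned in the commit message, is rejected by the record layer.
CONTENT_TYPES = {
    20: "change_cipher_spec",
    21: "alert",
    22: "handshake",
    23: "application_data",
}

# Record header: ContentType (1 byte), ProtocolVersion (2 bytes), length (2 bytes)
HEADER = struct.Struct("!BHH")


@dataclass
class Record:
    content_type: int
    version: int
    payload: bytes

    @property
    def type_name(self) -> str:
        return CONTENT_TYPES.get(self.content_type, "unknown")


def parse_records(buf: bytes):
    """Parse consecutive TLS records from buf.

    Returns (records, error). records holds every record parsed before the
    problem; error is None on success, or a message naming the offending
    content type and its byte offset (the situation OpenSSL reports as
    SSL_R_BAD_RECORD_TYPE). A trailing incomplete record is left unparsed
    without error, as a real reader would wait for more bytes.
    """
    records = []
    off = 0
    while off + HEADER.size <= len(buf):
        ctype, version, length = HEADER.unpack_from(buf, off)
        if ctype not in CONTENT_TYPES:
            return records, f"bad record type {ctype} at offset {off}"
        end = off + HEADER.size + length
        if end > len(buf):
            break  # partial record: need more data
        records.append(Record(ctype, version, buf[off + HEADER.size:end]))
        off = end
    return records, None


def record(ctype: int, payload: bytes, version: int = 0x0303) -> bytes:
    """Build one TLS record with the given content type (helper for samples)."""
    return HEADER.pack(ctype, version, len(payload)) + payload


# Constructed sample streams (not captured traffic):
# a well-formed post-handshake sequence, and the misbehaving one from the
# commit message: change_cipher_spec followed by an unknown type 26.
GOOD_STREAM = record(20, b"\x01") + record(23, b"\xde\xad\xbe\xef")
BAD_STREAM = record(20, b"\x01") + record(26, b"\x00\x01\x02\x03")


def type_names(buf: bytes):
    """Convenience wrapper: names of records parsed before any error."""
    records, error = parse_records(buf)
    return [r.type_name for r in records], error


if __name__ == "__main__":
    for label, stream in (("good", GOOD_STREAM), ("bad", BAD_STREAM)):
        names, error = type_names(stream)
        print(f"{label}: parsed {names}, error={error!r}")
```

Run stand-alone it reports that the good stream parses fully and that the bad stream stops after the change_cipher_spec record with `bad record type 26 at offset 6`. The point for an operator reading the patch is that this failure is decided purely by the 1-byte ContentType the peer sent, which is why the patch treats it as a client-side problem comparable to the other `info`-level reason codes around it rather than a server fault worth `crit`.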
