[nginx] SSL: logging level of "application data after close notify".

Sergey Kandaurov pluknet at nginx.com
Wed Feb 9 13:58:27 UTC 2022


details:   https://hg.nginx.org/nginx/rev/a736a7a613ea
branches:  
changeset: 8009:a736a7a613ea
user:      Sergey Kandaurov <pluknet at nginx.com>
date:      Tue Feb 08 17:35:27 2022 +0300
description:
SSL: logging level of "application data after close notify".

Such fatal errors are reported by OpenSSL 1.1.1, and similarly by BoringSSL,
if application data is encountered during SSL shutdown, which started to be
observed on the second SSL_shutdown() call after SSL shutdown fixes made in
09fb2135a589 (1.19.2).  The error means that the client continues to send
application data after receiving the "close_notify" alert (ticket #2318).
Previously it was reported as SSL_shutdown() error of SSL_ERROR_SYSCALL.

diffstat:

 src/event/ngx_event_openssl.c |  6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

diffs (16 lines):

diff -r 1add55d23652 -r a736a7a613ea src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c	Fri Feb 04 13:29:31 2022 +0300
+++ b/src/event/ngx_event_openssl.c	Tue Feb 08 17:35:27 2022 +0300
@@ -3385,6 +3385,12 @@ ngx_ssl_connection_error(ngx_connection_
 #endif
             || n == SSL_R_WRONG_VERSION_NUMBER                       /*  267 */
             || n == SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC        /*  281 */
+#ifdef SSL_R_APPLICATION_DATA_AFTER_CLOSE_NOTIFY
+            || n == SSL_R_APPLICATION_DATA_AFTER_CLOSE_NOTIFY        /*  291 */
+#endif
+#ifdef SSL_R_APPLICATION_DATA_ON_SHUTDOWN
+            || n == SSL_R_APPLICATION_DATA_ON_SHUTDOWN               /*  291 */
+#endif
 #ifdef SSL_R_RENEGOTIATE_EXT_TOO_LONG
             || n == SSL_R_RENEGOTIATE_EXT_TOO_LONG                   /*  335 */
             || n == SSL_R_RENEGOTIATION_ENCODING_ERR                 /*  336 */



More information about the nginx-devel mailing list