[nginx] SSL: logging levels of various errors added in OpenSSL 1.1.1.

Tue Jul 12 15:15:58 UTC 2022

details:   https://hg.nginx.org/nginx/rev/cac164d0807e
branches:  
changeset: 8054:cac164d0807e
user:      Maxim Dounin <mdounin at mdounin.ru>
date:      Tue Jul 12 15:55:22 2022 +0300
description:
SSL: logging levels of various errors added in OpenSSL 1.1.1.

Starting with OpenSSL 1.1.1, various additional errors can be reported
by OpenSSL in case of client-related issues, most notably during TLSv1.3
handshakes.  In particular, SSL_R_BAD_KEY_SHARE ("bad key share"),
SSL_R_BAD_EXTENSION ("bad extension"), SSL_R_BAD_CIPHER ("bad cipher"),
SSL_R_BAD_ECPOINT ("bad ecpoint").  These are now logged at the "info"
level.

diffstat:

 src/event/ngx_event_openssl.c |  12 ++++++++++++
 1 files changed, 12 insertions(+), 0 deletions(-)

diffs (36 lines):

diff -r 9d98d524bd02 -r cac164d0807e src/event/ngx_event_openssl.c

--- a/src/event/ngx_event_openssl.c	Wed Jun 29 02:47:45 2022 +0300
+++ b/src/event/ngx_event_openssl.c	Tue Jul 12 15:55:22 2022 +0300
@@ -3343,6 +3343,12 @@ ngx_ssl_connection_error(ngx_connection_
 #ifdef SSL_R_NO_SUITABLE_KEY_SHARE
             || n == SSL_R_NO_SUITABLE_KEY_SHARE                      /*  101 */
 #endif
+#ifdef SSL_R_BAD_KEY_SHARE
+            || n == SSL_R_BAD_KEY_SHARE                              /*  108 */
+#endif
+#ifdef SSL_R_BAD_EXTENSION
+            || n == SSL_R_BAD_EXTENSION                              /*  110 */
+#endif
 #ifdef SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM
             || n == SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM            /*  118 */
 #endif
@@ -3357,6 +3363,9 @@ ngx_ssl_connection_error(ngx_connection_
             || n == SSL_R_NO_CIPHERS_PASSED                          /*  182 */
 #endif
             || n == SSL_R_NO_CIPHERS_SPECIFIED                       /*  183 */
+#ifdef SSL_R_BAD_CIPHER
+            || n == SSL_R_BAD_CIPHER                                 /*  186 */
+#endif
             || n == SSL_R_NO_COMPRESSION_SPECIFIED                   /*  187 */
             || n == SSL_R_NO_SHARED_CIPHER                           /*  193 */
             || n == SSL_R_RECORD_LENGTH_MISMATCH                     /*  213 */
@@ -3391,6 +3400,9 @@ ngx_ssl_connection_error(ngx_connection_
 #ifdef SSL_R_APPLICATION_DATA_ON_SHUTDOWN
             || n == SSL_R_APPLICATION_DATA_ON_SHUTDOWN               /*  291 */
 #endif
+#ifdef SSL_R_BAD_ECPOINT
+            || n == SSL_R_BAD_ECPOINT                                /*  306 */
+#endif
 #ifdef SSL_R_RENEGOTIATE_EXT_TOO_LONG
             || n == SSL_R_RENEGOTIATE_EXT_TOO_LONG                   /*  335 */
             || n == SSL_R_RENEGOTIATION_ENCODING_ERR                 /*  336 */

