QUIC: add error code for handshake failed.
Sergey Kandaurov
pluknet at nginx.com
Tue Feb 21 13:54:42 UTC 2023
> On 17 Feb 2023, at 16:53, Sergey Kandaurov <pluknet at nginx.com> wrote:
>
>>
>> On 17 Feb 2023, at 09:17, Jiuzhou Cui <jiuzhoucui at 163.com> wrote:
>>
>> Maybe NGX_QUIC_ERR_CRYPTO(sslerr) is not suitable here.
>>
>> I think error and error_reason should be set together.
>>
>> My scenes is error_reason is "handshake failed", but error is 8 set by parse TRANSPORT_PARAMETER failed before. My actual problem is parse transport parameter failed, so maybe error_reason "failed to process transport parameters" is useful for me to positioning problem. What do you think about this?
>>
>
> Actually, both error and error_reason are usually set together.
> The problem is in overwriting error_reason that was previously set
> specifically for transport parameters parsing error, during handshake,
> with a generic "handshake failed" phrase. Please see the patch.
>
> # HG changeset patch
> # User Sergey Kandaurov <pluknet at nginx.com>
> # Date 1676638271 -14400
> # Fri Feb 17 16:51:11 2023 +0400
> # Branch quic
> # Node ID 09c7414487aa82b40d4ab33738dc578363fe3273
> # Parent 2fcd590d85da9c3a0205a18cb295ec316c03f18e
> QUIC: using most specific handshake error reasons.
>
> A QUIC handshake may fail for a variety of reasons. Some of them arise
> from our own checks and have a knownledge to set a suitable reason phrase.
> Previously, it was overridden with a generic "handshake failed" phrase.
> The latter is used for handshake errors generated in the SSL library and
> reported with the send_alert callback. Now a specific phrase is preserved.
>
> Reported by Jiuzhou Cui.
>
> diff --git a/src/event/quic/ngx_event_quic_ssl.c b/src/event/quic/ngx_event_quic_ssl.c
> --- a/src/event/quic/ngx_event_quic_ssl.c
> +++ b/src/event/quic/ngx_event_quic_ssl.c
> @@ -423,7 +423,11 @@ ngx_quic_crypto_input(ngx_connection_t *
>
> if (sslerr != SSL_ERROR_WANT_READ) {
> ngx_ssl_error(NGX_LOG_ERR, c->log, 0, "SSL_do_handshake() failed");
> - qc->error_reason = "handshake failed";
> +
> + if (!qc->error_reason) {
> + qc->error_reason = "handshake failed";
> + }
> +
> return NGX_ERROR;
> }
> }
Alternatively, the error_reason assignment can just be lifted.
# HG changeset patch
# User Sergey Kandaurov <pluknet at nginx.com>
# Date 1676987626 -14400
# Tue Feb 21 17:53:46 2023 +0400
# Branch quic
# Node ID e012c3999592fc935bfc786a232903567c512bfe
# Parent baada8d864cbedc7557b879f89eee5c412f3ca85
QUIC: moved "handshake failed" reason to send_alert.
A QUIC handshake may fail for a variety of reasons, which breaks down into
several cases, in order of precedence:
- generally, the error code is reported with the send_alert callback
- else, our own QUIC checks may set specific error code / reason phrase
- as a last resort, handshake may fail for some reason, which falls back
to send INTERNAL_ERROR in the CONNECTION_CLOSE frame.
Now, in the first case, both error code and generic phrase are set in the
send_alert callback, to preserve a specific reason phrase from overriding.
Additionally, absent error code / reason phrase are now converted to just
INTERNAL_ERROR, without reason phrase set.
Reported by Jiuzhou Cui.
diff --git a/src/event/quic/ngx_event_quic_ssl.c b/src/event/quic/ngx_event_quic_ssl.c
--- a/src/event/quic/ngx_event_quic_ssl.c
+++ b/src/event/quic/ngx_event_quic_ssl.c
@@ -301,6 +301,7 @@ ngx_quic_send_alert(ngx_ssl_conn_t *ssl_
}
qc->error = NGX_QUIC_ERR_CRYPTO(alert);
+ qc->error_reason = "handshake failed";
return 1;
}
@@ -423,7 +424,6 @@ ngx_quic_crypto_input(ngx_connection_t *
if (sslerr != SSL_ERROR_WANT_READ) {
ngx_ssl_error(NGX_LOG_ERR, c->log, 0, "SSL_do_handshake() failed");
- qc->error_reason = "handshake failed";
return NGX_ERROR;
}
}
--
Sergey Kandaurov
More information about the nginx-devel
mailing list