QUIC: add error code for handshake failed.
Sergey Kandaurov
pluknet at nginx.com
Fri Feb 17 12:53:24 UTC 2023
> On 17 Feb 2023, at 09:17, Jiuzhou Cui <jiuzhoucui at 163.com> wrote:
>
> Maybe NGX_QUIC_ERR_CRYPTO(sslerr) is not suitable here.
>
> I think error and error_reason should be set together.
>
> My scenes is error_reason is "handshake failed", but error is 8 set by parse TRANSPORT_PARAMETER failed before. My actual problem is parse transport parameter failed, so maybe error_reason "failed to process transport parameters" is useful for me to positioning problem. What do you think about this?
>
Actually, both error and error_reason are usually set together.
The problem is in overwriting error_reason that was previously set
specifically for transport parameters parsing error, during handshake,
with a generic "handshake failed" phrase. Please see the patch.
# HG changeset patch
# User Sergey Kandaurov <pluknet at nginx.com>
# Date 1676638271 -14400
# Fri Feb 17 16:51:11 2023 +0400
# Branch quic
# Node ID 09c7414487aa82b40d4ab33738dc578363fe3273
# Parent 2fcd590d85da9c3a0205a18cb295ec316c03f18e
QUIC: using most specific handshake error reasons.
A QUIC handshake may fail for a variety of reasons. Some of them arise
from our own checks and have a knownledge to set a suitable reason phrase.
Previously, it was overridden with a generic "handshake failed" phrase.
The latter is used for handshake errors generated in the SSL library and
reported with the send_alert callback. Now a specific phrase is preserved.
Reported by Jiuzhou Cui.
diff --git a/src/event/quic/ngx_event_quic_ssl.c b/src/event/quic/ngx_event_quic_ssl.c
--- a/src/event/quic/ngx_event_quic_ssl.c
+++ b/src/event/quic/ngx_event_quic_ssl.c
@@ -423,7 +423,11 @@ ngx_quic_crypto_input(ngx_connection_t *
if (sslerr != SSL_ERROR_WANT_READ) {
ngx_ssl_error(NGX_LOG_ERR, c->log, 0, "SSL_do_handshake() failed");
- qc->error_reason = "handshake failed";
+
+ if (!qc->error_reason) {
+ qc->error_reason = "handshake failed";
+ }
+
return NGX_ERROR;
}
}
>
> At 2023-02-16 22:42:27, "Sergey Kandaurov" <pluknet at nginx.com> wrote:
> >
> >> On 16 Feb 2023, at 17:36, Jiuzhou Cui <jiuzhoucui at 163.com> wrote:
> >>
> >> Hello!
> >>
> >> # HG changeset patch
> >> # User Jiuzhou Cui <cuijiuzhou at alibaba-inc.com>
> >> # Date 1676554419 -28800
> >> # Thu Feb 16 21:33:39 2023 +0800
> >> # Branch quic
> >> # Node ID 13396c3ad10bdc8c1ac6969e965ceac510dc162f
> >> # Parent b87a0dbc1150f415def5bc1e1f00d02b33519026
> >> QUIC: add error code for handshake failed.
> >>
> >> diff -r b87a0dbc1150 -r 13396c3ad10b src/event/quic/ngx_event_quic_ssl.c
> >> --- a/src/event/quic/ngx_event_quic_ssl.c Tue Oct 25 12:52:09 2022 +0400
> >> +++ b/src/event/quic/ngx_event_quic_ssl.c Thu Feb 16 21:33:39 2023 +0800
> >> @@ -202,7 +202,7 @@
> >> SSL_get0_alpn_selected(ssl_conn, &alpn_data, &alpn_len);
> >>
> >> if (alpn_len == 0) {
> >> - qc->error = 0x100 + SSL_AD_NO_APPLICATION_PROTOCOL;
> >> + qc->error = NGX_QUIC_ERR_CRYPTO(SSL_AD_NO_APPLICATION_PROTOCOL);
> >> qc->error_reason = "unsupported protocol in ALPN extension";
> >>
> >> ngx_log_error(NGX_LOG_INFO, c->log, 0,
> >> @@ -452,6 +452,7 @@
> >>
> >> if (sslerr != SSL_ERROR_WANT_READ) {
> >> ngx_ssl_error(NGX_LOG_ERR, c->log, 0, "SSL_do_handshake() failed");
> >> + qc->error = NGX_QUIC_ERR_CRYPTO(sslerr);
> >> qc->error_reason = "handshake failed";
> >> return NGX_ERROR;
> >> }
> >
> >Thank you for the patch.
> >
> >Applying to TLS handshake, qc->error is used to keep CRYPTO_ERROR,
> >a value based on the TLS alert. You are trying to set there
> >something different, this is not going to work.
> >
> >More, qc->error is usually set in the send_alert callback as passed from
> >TLS, so no need to deal with it here. Other places are QUIC protocol-
> >specific additions to negotiate ALPN and to carry transport parameters,
> >they are managed elsewhere.
> >
> >The ALPN part is ok. Looks like it was missed from the 97adb87f149b
> >change, which went soon after ALPN checks added in a2c34e77cfc1.
> >
> ># HG changeset patch
> ># User Sergey Kandaurov <pluknet at nginx.com>
> ># Date 1676558213 -14400
> ># Thu Feb 16 18:36:53 2023 +0400
> ># Branch quic
> ># Node ID 2fcd590d85da9c3a0205a18cb295ec316c03f18e
> ># Parent 12b756caaf167d2239fd3bd7a75b270ca89ca26b
> >QUIC: using NGX_QUIC_ERR_CRYPTO macro in ALPN checks.
> >
> >Patch by Jiuzhou Cui.
> >
> >diff --git a/src/event/quic/ngx_event_quic_ssl.c b/src/event/quic/ngx_event_quic_ssl.c
> >--- a/src/event/quic/ngx_event_quic_ssl.c
> >+++ b/src/event/quic/ngx_event_quic_ssl.c
> >@@ -190,7 +190,7 @@ ngx_quic_add_handshake_data(ngx_ssl_conn
> > SSL_get0_alpn_selected(ssl_conn, &alpn_data, &alpn_len);
> >
> > if (alpn_len == 0) {
> >- qc->error = 0x100 + SSL_AD_NO_APPLICATION_PROTOCOL;
> >+ qc->error = NGX_QUIC_ERR_CRYPTO(SSL_AD_NO_APPLICATION_PROTOCOL);
> > qc->error_reason = "unsupported protocol in ALPN extension";
> >
> > ngx_log_error(NGX_LOG_INFO, c->log, 0,
> >
> >--
> >Sergey Kandaurov
> >_______________________________________________
> >nginx-devel mailing list
> >nginx-devel at nginx.org
> >https://mailman.nginx.org/mailman/listinfo/nginx-devel
>
> _______________________________________________
> nginx-devel mailing list
> nginx-devel at nginx.org
> https://mailman.nginx.org/mailman/listinfo/nginx-devel
--
Sergey Kandaurov
More information about the nginx-devel
mailing list