[PATCH 3 of 4] SSL: logging levels of errors observed with tlsfuzzer and LibreSSL
Roman Arutyunyan
arut at nginx.com
Wed Mar 8 14:22:40 UTC 2023
Hi,
On Wed, Mar 08, 2023 at 01:25:23AM +0300, Maxim Dounin wrote:
> Hello!
>
> On Tue, Mar 07, 2023 at 06:47:59PM +0400, Roman Arutyunyan wrote:
>
> > On Wed, Mar 01, 2023 at 05:56:04PM +0300, Maxim Dounin wrote:
> > > # HG changeset patch
> > > # User Maxim Dounin <mdounin at mdounin.ru>
> > > # Date 1677682426 -10800
> > > # Wed Mar 01 17:53:46 2023 +0300
> > > # Node ID 207742991a561c0ed70834d4ce18e8452689419d
> > > # Parent c76e163105f1eac7727ce4e6d955fecb38d93e49
> > > SSL: logging levels of errors observed with tlsfuzzer and LibreSSL.
> > >
> > > As tested with tlsfuzzer with LibreSSL 2.7.0, the following errors are
> > > certainly client-related:
> >
> > LibreSSL 2.7.0 is ancient - March 21st, 2018.
>
> Err, typo, should be 3.7.0, the latest development release.
> Fixed.
>
> > > SSL_do_handshake() failed (SSL: error:14026073:SSL routines:ACCEPT_SR_CLNT_HELLO:bad packet length)
> > > SSL_do_handshake() failed (SSL: error:1402612C:SSL routines:ACCEPT_SR_CLNT_HELLO:ssl3 session id too long)
> >
> > I could not get this one with 2.7.0, but I got it with 3.6.0.
> >
> > > SSL_do_handshake() failed (SSL: error:140380EA:SSL routines:ACCEPT_SR_KEY_EXCH:tls rsa encrypted value length is wrong)
> >
> > With 3.6.0 two more errors are reported: SSL_R_SIGNATURE_ALGORITHMS_ERROR,
> > SSL_R_MISSING_RSA_CERTIFICATE:
> >
> > SSL_do_handshake() failed (SSL: error:1402F0FB:SSL routines:ACCEPT_SW_KEY_EXCH:unknown pkey type error:1402F168:SSL routines:ACCEPT_SW_KEY_EXCH:signature algorithms error)
> > SSL_do_handshake() failed (SSL: error:1402D0FB:SSL routines:ACCEPT_SW_CERT:unknown pkey type error:14FFF0A8:SSL routines:(UNKNOWN)SSL_internal:missing rsa certificate)
>
> Yes, these are also seen with LibreSSL 3.7.0 I've tested. But
> these looks like library internal errors to me.
>
> Given
>
> SSL_do_handshake() failed (SSL: error:14FFF3E7:SSL routines:(UNKNOWN)SSL_internal:unknown failure occurred) while SSL handshaking
>
> also observed with LibreSSL 3.7.0, I tend to think that error
> handling in LibreSSL needs some work.
Absolutely. I caught this one:
SSL_do_handshake() failed (SSL: error:14025455:SSL routines:ACCEPT_SR_CLNT_HELLO:reason(1109)) while SSL handshaking
OK, no more comments then. Looks good.
--
Roman Arutyunyan
More information about the nginx-devel
mailing list