[nginx] SSL: logging levels of errors observed with BoringSSL.

Roman Arutyunyan arut at nginx.com
Mon Mar 13 12:59:09 UTC 2023


details:   https://hg.nginx.org/nginx/rev/b7d4bfd132d2
branches:  
changeset: 8146:b7d4bfd132d2
user:      Maxim Dounin <mdounin at mdounin.ru>
date:      Wed Mar 08 22:22:47 2023 +0300
description:
SSL: logging levels of errors observed with BoringSSL.

As tested with tlsfuzzer with BoringSSL, the following errors are
certainly client-related:

SSL_do_handshake() failed (SSL: error:10000066:SSL routines:OPENSSL_internal:BAD_ALERT)
SSL_do_handshake() failed (SSL: error:10000089:SSL routines:OPENSSL_internal:DECODE_ERROR)
SSL_do_handshake() failed (SSL: error:100000dc:SSL routines:OPENSSL_internal:TOO_MANY_WARNING_ALERTS)
SSL_do_handshake() failed (SSL: error:10000100:SSL routines:OPENSSL_internal:INVALID_COMPRESSION_LIST)
SSL_do_handshake() failed (SSL: error:10000102:SSL routines:OPENSSL_internal:MISSING_KEY_SHARE)
SSL_do_handshake() failed (SSL: error:1000010e:SSL routines:OPENSSL_internal:TOO_MUCH_SKIPPED_EARLY_DATA)
SSL_read() failed (SSL: error:100000b6:SSL routines:OPENSSL_internal:NO_RENEGOTIATION)

Accordingly, the SSL_R_BAD_ALERT, SSL_R_DECODE_ERROR,
SSL_R_TOO_MANY_WARNING_ALERTS, SSL_R_INVALID_COMPRESSION_LIST,
SSL_R_MISSING_KEY_SHARE, SSL_R_TOO_MUCH_SKIPPED_EARLY_DATA,
and SSL_R_NO_RENEGOTIATION errors are now logged at the "info" level.

diffstat:

 src/event/ngx_event_openssl.c |  21 +++++++++++++++++++++
 1 files changed, 21 insertions(+), 0 deletions(-)

diffs (64 lines):

diff -r 64db9e50f6c5 -r b7d4bfd132d2 src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c	Wed Mar 08 22:22:34 2023 +0300
+++ b/src/event/ngx_event_openssl.c	Wed Mar 08 22:22:47 2023 +0300
@@ -3396,6 +3396,9 @@ ngx_ssl_connection_error(ngx_connection_
 #ifdef SSL_R_NO_SUITABLE_KEY_SHARE
             || n == SSL_R_NO_SUITABLE_KEY_SHARE                      /*  101 */
 #endif
+#ifdef SSL_R_BAD_ALERT
+            || n == SSL_R_BAD_ALERT                                  /*  102 */
+#endif
 #ifdef SSL_R_BAD_KEY_SHARE
             || n == SSL_R_BAD_KEY_SHARE                              /*  108 */
 #endif
@@ -3415,6 +3418,9 @@ ngx_ssl_connection_error(ngx_connection_
 #endif
             || n == SSL_R_BLOCK_CIPHER_PAD_IS_WRONG                  /*  129 */
             || n == SSL_R_CCS_RECEIVED_EARLY                         /*  133 */
+#ifdef SSL_R_DECODE_ERROR
+            || n == SSL_R_DECODE_ERROR                               /*  137 */
+#endif
 #ifdef SSL_R_DATA_BETWEEN_CCS_AND_FINISHED
             || n == SSL_R_DATA_BETWEEN_CCS_AND_FINISHED              /*  145 */
 #endif
@@ -3432,6 +3438,9 @@ ngx_ssl_connection_error(ngx_connection_
 #ifdef SSL_R_LENGTH_TOO_SHORT
             || n == SSL_R_LENGTH_TOO_SHORT                           /*  160 */
 #endif
+#ifdef SSL_R_NO_RENEGOTIATION
+            || n == SSL_R_NO_RENEGOTIATION                           /*  182 */
+#endif
 #ifdef SSL_R_NO_CIPHERS_PASSED
             || n == SSL_R_NO_CIPHERS_PASSED                          /*  182 */
 #endif
@@ -3445,6 +3454,9 @@ ngx_ssl_connection_error(ngx_connection_
             || n == SSL_R_PACKET_LENGTH_TOO_LONG                     /*  198 */
 #endif
             || n == SSL_R_RECORD_LENGTH_MISMATCH                     /*  213 */
+#ifdef SSL_R_TOO_MANY_WARNING_ALERTS
+            || n == SSL_R_TOO_MANY_WARNING_ALERTS                    /*  220 */
+#endif
 #ifdef SSL_R_CLIENTHELLO_TLSEXT
             || n == SSL_R_CLIENTHELLO_TLSEXT                         /*  226 */
 #endif
@@ -3467,11 +3479,20 @@ ngx_ssl_connection_error(ngx_connection_
 #ifdef SSL_R_NO_COMMON_SIGNATURE_ALGORITHMS
             || n == SSL_R_NO_COMMON_SIGNATURE_ALGORITHMS             /*  253 */
 #endif
+#ifdef SSL_R_INVALID_COMPRESSION_LIST
+            || n == SSL_R_INVALID_COMPRESSION_LIST                   /*  256 */
+#endif
+#ifdef SSL_R_MISSING_KEY_SHARE
+            || n == SSL_R_MISSING_KEY_SHARE                          /*  258 */
+#endif
             || n == SSL_R_UNSUPPORTED_PROTOCOL                       /*  258 */
 #ifdef SSL_R_NO_SHARED_GROUP
             || n == SSL_R_NO_SHARED_GROUP                            /*  266 */
 #endif
             || n == SSL_R_WRONG_VERSION_NUMBER                       /*  267 */
+#ifdef SSL_R_TOO_MUCH_SKIPPED_EARLY_DATA
+            || n == SSL_R_TOO_MUCH_SKIPPED_EARLY_DATA                /*  270 */
+#endif
             || n == SSL_R_BAD_LENGTH                                 /*  271 */
             || n == SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC        /*  281 */
 #ifdef SSL_R_APPLICATION_DATA_AFTER_CLOSE_NOTIFY


More information about the nginx-devel mailing list