[PATCH 4 of 4] SSL: logging levels of errors observed with BoringSSL
Maxim Dounin
mdounin at mdounin.ru
Wed Mar 1 14:56:05 UTC 2023
# HG changeset patch
# User Maxim Dounin <mdounin at mdounin.ru>
# Date 1677682467 -10800
# Wed Mar 01 17:54:27 2023 +0300
# Node ID ad67809ab209bd575dac52756ad4aeb5255d430e
# Parent 207742991a561c0ed70834d4ce18e8452689419d
SSL: logging levels of errors observed with BoringSSL.
As tested with tlsfuzzer with BoringSSL, the following errors are
certainly client-related:
SSL_do_handshake() failed (SSL: error:10000066:SSL routines:OPENSSL_internal:BAD_ALERT)
SSL_do_handshake() failed (SSL: error:10000089:SSL routines:OPENSSL_internal:DECODE_ERROR)
SSL_do_handshake() failed (SSL: error:100000dc:SSL routines:OPENSSL_internal:TOO_MANY_WARNING_ALERTS)
SSL_do_handshake() failed (SSL: error:10000100:SSL routines:OPENSSL_internal:INVALID_COMPRESSION_LIST)
SSL_do_handshake() failed (SSL: error:10000102:SSL routines:OPENSSL_internal:MISSING_KEY_SHARE)
SSL_do_handshake() failed (SSL: error:1000010e:SSL routines:OPENSSL_internal:TOO_MUCH_SKIPPED_EARLY_DATA)
SSL_read() failed (SSL: error:100000b6:SSL routines:OPENSSL_internal:NO_RENEGOTIATION)
Accordingly, the SSL_R_BAD_ALERT, SSL_R_DECODE_ERROR,
SSL_R_TOO_MANY_WARNING_ALERTS, SSL_R_INVALID_COMPRESSION_LIST,
SSL_R_MISSING_KEY_SHARE, SSL_R_TOO_MUCH_SKIPPED_EARLY_DATA,
and SSL_R_NO_RENEGOTIATION errors are now logged at the "info" level.
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -3396,6 +3396,9 @@ ngx_ssl_connection_error(ngx_connection_
#ifdef SSL_R_NO_SUITABLE_KEY_SHARE
|| n == SSL_R_NO_SUITABLE_KEY_SHARE /* 101 */
#endif
+#ifdef SSL_R_BAD_ALERT
+ || n == SSL_R_BAD_ALERT /* 102 */
+#endif
#ifdef SSL_R_BAD_KEY_SHARE
|| n == SSL_R_BAD_KEY_SHARE /* 108 */
#endif
@@ -3415,6 +3418,9 @@ ngx_ssl_connection_error(ngx_connection_
#endif
|| n == SSL_R_BLOCK_CIPHER_PAD_IS_WRONG /* 129 */
|| n == SSL_R_CCS_RECEIVED_EARLY /* 133 */
+#ifdef SSL_R_DECODE_ERROR
+ || n == SSL_R_DECODE_ERROR /* 137 */
+#endif
#ifdef SSL_R_DATA_BETWEEN_CCS_AND_FINISHED
|| n == SSL_R_DATA_BETWEEN_CCS_AND_FINISHED /* 145 */
#endif
@@ -3432,6 +3438,9 @@ ngx_ssl_connection_error(ngx_connection_
#ifdef SSL_R_LENGTH_TOO_SHORT
|| n == SSL_R_LENGTH_TOO_SHORT /* 160 */
#endif
+#ifdef SSL_R_NO_RENEGOTIATION
+ || n == SSL_R_NO_RENEGOTIATION /* 182 */
+#endif
#ifdef SSL_R_NO_CIPHERS_PASSED
|| n == SSL_R_NO_CIPHERS_PASSED /* 182 */
#endif
@@ -3445,6 +3454,9 @@ ngx_ssl_connection_error(ngx_connection_
|| n == SSL_R_PACKET_LENGTH_TOO_LONG /* 198 */
#endif
|| n == SSL_R_RECORD_LENGTH_MISMATCH /* 213 */
+#ifdef SSL_R_TOO_MANY_WARNING_ALERTS
+ || n == SSL_R_TOO_MANY_WARNING_ALERTS /* 220 */
+#endif
#ifdef SSL_R_CLIENTHELLO_TLSEXT
|| n == SSL_R_CLIENTHELLO_TLSEXT /* 226 */
#endif
@@ -3467,11 +3479,20 @@ ngx_ssl_connection_error(ngx_connection_
#ifdef SSL_R_NO_COMMON_SIGNATURE_ALGORITHMS
|| n == SSL_R_NO_COMMON_SIGNATURE_ALGORITHMS /* 253 */
#endif
+#ifdef SSL_R_INVALID_COMPRESSION_LIST
+ || n == SSL_R_INVALID_COMPRESSION_LIST /* 256 */
+#endif
+#ifdef SSL_R_MISSING_KEY_SHARE
+ || n == SSL_R_MISSING_KEY_SHARE /* 258 */
+#endif
|| n == SSL_R_UNSUPPORTED_PROTOCOL /* 258 */
#ifdef SSL_R_NO_SHARED_GROUP
|| n == SSL_R_NO_SHARED_GROUP /* 266 */
#endif
|| n == SSL_R_WRONG_VERSION_NUMBER /* 267 */
+#ifdef SSL_R_TOO_MUCH_SKIPPED_EARLY_DATA
+ || n == SSL_R_TOO_MUCH_SKIPPED_EARLY_DATA /* 270 */
+#endif
|| n == SSL_R_BAD_LENGTH /* 271 */
|| n == SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC /* 281 */
#ifdef SSL_R_APPLICATION_DATA_AFTER_CLOSE_NOTIFY
More information about the nginx-devel
mailing list