[PATCH 4 of 4] SSL: logging levels of errors observed with BoringSSL
Roman Arutyunyan
arut at nginx.com
Tue Mar 7 14:48:52 UTC 2023
Hi,
On Wed, Mar 01, 2023 at 05:56:05PM +0300, Maxim Dounin wrote:
> # HG changeset patch
> # User Maxim Dounin <mdounin at mdounin.ru>
> # Date 1677682467 -10800
> # Wed Mar 01 17:54:27 2023 +0300
> # Node ID ad67809ab209bd575dac52756ad4aeb5255d430e
> # Parent 207742991a561c0ed70834d4ce18e8452689419d
> SSL: logging levels of errors observed with BoringSSL.
>
> As tested with tlsfuzzer with BoringSSL, the following errors are
> certainly client-related:
>
> SSL_do_handshake() failed (SSL: error:10000066:SSL routines:OPENSSL_internal:BAD_ALERT)
> SSL_do_handshake() failed (SSL: error:10000089:SSL routines:OPENSSL_internal:DECODE_ERROR)
> SSL_do_handshake() failed (SSL: error:100000dc:SSL routines:OPENSSL_internal:TOO_MANY_WARNING_ALERTS)
> SSL_do_handshake() failed (SSL: error:10000100:SSL routines:OPENSSL_internal:INVALID_COMPRESSION_LIST)
> SSL_do_handshake() failed (SSL: error:10000102:SSL routines:OPENSSL_internal:MISSING_KEY_SHARE)
> SSL_do_handshake() failed (SSL: error:1000010e:SSL routines:OPENSSL_internal:TOO_MUCH_SKIPPED_EARLY_DATA)
> SSL_read() failed (SSL: error:100000b6:SSL routines:OPENSSL_internal:NO_RENEGOTIATION)
>
> Accordingly, the SSL_R_BAD_ALERT, SSL_R_DECODE_ERROR,
> SSL_R_TOO_MANY_WARNING_ALERTS, SSL_R_INVALID_COMPRESSION_LIST,
> SSL_R_MISSING_KEY_SHARE, SSL_R_TOO_MUCH_SKIPPED_EARLY_DATA,
> and SSL_R_NO_RENEGOTIATION errors are now logged at the "info" level.
>
> diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
> --- a/src/event/ngx_event_openssl.c
> +++ b/src/event/ngx_event_openssl.c
> @@ -3396,6 +3396,9 @@ ngx_ssl_connection_error(ngx_connection_
> #ifdef SSL_R_NO_SUITABLE_KEY_SHARE
> || n == SSL_R_NO_SUITABLE_KEY_SHARE /* 101 */
> #endif
> +#ifdef SSL_R_BAD_ALERT
> + || n == SSL_R_BAD_ALERT /* 102 */
> +#endif
> #ifdef SSL_R_BAD_KEY_SHARE
> || n == SSL_R_BAD_KEY_SHARE /* 108 */
> #endif
> @@ -3415,6 +3418,9 @@ ngx_ssl_connection_error(ngx_connection_
> #endif
> || n == SSL_R_BLOCK_CIPHER_PAD_IS_WRONG /* 129 */
> || n == SSL_R_CCS_RECEIVED_EARLY /* 133 */
> +#ifdef SSL_R_DECODE_ERROR
> + || n == SSL_R_DECODE_ERROR /* 137 */
> +#endif
> #ifdef SSL_R_DATA_BETWEEN_CCS_AND_FINISHED
> || n == SSL_R_DATA_BETWEEN_CCS_AND_FINISHED /* 145 */
> #endif
> @@ -3432,6 +3438,9 @@ ngx_ssl_connection_error(ngx_connection_
> #ifdef SSL_R_LENGTH_TOO_SHORT
> || n == SSL_R_LENGTH_TOO_SHORT /* 160 */
> #endif
> +#ifdef SSL_R_NO_RENEGOTIATION
> + || n == SSL_R_NO_RENEGOTIATION /* 182 */
> +#endif
> #ifdef SSL_R_NO_CIPHERS_PASSED
> || n == SSL_R_NO_CIPHERS_PASSED /* 182 */
> #endif
> @@ -3445,6 +3454,9 @@ ngx_ssl_connection_error(ngx_connection_
> || n == SSL_R_PACKET_LENGTH_TOO_LONG /* 198 */
> #endif
> || n == SSL_R_RECORD_LENGTH_MISMATCH /* 213 */
> +#ifdef SSL_R_TOO_MANY_WARNING_ALERTS
> + || n == SSL_R_TOO_MANY_WARNING_ALERTS /* 220 */
> +#endif
> #ifdef SSL_R_CLIENTHELLO_TLSEXT
> || n == SSL_R_CLIENTHELLO_TLSEXT /* 226 */
> #endif
> @@ -3467,11 +3479,20 @@ ngx_ssl_connection_error(ngx_connection_
> #ifdef SSL_R_NO_COMMON_SIGNATURE_ALGORITHMS
> || n == SSL_R_NO_COMMON_SIGNATURE_ALGORITHMS /* 253 */
> #endif
> +#ifdef SSL_R_INVALID_COMPRESSION_LIST
> + || n == SSL_R_INVALID_COMPRESSION_LIST /* 256 */
> +#endif
> +#ifdef SSL_R_MISSING_KEY_SHARE
> + || n == SSL_R_MISSING_KEY_SHARE /* 258 */
> +#endif
> || n == SSL_R_UNSUPPORTED_PROTOCOL /* 258 */
> #ifdef SSL_R_NO_SHARED_GROUP
> || n == SSL_R_NO_SHARED_GROUP /* 266 */
> #endif
> || n == SSL_R_WRONG_VERSION_NUMBER /* 267 */
> +#ifdef SSL_R_TOO_MUCH_SKIPPED_EARLY_DATA
> + || n == SSL_R_TOO_MUCH_SKIPPED_EARLY_DATA /* 270 */
> +#endif
> || n == SSL_R_BAD_LENGTH /* 271 */
> || n == SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC /* 281 */
> #ifdef SSL_R_APPLICATION_DATA_AFTER_CLOSE_NOTIFY
> _______________________________________________
> nginx-devel mailing list
> nginx-devel at nginx.org
> https://mailman.nginx.org/mailman/listinfo/nginx-devel
Looks ok
More information about the nginx-devel
mailing list