[PATCH 4 of 4] SSL: logging levels of errors observed with BoringSSL

Roman Arutyunyan arut at nginx.com
Tue Mar 7 14:48:52 UTC 2023


Hi,

On Wed, Mar 01, 2023 at 05:56:05PM +0300, Maxim Dounin wrote:
> # HG changeset patch
> # User Maxim Dounin <mdounin at mdounin.ru>
> # Date 1677682467 -10800
> #      Wed Mar 01 17:54:27 2023 +0300
> # Node ID ad67809ab209bd575dac52756ad4aeb5255d430e
> # Parent  207742991a561c0ed70834d4ce18e8452689419d
> SSL: logging levels of errors observed with BoringSSL.
> 
> As tested with tlsfuzzer with BoringSSL, the following errors are
> certainly client-related:
> 
> SSL_do_handshake() failed (SSL: error:10000066:SSL routines:OPENSSL_internal:BAD_ALERT)
> SSL_do_handshake() failed (SSL: error:10000089:SSL routines:OPENSSL_internal:DECODE_ERROR)
> SSL_do_handshake() failed (SSL: error:100000dc:SSL routines:OPENSSL_internal:TOO_MANY_WARNING_ALERTS)
> SSL_do_handshake() failed (SSL: error:10000100:SSL routines:OPENSSL_internal:INVALID_COMPRESSION_LIST)
> SSL_do_handshake() failed (SSL: error:10000102:SSL routines:OPENSSL_internal:MISSING_KEY_SHARE)
> SSL_do_handshake() failed (SSL: error:1000010e:SSL routines:OPENSSL_internal:TOO_MUCH_SKIPPED_EARLY_DATA)
> SSL_read() failed (SSL: error:100000b6:SSL routines:OPENSSL_internal:NO_RENEGOTIATION)
> 
> Accordingly, the SSL_R_BAD_ALERT, SSL_R_DECODE_ERROR,
> SSL_R_TOO_MANY_WARNING_ALERTS, SSL_R_INVALID_COMPRESSION_LIST,
> SSL_R_MISSING_KEY_SHARE, SSL_R_TOO_MUCH_SKIPPED_EARLY_DATA,
> and SSL_R_NO_RENEGOTIATION errors are now logged at the "info" level.
> 
> diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
> --- a/src/event/ngx_event_openssl.c
> +++ b/src/event/ngx_event_openssl.c
> @@ -3396,6 +3396,9 @@ ngx_ssl_connection_error(ngx_connection_
>  #ifdef SSL_R_NO_SUITABLE_KEY_SHARE
>              || n == SSL_R_NO_SUITABLE_KEY_SHARE                      /*  101 */
>  #endif
> +#ifdef SSL_R_BAD_ALERT
> +            || n == SSL_R_BAD_ALERT                                  /*  102 */
> +#endif
>  #ifdef SSL_R_BAD_KEY_SHARE
>              || n == SSL_R_BAD_KEY_SHARE                              /*  108 */
>  #endif
> @@ -3415,6 +3418,9 @@ ngx_ssl_connection_error(ngx_connection_
>  #endif
>              || n == SSL_R_BLOCK_CIPHER_PAD_IS_WRONG                  /*  129 */
>              || n == SSL_R_CCS_RECEIVED_EARLY                         /*  133 */
> +#ifdef SSL_R_DECODE_ERROR
> +            || n == SSL_R_DECODE_ERROR                               /*  137 */
> +#endif
>  #ifdef SSL_R_DATA_BETWEEN_CCS_AND_FINISHED
>              || n == SSL_R_DATA_BETWEEN_CCS_AND_FINISHED              /*  145 */
>  #endif
> @@ -3432,6 +3438,9 @@ ngx_ssl_connection_error(ngx_connection_
>  #ifdef SSL_R_LENGTH_TOO_SHORT
>              || n == SSL_R_LENGTH_TOO_SHORT                           /*  160 */
>  #endif
> +#ifdef SSL_R_NO_RENEGOTIATION
> +            || n == SSL_R_NO_RENEGOTIATION                           /*  182 */
> +#endif
>  #ifdef SSL_R_NO_CIPHERS_PASSED
>              || n == SSL_R_NO_CIPHERS_PASSED                          /*  182 */
>  #endif
> @@ -3445,6 +3454,9 @@ ngx_ssl_connection_error(ngx_connection_
>              || n == SSL_R_PACKET_LENGTH_TOO_LONG                     /*  198 */
>  #endif
>              || n == SSL_R_RECORD_LENGTH_MISMATCH                     /*  213 */
> +#ifdef SSL_R_TOO_MANY_WARNING_ALERTS
> +            || n == SSL_R_TOO_MANY_WARNING_ALERTS                    /*  220 */
> +#endif
>  #ifdef SSL_R_CLIENTHELLO_TLSEXT
>              || n == SSL_R_CLIENTHELLO_TLSEXT                         /*  226 */
>  #endif
> @@ -3467,11 +3479,20 @@ ngx_ssl_connection_error(ngx_connection_
>  #ifdef SSL_R_NO_COMMON_SIGNATURE_ALGORITHMS
>              || n == SSL_R_NO_COMMON_SIGNATURE_ALGORITHMS             /*  253 */
>  #endif
> +#ifdef SSL_R_INVALID_COMPRESSION_LIST
> +            || n == SSL_R_INVALID_COMPRESSION_LIST                   /*  256 */
> +#endif
> +#ifdef SSL_R_MISSING_KEY_SHARE
> +            || n == SSL_R_MISSING_KEY_SHARE                          /*  258 */
> +#endif
>              || n == SSL_R_UNSUPPORTED_PROTOCOL                       /*  258 */
>  #ifdef SSL_R_NO_SHARED_GROUP
>              || n == SSL_R_NO_SHARED_GROUP                            /*  266 */
>  #endif
>              || n == SSL_R_WRONG_VERSION_NUMBER                       /*  267 */
> +#ifdef SSL_R_TOO_MUCH_SKIPPED_EARLY_DATA
> +            || n == SSL_R_TOO_MUCH_SKIPPED_EARLY_DATA                /*  270 */
> +#endif
>              || n == SSL_R_BAD_LENGTH                                 /*  271 */
>              || n == SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC        /*  281 */
>  #ifdef SSL_R_APPLICATION_DATA_AFTER_CLOSE_NOTIFY
> _______________________________________________
> nginx-devel mailing list
> nginx-devel at nginx.org
> https://mailman.nginx.org/mailman/listinfo/nginx-devel

Looks ok


More information about the nginx-devel mailing list