SSL: logging level of "record layer failure" errors

The SSL_R_RECORD_LAYER_FAILURE ("record layer failure") errors are
reported by OpenSSL 3.2 or newer as the last record layer error for
various low level read errors.  Further, a976e6b9e (1.23.4) caused
to always log them at the "crit" level.  For example, the following
errors are observed on OpenSSL 3.2.0 - 4.0:

SSL_read() failed (SSL: error:0A000119:SSL routines::decryption failed
 or bad record mac error:0A000139:SSL routines::record layer failure)
SSL_read() failed (SSL: error:1C800066:Provider routines::cipher operation
 failed error:0A000119:SSL routines::decryption failed or bad record mac
 error:0A000139:SSL routines::record layer failure)
SSL_read() failed (SSL: error:0A00010B:SSL routines::wrong version number
 error:0A000139:SSL routines::record layer failure)

These errors are now logged at the "info" level.

Closes: https://github.com/nginx/nginx/issues/961
Co-authored-by: Smeet23 <smeetagrawal2003@gmail.com>

diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index f04a462bf0195d0f3ca8b0194e95713fbce76b13..1653be0c341035318a831921d4c45057278e7ae4 100644 (file)
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -3966,6 +3966,9 @@ ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err,
 #ifdef SSL_R_BAD_ECPOINT
             || n == SSL_R_BAD_ECPOINT                                /*  306 */
 #endif
+#ifdef SSL_R_RECORD_LAYER_FAILURE
+            || n == SSL_R_RECORD_LAYER_FAILURE                       /*  313 */
+#endif
 #ifdef SSL_R_RENEGOTIATE_EXT_TOO_LONG
             || n == SSL_R_RENEGOTIATE_EXT_TOO_LONG                   /*  335 */
             || n == SSL_R_RENEGOTIATION_ENCODING_ERR                 /*  336 */