]> git.kaiwu.me - nginx.git/commitdiff
projects / nginx.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: a3a94f7)
SSL: logging levels of errors observed with tlsfuzzer and LibreSSL.
authorMaxim Dounin <mdounin@mdounin.ru>
Wed, 8 Mar 2023 19:22:34 +0000 (22:22 +0300)
committerMaxim Dounin <mdounin@mdounin.ru>
Wed, 8 Mar 2023 19:22:34 +0000 (22:22 +0300)
As tested with tlsfuzzer with LibreSSL 3.7.0, the following errors are
certainly client-related:

SSL_do_handshake() failed (SSL: error:14026073:SSL routines:ACCEPT_SR_CLNT_HELLO:bad packet length)
SSL_do_handshake() failed (SSL: error:1402612C:SSL routines:ACCEPT_SR_CLNT_HELLO:ssl3 session id too long)
SSL_do_handshake() failed (SSL: error:140380EA:SSL routines:ACCEPT_SR_KEY_EXCH:tls rsa encrypted value length is wrong)

Accordingly, the SSL_R_BAD_PACKET_LENGTH ("bad packet length"),
SSL_R_SSL3_SESSION_ID_TOO_LONG ("ssl3 session id too long"),
SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG ("tls rsa encrypted value
length is wrong") errors are now logged at the "info" level.

src/event/ngx_event_openssl.c patch | blob | history

diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index 84cdef5a8b9c8059087ada94deebab6288ceefbb..b400ca6ee773891255e2a1b963deebd2eded7d65 100644 (file)
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -3406,6 +3406,7 @@ ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err,
 #ifdef SSL_R_MISSING_SIGALGS_EXTENSION
             || n == SSL_R_MISSING_SIGALGS_EXTENSION                  /*  112 */
 #endif
+            || n == SSL_R_BAD_PACKET_LENGTH                          /*  115 */
 #ifdef SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM
             || n == SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM            /*  118 */
 #endif
@@ -3453,6 +3454,9 @@ ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err,
 #ifdef SSL_R_CALLBACK_FAILED
             || n == SSL_R_CALLBACK_FAILED                            /*  234 */
 #endif
+#ifdef SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG
+            || n == SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG    /*  234 */
+#endif
 #ifdef SSL_R_NO_APPLICATION_PROTOCOL
             || n == SSL_R_NO_APPLICATION_PROTOCOL                    /*  235 */
 #endif
@@ -3485,6 +3489,9 @@ ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err,
 #ifdef SSL_R_RECORD_TOO_SMALL
             || n == SSL_R_RECORD_TOO_SMALL                           /*  298 */
 #endif
+#ifdef SSL_R_SSL3_SESSION_ID_TOO_LONG
+            || n == SSL_R_SSL3_SESSION_ID_TOO_LONG                   /*  300 */
+#endif
 #ifdef SSL_R_BAD_ECPOINT
             || n == SSL_R_BAD_ECPOINT                                /*  306 */
 #endif
nginx upstream