annotate auto/summary @ 8144:6bee5e692579
SSL: logging levels of various errors reported with tlsfuzzer.

To further differentiate client-related errors and adjust logging levels
of various SSL errors, nginx was tested with tlsfuzzer with multiple
OpenSSL versions (3.1.0-beta1, 3.0.8, 1.1.1t, 1.1.0l, 1.0.2u, 1.0.1u,
1.0.0s, 0.9.8zh).

The following errors were observed during tlsfuzzer runs with OpenSSL 3.0.8,
and are clearly client-related:

    SSL_do_handshake() failed (SSL: error:0A000092:SSL routines::data length too long)
    SSL_do_handshake() failed (SSL: error:0A0000A0:SSL routines::length too short)
    SSL_do_handshake() failed (SSL: error:0A000124:SSL routines::bad legacy version)
    SSL_do_handshake() failed (SSL: error:0A000178:SSL routines::no shared signature algorithms)

Accordingly, the SSL_R_DATA_LENGTH_TOO_LONG ("data length too long"),
SSL_R_LENGTH_TOO_SHORT ("length too short"), SSL_R_BAD_LEGACY_VERSION
("bad legacy version"), and SSL_R_NO_SHARED_SIGNATURE_ALGORITHMS
("no shared signature algorithms", misspelled as "sigature" in OpenSSL 1.0.2)
errors are now logged at the "info" level.

Additionally, the following errors were observed with OpenSSL 3.0.8 and
with TLSv1.3 enabled:

    SSL_do_handshake() failed (SSL: error:0A00006F:SSL routines::bad digest length)
    SSL_do_handshake() failed (SSL: error:0A000070:SSL routines::missing sigalgs extension)
    SSL_do_handshake() failed (SSL: error:0A000096:SSL routines::encrypted length too long)
    SSL_do_handshake() failed (SSL: error:0A00010F:SSL routines::bad length)
    SSL_read() failed (SSL: error:0A00007A:SSL routines::bad key update)
    SSL_read() failed (SSL: error:0A000125:SSL routines::mixed handshake and non handshake data)

Accordingly, the SSL_R_BAD_DIGEST_LENGTH ("bad digest length"),
SSL_R_MISSING_SIGALGS_EXTENSION ("missing sigalgs extension"),
SSL_R_ENCRYPTED_LENGTH_TOO_LONG ("encrypted length too long"),
SSL_R_BAD_LENGTH ("bad length"), SSL_R_BAD_KEY_UPDATE ("bad key update"),
and SSL_R_MIXED_HANDSHAKE_AND_NON_HANDSHAKE_DATA ("mixed handshake and non
handshake data") errors are now logged at the "info" level.

Additionally, the following errors were observed with OpenSSL 1.1.1t:

    SSL_do_handshake() failed (SSL: error:14094091:SSL routines:ssl3_read_bytes:data between ccs and finished)
    SSL_do_handshake() failed (SSL: error:14094199:SSL routines:ssl3_read_bytes:too many warn alerts)
    SSL_read() failed (SSL: error:1408F0C6:SSL routines:ssl3_get_record:packet length too long)
    SSL_read() failed (SSL: error:14094085:SSL routines:ssl3_read_bytes:ccs received early)

Accordingly, the SSL_R_CCS_RECEIVED_EARLY ("ccs received early"),
SSL_R_DATA_BETWEEN_CCS_AND_FINISHED ("data between ccs and finished"),
SSL_R_PACKET_LENGTH_TOO_LONG ("packet length too long"), and
SSL_R_TOO_MANY_WARN_ALERTS ("too many warn alerts") errors are now logged
at the "info" level.

Additionally, the following errors were observed with OpenSSL 1.0.2u:

    SSL_do_handshake() failed (SSL: error:1407612A:SSL routines:SSL23_GET_CLIENT_HELLO:record too small)
    SSL_do_handshake() failed (SSL: error:1408C09A:SSL routines:ssl3_get_finished:got a fin before a ccs)

Accordingly, the SSL_R_RECORD_TOO_SMALL ("record too small") and
SSL_R_GOT_A_FIN_BEFORE_A_CCS ("got a fin before a ccs") errors are now
logged at the "info" level.

No additional client-related errors were observed while testing with
OpenSSL 3.1.0-beta1, OpenSSL 1.1.0l, OpenSSL 1.0.1u, OpenSSL 1.0.0s,
and OpenSSL 0.9.8zh.

author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Wed, 08 Mar 2023 22:21:59 +0300 |
parents | 0b5f12d5c531 |
children |
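
A log-triage sketch for the reason strings listed in the commit message above, as an added example that is not part of nginx or of this changeset: it parses error-log lines in both the OpenSSL 3.x and 1.x error-string layouts quoted in the message and marks lines whose reasons are all on that list but were logged above "info". The function name, the verdict labels, the sample lines (timestamps, connection numbers, addresses) and the made-up reason in the third sample are assumptions constructed for illustration.

```python
import re

# Reason strings the commit message lists as now logged at "info".
CLIENT_REASONS = frozenset({
    "data length too long", "length too short", "bad legacy version",
    "no shared signature algorithms",
    "no shared sigature algorithms",   # OpenSSL 1.0.2 spelling noted in the message
    "bad digest length", "missing sigalgs extension",
    "encrypted length too long", "bad length", "bad key update",
    "mixed handshake and non handshake data", "ccs received early",
    "data between ccs and finished", "packet length too long",
    "too many warn alerts", "record too small", "got a fin before a ccs",
})

LEVEL = re.compile(r"\[(\w+)\]")
# error:<hex code>:<library>:<function, empty on OpenSSL 3.x>:<reason>
SSL_ERR = re.compile(
    r"error:([0-9A-Fa-f]{8}):[^:]*:[^:]*:([^:)]+?)(?=:|\)| error:|$)")

def triage(lines):
    """Return (level, reasons, verdict) for each line carrying an SSL error."""
    out = []
    for line in lines:
        reasons = [m.group(2).strip() for m in SSL_ERR.finditer(line)]
        if not reasons:
            continue                       # not an OpenSSL error-queue line
        m = LEVEL.search(line)
        level = m.group(1) if m else "unknown"
        if not all(r in CLIENT_REASONS for r in reasons):
            verdict = "unlisted"           # at least one reason not named in the commit
        elif level == "info":
            verdict = "client"             # listed and already at "info"
        else:
            verdict = "client-noisy"       # listed, but logged above "info"
        out.append((level, reasons, verdict))
    return out

# Constructed sample lines; only the error strings in the first two come from the page.
SAMPLE = [
    "2023/03/08 10:00:01 [crit] 100#0: *1 SSL_do_handshake() failed (SSL: error:0A000092:SSL routines::data length too long) while SSL handshaking, client: 192.0.2.10",
    "2023/03/08 10:00:02 [info] 100#0: *2 SSL_read() failed (SSL: error:14094085:SSL routines:ssl3_read_bytes:ccs received early), client: 192.0.2.11",
    "2023/03/08 10:00:03 [crit] 100#0: *3 SSL_do_handshake() failed (SSL: error:0A00010F:SSL routines::bad length error:0A000000:SSL routines::made-up unlisted reason) while SSL handshaking, client: 192.0.2.12",
    '2023/03/08 10:00:04 [error] 100#0: *4 open() "/srv/www/x" failed (2: No such file or directory), client: 192.0.2.13',
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

A "client-noisy" verdict points at a build that predates this change; "unlisted" only means the reason is not named in this commit message, not that it is server-side.
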
| rev | line source |
|---|---|
| 444 | 1 |
| | 2 # Copyright (C) Igor Sysoev |
| 4412 | 3 # Copyright (C) Nginx, Inc. |
| 444 | 4 |
| 210 | 5 |
| | 6 echo |
| | 7 echo "Configuration summary" |
| | 8 |
| 337 | 9 |
| 6018 | 10 if [ $USE_THREADS = YES ]; then |
| | 11 echo " + using threads" |
| | 12 fi |
| | 13 |
| 265 | 14 if [ $USE_PCRE = DISABLED ]; then |
| 501 | 15 echo " + PCRE library is disabled" |
| 265 | 16 |
| | 17 else |
| | 18 case $PCRE in |
| 7981 | 19 YES) echo " + using system $PCRE_LIBRARY library" ;; |
| 425 | 20 NONE) echo " + PCRE library is not used" ;; |
| 7981 | 21 *) echo " + using $PCRE_LIBRARY library: $PCRE" ;; |
| 265 | 22 esac |
| | 23 fi |
| 212 | 24 |
| 399 | 25 case $OPENSSL in |
| 425 | 26 YES) echo " + using system OpenSSL library" ;; |
| | 27 NONE) echo " + OpenSSL library is not used" ;; |
| | 28 *) echo " + using OpenSSL library: $OPENSSL" ;; |
| 399 | 29 esac |
| | 30 |
| 210 | 31 case $ZLIB in |
| 425 | 32 YES) echo " + using system zlib library" ;; |
| | 33 NONE) echo " + zlib library is not used" ;; |
| | 34 *) echo " + using zlib library: $ZLIB" ;; |
| 210 | 35 esac |
| | 36 |
| 3380 | 37 case $NGX_LIBATOMIC in |
| | 38 YES) echo " + using system libatomic_ops library" ;; |
| | 39 NO) ;; # not used |
| | 40 *) echo " + using libatomic_ops library: $NGX_LIBATOMIC" ;; |
| | 41 esac |
| | 42 |
| 210 | 43 echo |
| 255 | 44 |
| | 45 |
| 479 | 46 cat << END |
| 493 | 47 nginx path prefix: "$NGX_PREFIX" |
| | 48 nginx binary file: "$NGX_SBIN_PATH" |
| 6383 | 49 nginx modules path: "$NGX_MODULES_PATH" |
| 1352 | 50 nginx configuration prefix: "$NGX_CONF_PREFIX" |
| 493 | 51 nginx configuration file: "$NGX_CONF_PATH" |
| | 52 nginx pid file: "$NGX_PID_PATH" |
| 479 | 53 END |
| | 54 |
| 469 | 55 if test -n "$NGX_ERROR_LOG_PATH"; then |
| 493 | 56 echo " nginx error log file: \"$NGX_ERROR_LOG_PATH\"" |
| 444 | 57 else |
| | 58 echo " nginx logs errors to stderr" |
| | 59 fi |
| 479 | 60 |
| | 61 cat << END |
| 493 | 62 nginx http access log file: "$NGX_HTTP_LOG_PATH" |
| | 63 nginx http client request body temporary files: "$NGX_HTTP_CLIENT_TEMP_PATH" |
| 3557 | 64 END |
| | 65 |
| | 66 if [ $HTTP_PROXY = YES ]; then |
| | 67 echo " nginx http proxy temporary files: \"$NGX_HTTP_PROXY_TEMP_PATH\"" |
| | 68 fi |
| 479 | 69 |
| 3557 | 70 if [ $HTTP_FASTCGI = YES ]; then |
| | 71 echo " nginx http fastcgi temporary files: \"$NGX_HTTP_FASTCGI_TEMP_PATH\"" |
| | 72 fi |
| | 73 |
| | 74 if [ $HTTP_UWSGI = YES ]; then |
| | 75 echo " nginx http uwsgi temporary files: \"$NGX_HTTP_UWSGI_TEMP_PATH\"" |
| | 76 fi |
| | 77 |
| 3637 | 78 if [ $HTTP_SCGI = YES ]; then |
| | 79 echo " nginx http scgi temporary files: \"$NGX_HTTP_SCGI_TEMP_PATH\"" |
| | 80 fi |
| 4280 | 81 |
| | 82 echo "$NGX_POST_CONF_MSG" |