Mercurial > hg > nginx
annotate docs/GNUmakefile @ 8144:6bee5e692579
SSL: logging levels of various errors reported with tlsfuzzer.
To further differentiate client-related errors and adjust logging levels
of various SSL errors, nginx was tested with tlsfuzzer with multiple
OpenSSL versions (3.1.0-beta1, 3.0.8, 1.1.1t, 1.1.0l, 1.0.2u, 1.0.1u,
1.0.0s, 0.9.8zh).
The following errors were observed during tlsfuzzer runs with OpenSSL 3.0.8,
and are clearly client-related:
SSL_do_handshake() failed (SSL: error:0A000092:SSL routines::data length too long)
SSL_do_handshake() failed (SSL: error:0A0000A0:SSL routines::length too short)
SSL_do_handshake() failed (SSL: error:0A000124:SSL routines::bad legacy version)
SSL_do_handshake() failed (SSL: error:0A000178:SSL routines::no shared signature algorithms)
Accordingly, the SSL_R_DATA_LENGTH_TOO_LONG ("data length too long"),
SSL_R_LENGTH_TOO_SHORT ("length too short"), SSL_R_BAD_LEGACY_VERSION
("bad legacy version"), and SSL_R_NO_SHARED_SIGNATURE_ALGORITHMS
("no shared signature algorithms", misspelled as "sigature" in OpenSSL 1.0.2)
errors are now logged at the "info" level.
Additionally, the following errors were observed with OpenSSL 3.0.8 and
with TLSv1.3 enabled:
SSL_do_handshake() failed (SSL: error:0A00006F:SSL routines::bad digest length)
SSL_do_handshake() failed (SSL: error:0A000070:SSL routines::missing sigalgs extension)
SSL_do_handshake() failed (SSL: error:0A000096:SSL routines::encrypted length too long)
SSL_do_handshake() failed (SSL: error:0A00010F:SSL routines::bad length)
SSL_read() failed (SSL: error:0A00007A:SSL routines::bad key update)
SSL_read() failed (SSL: error:0A000125:SSL routines::mixed handshake and non handshake data)
Accordingly, the SSL_R_BAD_DIGEST_LENGTH ("bad digest length"),
SSL_R_MISSING_SIGALGS_EXTENSION ("missing sigalgs extension"),
SSL_R_ENCRYPTED_LENGTH_TOO_LONG ("encrypted length too long"),
SSL_R_BAD_LENGTH ("bad length"), SSL_R_BAD_KEY_UPDATE ("bad key update"),
and SSL_R_MIXED_HANDSHAKE_AND_NON_HANDSHAKE_DATA ("mixed handshake and non
handshake data") errors are now logged at the "info" level.
Additionally, the following errors were observed with OpenSSL 1.1.1t:
SSL_do_handshake() failed (SSL: error:14094091:SSL routines:ssl3_read_bytes:data between ccs and finished)
SSL_do_handshake() failed (SSL: error:14094199:SSL routines:ssl3_read_bytes:too many warn alerts)
SSL_read() failed (SSL: error:1408F0C6:SSL routines:ssl3_get_record:packet length too long)
SSL_read() failed (SSL: error:14094085:SSL routines:ssl3_read_bytes:ccs received early)
Accordingly, the SSL_R_CCS_RECEIVED_EARLY ("ccs received early"),
SSL_R_DATA_BETWEEN_CCS_AND_FINISHED ("data between ccs and finished"),
SSL_R_PACKET_LENGTH_TOO_LONG ("packet length too long"), and
SSL_R_TOO_MANY_WARN_ALERTS ("too many warn alerts") errors are now logged
at the "info" level.
Additionally, the following errors were observed with OpenSSL 1.0.2u:
SSL_do_handshake() failed (SSL: error:1407612A:SSL routines:SSL23_GET_CLIENT_HELLO:record too small)
SSL_do_handshake() failed (SSL: error:1408C09A:SSL routines:ssl3_get_finished:got a fin before a ccs)
Accordingly, the SSL_R_RECORD_TOO_SMALL ("record too small") and
SSL_R_GOT_A_FIN_BEFORE_A_CCS ("got a fin before a ccs") errors are now
logged at the "info" level.
No additional client-related errors were observed while testing with
OpenSSL 3.1.0-beta1, OpenSSL 1.1.0l, OpenSSL 1.0.1u, OpenSSL 1.0.0s,
and OpenSSL 0.9.8zh.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Wed, 08 Mar 2023 22:21:59 +0300 |
parents | f303f3e43f7b |
children | 1bc938b270dc |
rev | line source |
---|---|
681 | 1 |
775 | 2 VER= $(shell grep 'define NGINX_VERSION' src/core/nginx.h \ |
5147
864030a4ff2a
Configure: unified nginx version computation constructs.
Ruslan Ermilov <ru@nginx.com>
parents:
4831
diff
changeset
|
3 | sed -e 's/^.*"\(.*\)".*/\1/') |
681 | 4 NGINX= nginx-$(VER) |
5 TEMP= tmp | |
5585
f303f3e43f7b
Docs: switched from java XSLScript to xslscript.pl.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5147
diff
changeset
|
6 XSLS?= xslscript.pl |
681 | 7 |
8 | |
4187
b9dade63fcc2
The reference documentation is moving elsewhere.
Ruslan Ermilov <ru@nginx.com>
parents:
4110
diff
changeset
|
9 all: changes |
4068
22364b1f61c9
Initial English translation of Core and HTTP Core modules.
Ruslan Ermilov <ru@nginx.com>
parents:
4013
diff
changeset
|
10 |
681 | 11 changes: $(TEMP)/$(NGINX)/CHANGES.ru \ |
12 $(TEMP)/$(NGINX)/CHANGES | |
13 | |
14 | |
4831
5e3bda6f5208
Pass changes.xml thru xmllint when generating CHANGES and CHANGES.ru.
Ruslan Ermilov <ru@nginx.com>
parents:
4776
diff
changeset
|
15 $(TEMP)/$(NGINX)/CHANGES.ru: docs/dtd/changes.dtd \ |
5e3bda6f5208
Pass changes.xml thru xmllint when generating CHANGES and CHANGES.ru.
Ruslan Ermilov <ru@nginx.com>
parents:
4776
diff
changeset
|
16 docs/xml/nginx/changes.xml \ |
4013
b427290fb6bc
- Added missing dependencies for the CHANGES{,ru} targets.
Ruslan Ermilov <ru@nginx.com>
parents:
3999
diff
changeset
|
17 docs/xml/change_log_conf.xml \ |
681 | 18 docs/xslt/changes.xslt |
19 | |
4776
3032f4854b81
Simplified makefile that builds CHANGES.
Ruslan Ermilov <ru@nginx.com>
parents:
4187
diff
changeset
|
20 mkdir -p $(TEMP)/$(NGINX) |
681 | 21 |
4831
5e3bda6f5208
Pass changes.xml thru xmllint when generating CHANGES and CHANGES.ru.
Ruslan Ermilov <ru@nginx.com>
parents:
4776
diff
changeset
|
22 xmllint --noout --valid docs/xml/nginx/changes.xml |
4013
b427290fb6bc
- Added missing dependencies for the CHANGES{,ru} targets.
Ruslan Ermilov <ru@nginx.com>
parents:
3999
diff
changeset
|
23 xsltproc --stringparam lang ru \ |
4776
3032f4854b81
Simplified makefile that builds CHANGES.
Ruslan Ermilov <ru@nginx.com>
parents:
4187
diff
changeset
|
24 -o $@ docs/xslt/changes.xslt docs/xml/nginx/changes.xml |
681 | 25 |
26 | |
4831
5e3bda6f5208
Pass changes.xml thru xmllint when generating CHANGES and CHANGES.ru.
Ruslan Ermilov <ru@nginx.com>
parents:
4776
diff
changeset
|
27 $(TEMP)/$(NGINX)/CHANGES: docs/dtd/changes.dtd \ |
5e3bda6f5208
Pass changes.xml thru xmllint when generating CHANGES and CHANGES.ru.
Ruslan Ermilov <ru@nginx.com>
parents:
4776
diff
changeset
|
28 docs/xml/nginx/changes.xml \ |
4013
b427290fb6bc
- Added missing dependencies for the CHANGES{,ru} targets.
Ruslan Ermilov <ru@nginx.com>
parents:
3999
diff
changeset
|
29 docs/xml/change_log_conf.xml \ |
681 | 30 docs/xslt/changes.xslt |
31 | |
4776
3032f4854b81
Simplified makefile that builds CHANGES.
Ruslan Ermilov <ru@nginx.com>
parents:
4187
diff
changeset
|
32 mkdir -p $(TEMP)/$(NGINX) |
681 | 33 |
4831
5e3bda6f5208
Pass changes.xml thru xmllint when generating CHANGES and CHANGES.ru.
Ruslan Ermilov <ru@nginx.com>
parents:
4776
diff
changeset
|
34 xmllint --noout --valid docs/xml/nginx/changes.xml |
4013
b427290fb6bc
- Added missing dependencies for the CHANGES{,ru} targets.
Ruslan Ermilov <ru@nginx.com>
parents:
3999
diff
changeset
|
35 xsltproc --stringparam lang en \ |
4776
3032f4854b81
Simplified makefile that builds CHANGES.
Ruslan Ermilov <ru@nginx.com>
parents:
4187
diff
changeset
|
36 -o $@ docs/xslt/changes.xslt docs/xml/nginx/changes.xml |
681 | 37 |
38 | |
5585
f303f3e43f7b
Docs: switched from java XSLScript to xslscript.pl.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5147
diff
changeset
|
39 docs/xslt/changes.xslt: docs/xsls/changes.xsls |
681 | 40 |
5585
f303f3e43f7b
Docs: switched from java XSLScript to xslscript.pl.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5147
diff
changeset
|
41 $(XSLS) -o $@ $< |