Mercurial > hg > nginx

view auto/summary @ 8144:6bee5e692579

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
SSL: logging levels of various errors reported with tlsfuzzer. To further differentiate client-related errors and adjust logging levels of various SSL errors, nginx was tested with tlsfuzzer with multiple OpenSSL versions (3.1.0-beta1, 3.0.8, 1.1.1t, 1.1.0l, 1.0.2u, 1.0.1u, 1.0.0s, 0.9.8zh). The following errors were observed during tlsfuzzer runs with OpenSSL 3.0.8, and are clearly client-related: SSL_do_handshake() failed (SSL: error:0A000092:SSL routines::data length too long) SSL_do_handshake() failed (SSL: error:0A0000A0:SSL routines::length too short) SSL_do_handshake() failed (SSL: error:0A000124:SSL routines::bad legacy version) SSL_do_handshake() failed (SSL: error:0A000178:SSL routines::no shared signature algorithms) Accordingly, the SSL_R_DATA_LENGTH_TOO_LONG ("data length too long"), SSL_R_LENGTH_TOO_SHORT ("length too short"), SSL_R_BAD_LEGACY_VERSION ("bad legacy version"), and SSL_R_NO_SHARED_SIGNATURE_ALGORITHMS ("no shared signature algorithms", misspelled as "sigature" in OpenSSL 1.0.2) errors are now logged at the "info" level. Additionally, the following errors were observed with OpenSSL 3.0.8 and with TLSv1.3 enabled: SSL_do_handshake() failed (SSL: error:0A00006F:SSL routines::bad digest length) SSL_do_handshake() failed (SSL: error:0A000070:SSL routines::missing sigalgs extension) SSL_do_handshake() failed (SSL: error:0A000096:SSL routines::encrypted length too long) SSL_do_handshake() failed (SSL: error:0A00010F:SSL routines::bad length) SSL_read() failed (SSL: error:0A00007A:SSL routines::bad key update) SSL_read() failed (SSL: error:0A000125:SSL routines::mixed handshake and non handshake data) Accordingly, the SSL_R_BAD_DIGEST_LENGTH ("bad digest length"), SSL_R_MISSING_SIGALGS_EXTENSION ("missing sigalgs extension"), SSL_R_ENCRYPTED_LENGTH_TOO_LONG ("encrypted length too long"), SSL_R_BAD_LENGTH ("bad length"), SSL_R_BAD_KEY_UPDATE ("bad key update"), and SSL_R_MIXED_HANDSHAKE_AND_NON_HANDSHAKE_DATA ("mixed handshake and non handshake data") errors are now logged at the "info" level. Additionally, the following errors were observed with OpenSSL 1.1.1t: SSL_do_handshake() failed (SSL: error:14094091:SSL routines:ssl3_read_bytes:data between ccs and finished) SSL_do_handshake() failed (SSL: error:14094199:SSL routines:ssl3_read_bytes:too many warn alerts) SSL_read() failed (SSL: error:1408F0C6:SSL routines:ssl3_get_record:packet length too long) SSL_read() failed (SSL: error:14094085:SSL routines:ssl3_read_bytes:ccs received early) Accordingly, the SSL_R_CCS_RECEIVED_EARLY ("ccs received early"), SSL_R_DATA_BETWEEN_CCS_AND_FINISHED ("data between ccs and finished"), SSL_R_PACKET_LENGTH_TOO_LONG ("packet length too long"), and SSL_R_TOO_MANY_WARN_ALERTS ("too many warn alerts") errors are now logged at the "info" level. Additionally, the following errors were observed with OpenSSL 1.0.2u: SSL_do_handshake() failed (SSL: error:1407612A:SSL routines:SSL23_GET_CLIENT_HELLO:record too small) SSL_do_handshake() failed (SSL: error:1408C09A:SSL routines:ssl3_get_finished:got a fin before a ccs) Accordingly, the SSL_R_RECORD_TOO_SMALL ("record too small") and SSL_R_GOT_A_FIN_BEFORE_A_CCS ("got a fin before a ccs") errors are now logged at the "info" level. No additional client-related errors were observed while testing with OpenSSL 3.1.0-beta1, OpenSSL 1.1.0l, OpenSSL 1.0.1u, OpenSSL 1.0.0s, and OpenSSL 0.9.8zh.
author Maxim Dounin <mdounin@mdounin.ru>
date Wed, 08 Mar 2023 22:21:59 +0300
parents 0b5f12d5c531
children
line wrap: on
line source


# Copyright (C) Igor Sysoev
# Copyright (C) Nginx, Inc.


echo
echo "Configuration summary"


if [ $USE_THREADS = YES ]; then
    echo "  + using threads"
fi

if [ $USE_PCRE = DISABLED ]; then
    echo "  + PCRE library is disabled"

else
    case $PCRE in
        YES)   echo "  + using system $PCRE_LIBRARY library" ;;
        NONE)  echo "  + PCRE library is not used" ;;
        *)     echo "  + using $PCRE_LIBRARY library: $PCRE" ;;
    esac
fi

case $OPENSSL in
    YES)   echo "  + using system OpenSSL library" ;;
    NONE)  echo "  + OpenSSL library is not used" ;;
    *)     echo "  + using OpenSSL library: $OPENSSL" ;;
esac

case $ZLIB in
    YES)   echo "  + using system zlib library" ;;
    NONE)  echo "  + zlib library is not used" ;;
    *)     echo "  + using zlib library: $ZLIB" ;;
esac

case $NGX_LIBATOMIC in
    YES)   echo "  + using system libatomic_ops library" ;;
    NO)    ;; # not used
    *)     echo "  + using libatomic_ops library: $NGX_LIBATOMIC" ;;
esac

echo


cat << END
  nginx path prefix: "$NGX_PREFIX"
  nginx binary file: "$NGX_SBIN_PATH"
  nginx modules path: "$NGX_MODULES_PATH"
  nginx configuration prefix: "$NGX_CONF_PREFIX"
  nginx configuration file: "$NGX_CONF_PATH"
  nginx pid file: "$NGX_PID_PATH"
END

if test -n "$NGX_ERROR_LOG_PATH"; then
    echo "  nginx error log file: \"$NGX_ERROR_LOG_PATH\""
else
    echo "  nginx logs errors to stderr"
fi

cat << END
  nginx http access log file: "$NGX_HTTP_LOG_PATH"
  nginx http client request body temporary files: "$NGX_HTTP_CLIENT_TEMP_PATH"
END

if [ $HTTP_PROXY = YES ]; then
    echo "  nginx http proxy temporary files: \"$NGX_HTTP_PROXY_TEMP_PATH\""
fi

if [ $HTTP_FASTCGI = YES ]; then
    echo "  nginx http fastcgi temporary files: \"$NGX_HTTP_FASTCGI_TEMP_PATH\""
fi

if [ $HTTP_UWSGI = YES ]; then
    echo "  nginx http uwsgi temporary files: \"$NGX_HTTP_UWSGI_TEMP_PATH\""
fi

if [ $HTTP_SCGI = YES ]; then
    echo "  nginx http scgi temporary files: \"$NGX_HTTP_SCGI_TEMP_PATH\""
fi

echo "$NGX_POST_CONF_MSG"