comparison src/event/ngx_event_openssl.c @ 8144:6bee5e692579

SSL: logging levels of various errors reported with tlsfuzzer. To further differentiate client-related errors and adjust logging levels of various SSL errors, nginx was tested with tlsfuzzer with multiple OpenSSL versions (3.1.0-beta1, 3.0.8, 1.1.1t, 1.1.0l, 1.0.2u, 1.0.1u, 1.0.0s, 0.9.8zh). The following errors were observed during tlsfuzzer runs with OpenSSL 3.0.8, and are clearly client-related: SSL_do_handshake() failed (SSL: error:0A000092:SSL routines::data length too long) SSL_do_handshake() failed (SSL: error:0A0000A0:SSL routines::length too short) SSL_do_handshake() failed (SSL: error:0A000124:SSL routines::bad legacy version) SSL_do_handshake() failed (SSL: error:0A000178:SSL routines::no shared signature algorithms) Accordingly, the SSL_R_DATA_LENGTH_TOO_LONG ("data length too long"), SSL_R_LENGTH_TOO_SHORT ("length too short"), SSL_R_BAD_LEGACY_VERSION ("bad legacy version"), and SSL_R_NO_SHARED_SIGNATURE_ALGORITHMS ("no shared signature algorithms", misspelled as "sigature" in OpenSSL 1.0.2) errors are now logged at the "info" level. 
Additionally, the following errors were observed with OpenSSL 3.0.8 and with TLSv1.3 enabled: SSL_do_handshake() failed (SSL: error:0A00006F:SSL routines::bad digest length) SSL_do_handshake() failed (SSL: error:0A000070:SSL routines::missing sigalgs extension) SSL_do_handshake() failed (SSL: error:0A000096:SSL routines::encrypted length too long) SSL_do_handshake() failed (SSL: error:0A00010F:SSL routines::bad length) SSL_read() failed (SSL: error:0A00007A:SSL routines::bad key update) SSL_read() failed (SSL: error:0A000125:SSL routines::mixed handshake and non handshake data) Accordingly, the SSL_R_BAD_DIGEST_LENGTH ("bad digest length"), SSL_R_MISSING_SIGALGS_EXTENSION ("missing sigalgs extension"), SSL_R_ENCRYPTED_LENGTH_TOO_LONG ("encrypted length too long"), SSL_R_BAD_LENGTH ("bad length"), SSL_R_BAD_KEY_UPDATE ("bad key update"), and SSL_R_MIXED_HANDSHAKE_AND_NON_HANDSHAKE_DATA ("mixed handshake and non handshake data") errors are now logged at the "info" level. Additionally, the following errors were observed with OpenSSL 1.1.1t: SSL_do_handshake() failed (SSL: error:14094091:SSL routines:ssl3_read_bytes:data between ccs and finished) SSL_do_handshake() failed (SSL: error:14094199:SSL routines:ssl3_read_bytes:too many warn alerts) SSL_read() failed (SSL: error:1408F0C6:SSL routines:ssl3_get_record:packet length too long) SSL_read() failed (SSL: error:14094085:SSL routines:ssl3_read_bytes:ccs received early) Accordingly, the SSL_R_CCS_RECEIVED_EARLY ("ccs received early"), SSL_R_DATA_BETWEEN_CCS_AND_FINISHED ("data between ccs and finished"), SSL_R_PACKET_LENGTH_TOO_LONG ("packet length too long"), and SSL_R_TOO_MANY_WARN_ALERTS ("too many warn alerts") errors are now logged at the "info" level. 
Additionally, the following errors were observed with OpenSSL 1.0.2u: SSL_do_handshake() failed (SSL: error:1407612A:SSL routines:SSL23_GET_CLIENT_HELLO:record too small) SSL_do_handshake() failed (SSL: error:1408C09A:SSL routines:ssl3_get_finished:got a fin before a ccs) Accordingly, the SSL_R_RECORD_TOO_SMALL ("record too small") and SSL_R_GOT_A_FIN_BEFORE_A_CCS ("got a fin before a ccs") errors are now logged at the "info" level. No additional client-related errors were observed while testing with OpenSSL 3.1.0-beta1, OpenSSL 1.1.0l, OpenSSL 1.0.1u, OpenSSL 1.0.0s, and OpenSSL 0.9.8zh.
author Maxim Dounin <mdounin@mdounin.ru>
date Wed, 08 Mar 2023 22:21:59 +0300
parents 69c7df4fe5d3
children 64db9e50f6c5
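--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -3400,29 +3400,51 @@
 || n == SSL_R_BAD_KEY_SHARE /* 108 */
 #endif
 #ifdef SSL_R_BAD_EXTENSION
 || n == SSL_R_BAD_EXTENSION /* 110 */
 #endif
+|| n == SSL_R_BAD_DIGEST_LENGTH /* 111 */
+#ifdef SSL_R_MISSING_SIGALGS_EXTENSION
+|| n == SSL_R_MISSING_SIGALGS_EXTENSION /* 112 */
+#endif
 #ifdef SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM
 || n == SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM /* 118 */
 #endif
+#ifdef SSL_R_BAD_KEY_UPDATE
+|| n == SSL_R_BAD_KEY_UPDATE /* 122 */
+#endif
 || n == SSL_R_BLOCK_CIPHER_PAD_IS_WRONG /* 129 */
+|| n == SSL_R_CCS_RECEIVED_EARLY /* 133 */
+#ifdef SSL_R_DATA_BETWEEN_CCS_AND_FINISHED
+|| n == SSL_R_DATA_BETWEEN_CCS_AND_FINISHED /* 145 */
+#endif
+|| n == SSL_R_DATA_LENGTH_TOO_LONG /* 146 */
 || n == SSL_R_DIGEST_CHECK_FAILED /* 149 */
+|| n == SSL_R_ENCRYPTED_LENGTH_TOO_LONG /* 150 */
 || n == SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST /* 151 */
 || n == SSL_R_EXCESSIVE_MESSAGE_SIZE /* 152 */
+#ifdef SSL_R_GOT_A_FIN_BEFORE_A_CCS
+|| n == SSL_R_GOT_A_FIN_BEFORE_A_CCS /* 154 */
+#endif
 || n == SSL_R_HTTPS_PROXY_REQUEST /* 155 */
 || n == SSL_R_HTTP_REQUEST /* 156 */
 || n == SSL_R_LENGTH_MISMATCH /* 159 */
+#ifdef SSL_R_LENGTH_TOO_SHORT
+|| n == SSL_R_LENGTH_TOO_SHORT /* 160 */
+#endif
 #ifdef SSL_R_NO_CIPHERS_PASSED
 || n == SSL_R_NO_CIPHERS_PASSED /* 182 */
 #endif
 || n == SSL_R_NO_CIPHERS_SPECIFIED /* 183 */
 #ifdef SSL_R_BAD_CIPHER
 || n == SSL_R_BAD_CIPHER /* 186 */
 #endif
 || n == SSL_R_NO_COMPRESSION_SPECIFIED /* 187 */
 || n == SSL_R_NO_SHARED_CIPHER /* 193 */
+#ifdef SSL_R_PACKET_LENGTH_TOO_LONG
+|| n == SSL_R_PACKET_LENGTH_TOO_LONG /* 198 */
+#endif
 || n == SSL_R_RECORD_LENGTH_MISMATCH /* 213 */
 #ifdef SSL_R_CLIENTHELLO_TLSEXT
 || n == SSL_R_CLIENTHELLO_TLSEXT /* 226 */
 #endif
 #ifdef SSL_R_PARSE_TLSEXT
@@ -3444,16 +3466,26 @@
 || n == SSL_R_UNSUPPORTED_PROTOCOL /* 258 */
 #ifdef SSL_R_NO_SHARED_GROUP
 || n == SSL_R_NO_SHARED_GROUP /* 266 */
 #endif
 || n == SSL_R_WRONG_VERSION_NUMBER /* 267 */
+|| n == SSL_R_BAD_LENGTH /* 271 */
 || n == SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC /* 281 */
 #ifdef SSL_R_APPLICATION_DATA_AFTER_CLOSE_NOTIFY
 || n == SSL_R_APPLICATION_DATA_AFTER_CLOSE_NOTIFY /* 291 */
 #endif
 #ifdef SSL_R_APPLICATION_DATA_ON_SHUTDOWN
 || n == SSL_R_APPLICATION_DATA_ON_SHUTDOWN /* 291 */
+#endif
+#ifdef SSL_R_BAD_LEGACY_VERSION
+|| n == SSL_R_BAD_LEGACY_VERSION /* 292 */
+#endif
+#ifdef SSL_R_MIXED_HANDSHAKE_AND_NON_HANDSHAKE_DATA
+|| n == SSL_R_MIXED_HANDSHAKE_AND_NON_HANDSHAKE_DATA /* 293 */
+#endif
+#ifdef SSL_R_RECORD_TOO_SMALL
+|| n == SSL_R_RECORD_TOO_SMALL /* 298 */
 #endif
 #ifdef SSL_R_BAD_ECPOINT
 || n == SSL_R_BAD_ECPOINT /* 306 */
 #endif
 #ifdef SSL_R_RENEGOTIATE_EXT_TOO_LONG
@@ -3468,15 +3500,24 @@
 || n == SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING /* 345 */
 #endif
 #ifdef SSL_R_INAPPROPRIATE_FALLBACK
 || n == SSL_R_INAPPROPRIATE_FALLBACK /* 373 */
 #endif
+#ifdef SSL_R_NO_SHARED_SIGNATURE_ALGORITHMS
+|| n == SSL_R_NO_SHARED_SIGNATURE_ALGORITHMS /* 376 */
+#endif
+#ifdef SSL_R_NO_SHARED_SIGATURE_ALGORITHMS
+|| n == SSL_R_NO_SHARED_SIGATURE_ALGORITHMS /* 376 */
+#endif
 #ifdef SSL_R_CERT_CB_ERROR
 || n == SSL_R_CERT_CB_ERROR /* 377 */
 #endif
 #ifdef SSL_R_VERSION_TOO_LOW
 || n == SSL_R_VERSION_TOO_LOW /* 396 */
+#endif
+#ifdef SSL_R_TOO_MANY_WARN_ALERTS
+|| n == SSL_R_TOO_MANY_WARN_ALERTS /* 409 */
 #endif
 #ifdef SSL_R_BAD_RECORD_TYPE
 || n == SSL_R_BAD_RECORD_TYPE /* 443 */
 #endif
 || n == 1000 /* SSL_R_SSLV3_ALERT_CLOSE_NOTIFY */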
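Review bot: The `SSL_R_NO_SHARED_SIGATURE_ALGORITHMS` branch added at new lines 3508-3510 reads like a typo to anyone who has not seen this commit's description, and a later cleanup could "correct" it and silently drop the OpenSSL 1.0.2 case; a one-line note next to it, `#ifdef SSL_R_NO_SHARED_SIGATURE_ALGORITHMS /* misspelled in OpenSSL 1.0.2 */`, would prevent that. The five additions made without an `#ifdef` guard (SSL_R_BAD_DIGEST_LENGTH, SSL_R_CCS_RECEIVED_EARLY, SSL_R_DATA_LENGTH_TOO_LONG and SSL_R_ENCRYPTED_LENGTH_TOO_LONG in the first hunk, SSL_R_BAD_LENGTH in the second) rely on those reason codes existing in every library nginx is built against; the description covers OpenSSL back to 0.9.8zh, but whether the other supported TLS libraries define all five is not visible here, so a build check or guards matching the neighbouring entries would be worth confirming. The `/* NNN */` comments are the OpenSSL reason-code values that keep this list sorted, and since the condition being extended starts and ends outside the hunk, a short comment at its head stating that ordering rule and that the listed errors are client-triggerable (hence logged at "info" so a remote peer cannot fill the error log at "crit") would help future additions. The enclosing function begins and ends outside all three hunks.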