comparison src/event/ngx_event_openssl.c @ 8146:b7d4bfd132d2
SSL: logging levels of errors observed with BoringSSL.
As tested with tlsfuzzer with BoringSSL, the following errors are
certainly client-related:
SSL_do_handshake() failed (SSL: error:10000066:SSL routines:OPENSSL_internal:BAD_ALERT)
SSL_do_handshake() failed (SSL: error:10000089:SSL routines:OPENSSL_internal:DECODE_ERROR)
SSL_do_handshake() failed (SSL: error:100000dc:SSL routines:OPENSSL_internal:TOO_MANY_WARNING_ALERTS)
SSL_do_handshake() failed (SSL: error:10000100:SSL routines:OPENSSL_internal:INVALID_COMPRESSION_LIST)
SSL_do_handshake() failed (SSL: error:10000102:SSL routines:OPENSSL_internal:MISSING_KEY_SHARE)
SSL_do_handshake() failed (SSL: error:1000010e:SSL routines:OPENSSL_internal:TOO_MUCH_SKIPPED_EARLY_DATA)
SSL_read() failed (SSL: error:100000b6:SSL routines:OPENSSL_internal:NO_RENEGOTIATION)
Accordingly, the SSL_R_BAD_ALERT, SSL_R_DECODE_ERROR,
SSL_R_TOO_MANY_WARNING_ALERTS, SSL_R_INVALID_COMPRESSION_LIST,
SSL_R_MISSING_KEY_SHARE, SSL_R_TOO_MUCH_SKIPPED_EARLY_DATA,
and SSL_R_NO_RENEGOTIATION errors are now logged at the "info" level.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Wed, 08 Mar 2023 22:22:47 +0300 |
parents | 64db9e50f6c5 |
children | 0af598651e33 |
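--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -3394,10 +3394,13 @@
 /* handshake failures */
 if (n == SSL_R_BAD_CHANGE_CIPHER_SPEC /* 103 */
 #ifdef SSL_R_NO_SUITABLE_KEY_SHARE
 || n == SSL_R_NO_SUITABLE_KEY_SHARE /* 101 */
 #endif
+#ifdef SSL_R_BAD_ALERT
+|| n == SSL_R_BAD_ALERT /* 102 */
+#endif
 #ifdef SSL_R_BAD_KEY_SHARE
 || n == SSL_R_BAD_KEY_SHARE /* 108 */
 #endif
 #ifdef SSL_R_BAD_EXTENSION
 || n == SSL_R_BAD_EXTENSION /* 110 */
@@ -3413,10 +3416,13 @@
 #ifdef SSL_R_BAD_KEY_UPDATE
 || n == SSL_R_BAD_KEY_UPDATE /* 122 */
 #endif
 || n == SSL_R_BLOCK_CIPHER_PAD_IS_WRONG /* 129 */
 || n == SSL_R_CCS_RECEIVED_EARLY /* 133 */
+#ifdef SSL_R_DECODE_ERROR
+|| n == SSL_R_DECODE_ERROR /* 137 */
+#endif
 #ifdef SSL_R_DATA_BETWEEN_CCS_AND_FINISHED
 || n == SSL_R_DATA_BETWEEN_CCS_AND_FINISHED /* 145 */
 #endif
 || n == SSL_R_DATA_LENGTH_TOO_LONG /* 146 */
 || n == SSL_R_DIGEST_CHECK_FAILED /* 149 */
@@ -3430,10 +3436,13 @@
 || n == SSL_R_HTTP_REQUEST /* 156 */
 || n == SSL_R_LENGTH_MISMATCH /* 159 */
 #ifdef SSL_R_LENGTH_TOO_SHORT
 || n == SSL_R_LENGTH_TOO_SHORT /* 160 */
 #endif
+#ifdef SSL_R_NO_RENEGOTIATION
+|| n == SSL_R_NO_RENEGOTIATION /* 182 */
+#endif
 #ifdef SSL_R_NO_CIPHERS_PASSED
 || n == SSL_R_NO_CIPHERS_PASSED /* 182 */
 #endif
 || n == SSL_R_NO_CIPHERS_SPECIFIED /* 183 */
 #ifdef SSL_R_BAD_CIPHER
@@ -3443,10 +3452,13 @@
 || n == SSL_R_NO_SHARED_CIPHER /* 193 */
 #ifdef SSL_R_PACKET_LENGTH_TOO_LONG
 || n == SSL_R_PACKET_LENGTH_TOO_LONG /* 198 */
 #endif
 || n == SSL_R_RECORD_LENGTH_MISMATCH /* 213 */
+#ifdef SSL_R_TOO_MANY_WARNING_ALERTS
+|| n == SSL_R_TOO_MANY_WARNING_ALERTS /* 220 */
+#endif
 #ifdef SSL_R_CLIENTHELLO_TLSEXT
 || n == SSL_R_CLIENTHELLO_TLSEXT /* 226 */
 #endif
 #ifdef SSL_R_PARSE_TLSEXT
 || n == SSL_R_PARSE_TLSEXT /* 227 */
@@ -3465,15 +3477,24 @@
 || n == SSL_R_UNKNOWN_ALERT_TYPE /* 246 */
 || n == SSL_R_UNKNOWN_PROTOCOL /* 252 */
 #ifdef SSL_R_NO_COMMON_SIGNATURE_ALGORITHMS
 || n == SSL_R_NO_COMMON_SIGNATURE_ALGORITHMS /* 253 */
 #endif
+#ifdef SSL_R_INVALID_COMPRESSION_LIST
+|| n == SSL_R_INVALID_COMPRESSION_LIST /* 256 */
+#endif
+#ifdef SSL_R_MISSING_KEY_SHARE
+|| n == SSL_R_MISSING_KEY_SHARE /* 258 */
+#endif
 || n == SSL_R_UNSUPPORTED_PROTOCOL /* 258 */
 #ifdef SSL_R_NO_SHARED_GROUP
 || n == SSL_R_NO_SHARED_GROUP /* 266 */
 #endif
 || n == SSL_R_WRONG_VERSION_NUMBER /* 267 */
+#ifdef SSL_R_TOO_MUCH_SKIPPED_EARLY_DATA
+|| n == SSL_R_TOO_MUCH_SKIPPED_EARLY_DATA /* 270 */
+#endif
 || n == SSL_R_BAD_LENGTH /* 271 */
 || n == SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC /* 281 */
 #ifdef SSL_R_APPLICATION_DATA_AFTER_CLOSE_NOTIFY
 || n == SSL_R_APPLICATION_DATA_AFTER_CLOSE_NOTIFY /* 291 */
 #endif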
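Review bot: The numeric comment on the added `SSL_R_NO_RENEGOTIATION /* 182 */` line repeats the value on `SSL_R_NO_CIPHERS_PASSED /* 182 */` directly below it, and `SSL_R_MISSING_KEY_SHARE /* 258 */` does the same with `SSL_R_UNSUPPORTED_PROTOCOL /* 258 */`, so the list's numeric ordering no longer says which library's reason code each comment refers to. The commit message says the added names were observed with BoringSSL, so these are presumably BoringSSL values; a marker such as `/* 182, BoringSSL */` on the seven added entries would make that explicit. Because these conditions are now reported at "info", deployments that watch the error log for bursts of malformed handshakes (for example repeated TOO_MANY_WARNING_ALERTS or TOO_MUCH_SKIPPED_EARLY_DATA from one peer) need info-level logging or a separate counter to keep that signal. The enclosing `if` condition starts and ends outside the lines shown.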