# HG changeset patch # User Maxim Dounin # Date 1678303354 -10800 # Node ID 64db9e50f6c5efba042742ab9a4e9fb95fc12841 # Parent 6bee5e692579a861dc26362736b78f9baa6669b3 SSL: logging levels of errors observed with tlsfuzzer and LibreSSL. As tested with tlsfuzzer with LibreSSL 3.7.0, the following errors are certainly client-related: SSL_do_handshake() failed (SSL: error:14026073:SSL routines:ACCEPT_SR_CLNT_HELLO:bad packet length) SSL_do_handshake() failed (SSL: error:1402612C:SSL routines:ACCEPT_SR_CLNT_HELLO:ssl3 session id too long) SSL_do_handshake() failed (SSL: error:140380EA:SSL routines:ACCEPT_SR_KEY_EXCH:tls rsa encrypted value length is wrong) Accordingly, the SSL_R_BAD_PACKET_LENGTH ("bad packet length"), SSL_R_SSL3_SESSION_ID_TOO_LONG ("ssl3 session id too long"), SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG ("tls rsa encrypted value length is wrong") errors are now logged at the "info" level. diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c --- a/src/event/ngx_event_openssl.c +++ b/src/event/ngx_event_openssl.c @@ -3406,6 +3406,7 @@ ngx_ssl_connection_error(ngx_connection_ #ifdef SSL_R_MISSING_SIGALGS_EXTENSION || n == SSL_R_MISSING_SIGALGS_EXTENSION /* 112 */ #endif + || n == SSL_R_BAD_PACKET_LENGTH /* 115 */ #ifdef SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM || n == SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM /* 118 */ #endif @@ -3453,6 +3454,9 @@ ngx_ssl_connection_error(ngx_connection_ #ifdef SSL_R_CALLBACK_FAILED || n == SSL_R_CALLBACK_FAILED /* 234 */ #endif +#ifdef SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG + || n == SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG /* 234 */ +#endif #ifdef SSL_R_NO_APPLICATION_PROTOCOL || n == SSL_R_NO_APPLICATION_PROTOCOL /* 235 */ #endif @@ -3485,6 +3489,9 @@ ngx_ssl_connection_error(ngx_connection_ #ifdef SSL_R_RECORD_TOO_SMALL || n == SSL_R_RECORD_TOO_SMALL /* 298 */ #endif +#ifdef SSL_R_SSL3_SESSION_ID_TOO_LONG + || n == SSL_R_SSL3_SESSION_ID_TOO_LONG /* 300 */ +#endif #ifdef SSL_R_BAD_ECPOINT || n == SSL_R_BAD_ECPOINT /* 306 */ #endif