# HG changeset patch # User Maxim Dounin # Date 1531752438 -10800 # Node ID 7c00d8dbdb3a7cd2f79756876f6acab8bbeac3a1 # Parent 6c52c99c475e032a320234fbd48225359290da30 SSL: logging levels of "unsupported protocol", "version too low". Starting with OpenSSL 1.1.0, SSL_R_UNSUPPORTED_PROTOCOL instead of SSL_R_UNKNOWN_PROTOCOL is reported when a protocol is disabled via an SSL_OP_NO_* option. Additionally, SSL_R_VERSION_TOO_LOW is reported when using MinProtocol or when seclevel checks (as set by @SECLEVEL=n in the cipher string) rejects a protocol, and this is what happens with SSLv3 and @SECLEVEL=1, which is the default. There is also the SSL_R_VERSION_TOO_HIGH error code, but it looks like it is not possible to trigger it. diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c --- a/src/event/ngx_event_openssl.c +++ b/src/event/ngx_event_openssl.c @@ -2080,6 +2080,7 @@ ngx_ssl_connection_error(ngx_connection_ || n == SSL_R_UNEXPECTED_RECORD /* 245 */ || n == SSL_R_UNKNOWN_ALERT_TYPE /* 246 */ || n == SSL_R_UNKNOWN_PROTOCOL /* 252 */ + || n == SSL_R_UNSUPPORTED_PROTOCOL /* 258 */ || n == SSL_R_WRONG_VERSION_NUMBER /* 267 */ || n == SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC /* 281 */ #ifdef SSL_R_RENEGOTIATE_EXT_TOO_LONG @@ -2096,6 +2097,9 @@ ngx_ssl_connection_error(ngx_connection_ #ifdef SSL_R_INAPPROPRIATE_FALLBACK || n == SSL_R_INAPPROPRIATE_FALLBACK /* 373 */ #endif +#ifdef SSL_R_VERSION_TOO_LOW + || n == SSL_R_VERSION_TOO_LOW /* 396 */ +#endif || n == 1000 /* SSL_R_SSLV3_ALERT_CLOSE_NOTIFY */ #ifdef SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE || n == SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE /* 1010 */