Re: [patch] Logging: raise severity level for logged messages

Maxim Dounin
December 30, 2013 06:38PM
Hello!

On Tue, Dec 31, 2013 at 10:10:32AM +1100, Sergei Turchanov wrote:

> Okay, maybe. But what about at least this part:
>
> @@ -1801,7 +1801,7 @@ ngx_http_process_request(ngx_http_reques
> if (rc != X509_V_OK
> && (sscf->verify != 3 ||
> !ngx_ssl_verify_error_optional(rc)))
> {
> - ngx_log_error(NGX_LOG_INFO, c->log, 0,
> + ngx_log_error(NGX_LOG_ERR, c->log, 0,
> "client SSL certificate verify error:
> (%l:%s)",
> rc, X509_verify_cert_error_string(rc));
>
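
Review bot: In the `rc != X509_V_OK` branch the trigger is whatever certificate the peer chooses to present, so NGX_LOG_ERR here lets any remote client produce one error-level line per request and crowd out genuine server-side errors logged at the same level. I would keep NGX_LOG_INFO for this message. Separately, the format string is split across two lines (`"client SSL certificate verify error:` / `(%l:%s)",`), so the patch as mailed looks line-wrapped and will not apply cleanly; please resend it unwrapped.
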
> @@ -1816,7 +1816,7 @@ ngx_http_process_request(ngx_http_reques
> cert = SSL_get_peer_certificate(c->ssl->connection);
>
> if (cert == NULL) {
> - ngx_log_error(NGX_LOG_INFO, c->log, 0,
> + ngx_log_error(NGX_LOG_ERR, c->log, 0,
> "client sent no required SSL
> certificate");
>
> ngx_ssl_remove_cached_session(sscf->ssl.ctx,
>
>
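
Review bot: `cert == NULL` only says the peer sent no certificate, which every client connecting without one will hit, so NGX_LOG_ERR in this branch reports ordinary client behaviour at error severity. Suggest leaving it at NGX_LOG_INFO, or splitting this hunk into its own patch so it can be argued separately from the verify-error change. The string literal is also wrapped here (`"client sent no required SSL` / `certificate");`) and needs to be on one line for the patch to apply.
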
> We use client certificates, and having the ability to see client ssl
> certificate errors without setting error_log to 'info' level helps a lot.
> And these errors are not just as easily triggered as plain client http
> errors. Don't you agree?

They are easily triggered by clients, even assuming non-malicious
clients. Moreover, e.g., Safari on OS X used to supply arbitrary
certificates in a response to a certificate request, see here:

http://trac.nginx.org/nginx/ticket/472

If you want to trace such problems without using the 'info'
logging level, adding the $ssl_client_verify variable to access
logs might be a good idea, see here:

http://nginx.org/en/docs/http/ngx_http_ssl_module.html#variables

Additionally, there are special status codes available for these
conditions, to facilitate automatic detection and handling of
these errors, see here:

http://nginx.org/en/docs/http/ngx_http_ssl_module.html#errors

--
Maxim Dounin
http://nginx.org/
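
The approach suggested in the reply above, written out as a configuration. This is an added example, not part of the original message or of nginx's documentation; the server name, file paths, and the `mtls` log format name are placeholders.

```nginx
http {
    # Record the client certificate verification result for every request.
    # $ssl_client_verify is SUCCESS, FAILED (newer versions append ":reason"),
    # or NONE when no certificate was presented.
    log_format mtls '$remote_addr [$time_local] "$request" $status '
                    'verify=$ssl_client_verify dn="$ssl_client_s_dn"';

    server {
        listen 443 ssl;
        server_name example.test;                               # placeholder

        ssl_certificate         /etc/nginx/tls/server.crt;      # placeholder paths
        ssl_certificate_key     /etc/nginx/tls/server.key;
        ssl_client_certificate  /etc/nginx/tls/client-ca.crt;
        ssl_verify_client       on;

        # The verification outcome lands in the access log, so the error log
        # can stay at 'error' instead of being lowered to 'info'.
        access_log /var/log/nginx/mtls_access.log mtls;
        error_log  /var/log/nginx/error.log error;

        # Special codes from the ssl module:
        #   495 - an error occurred during client certificate verification
        #   496 - the client did not present the required certificate
        error_page 495 496 /cert_error.html;

        location = /cert_error.html {
            internal;
            root /usr/share/nginx/html;                         # placeholder
        }

        location / {
            root /var/www/app;                                  # placeholder
        }
    }
}
```

Filtering the access log for `verify=FAILED` or `verify=NONE` then gives the certificate failures per client address without raising the severity of the error-log messages.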
