Welcome! Log In Create A New Profile

Advanced

[PATCH 1 of 4] SSL: switched to detect log level based on the last error

Maxim Dounin
March 01, 2023 10:10AM
# HG changeset patch
# User Maxim Dounin <mdounin@mdounin.ru>
# Date 1677682263 -10800
# Wed Mar 01 17:51:03 2023 +0300
# Node ID 4d0a265c1d20f22f196680dfcc9d044f9e711865
# Parent 2acb00b9b5fff8a97523b659af4377fc605abe6e
SSL: switched to detect log level based on the last error.

In some cases there might be multiple errors in the OpenSSL error queue,
notably when a libcrypto call fails, and then the SSL layer generates
an error itself. For example, the following errors were observed
with OpenSSL 3.0.8 with TLSv1.3 enabled:

SSL_do_handshake() failed (SSL: error:02800066:Diffie-Hellman routines::invalid public key error:0A000132:SSL routines::bad ecpoint)
SSL_do_handshake() failed (SSL: error:08000066:elliptic curve routines::invalid encoding error:0A000132:SSL routines::bad ecpoint)
SSL_do_handshake() failed (SSL: error:0800006B:elliptic curve routines::point is not on curve error:0A000132:SSL routines::bad ecpoint)

In such cases it seems to be better to determine logging level based on
the last error in the error queue (the one added by the SSL layer,
SSL_R_BAD_ECPOINT in all of the above example example errors). To do so,
the ngx_ssl_connection_error() function was changed to use
ERR_peek_last_error().

diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -3389,7 +3389,7 @@ ngx_ssl_connection_error(ngx_connection_

} else if (sslerr == SSL_ERROR_SSL) {

- n = ERR_GET_REASON(ERR_peek_error());
+ n = ERR_GET_REASON(ERR_peek_last_error());

/* handshake failures */
if (n == SSL_R_BAD_CHANGE_CIPHER_SPEC /* 103 */
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel
Subject Author Views Posted

[PATCH 0 of 4] logging levels of SSL errors observed with tlsfuzzer

Maxim Dounin 524 March 01, 2023 10:10AM

[PATCH 1 of 4] SSL: switched to detect log level based on the last error

Maxim Dounin 142 March 01, 2023 10:10AM

Re: [PATCH 1 of 4] SSL: switched to detect log level based on the last error

Roman Arutyunyan 142 March 07, 2023 09:42AM

Re: [PATCH 1 of 4] SSL: switched to detect log level based on the last error

Maxim Dounin 154 March 07, 2023 04:52PM

[PATCH 3 of 4] SSL: logging levels of errors observed with tlsfuzzer and LibreSSL

Maxim Dounin 144 March 01, 2023 10:10AM

Re: [PATCH 3 of 4] SSL: logging levels of errors observed with tlsfuzzer and LibreSSL

Roman Arutyunyan 145 March 07, 2023 09:48AM

Re: [PATCH 3 of 4] SSL: logging levels of errors observed with tlsfuzzer and LibreSSL

Maxim Dounin 261 March 07, 2023 05:26PM

Re: [PATCH 3 of 4] SSL: logging levels of errors observed with tlsfuzzer and LibreSSL

Roman Arutyunyan 146 March 08, 2023 09:24AM

Re: [PATCH 3 of 4] SSL: logging levels of errors observed with tlsfuzzer and LibreSSL

Maxim Dounin 195 March 08, 2023 02:50PM

[PATCH 4 of 4] SSL: logging levels of errors observed with BoringSSL

Maxim Dounin 142 March 01, 2023 10:10AM

Re: [PATCH 4 of 4] SSL: logging levels of errors observed with BoringSSL

Roman Arutyunyan 147 March 07, 2023 09:50AM

[PATCH 2 of 4] SSL: logging levels of various errors reported with tlsfuzzer

Maxim Dounin 203 March 01, 2023 10:12AM

Re: [PATCH 2 of 4] SSL: logging levels of various errors reported with tlsfuzzer

Roman Arutyunyan 148 March 07, 2023 09:48AM

Re: [PATCH 2 of 4] SSL: logging levels of various errors reported with tlsfuzzer

Maxim Dounin 146 March 07, 2023 05:08PM

Re: [PATCH 2 of 4] SSL: logging levels of various errors reported with tlsfuzzer

Roman Arutyunyan 137 March 08, 2023 09:20AM



Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 306
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 500 on July 15, 2024
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready