Welcome! Log In Create A New Profile

[PATCH 3 of 4] SSL: logging levels of errors observed with tlsfuzzer and LibreSSL

Forum List Message List New Topic Print View

Maxim Dounin

March 01, 2023 10:10AM

# HG changeset patch
# User Maxim Dounin <mdounin@mdounin.ru>
# Date 1677682426 -10800
# Wed Mar 01 17:53:46 2023 +0300
# Node ID 207742991a561c0ed70834d4ce18e8452689419d
# Parent c76e163105f1eac7727ce4e6d955fecb38d93e49
SSL: logging levels of errors observed with tlsfuzzer and LibreSSL.

As tested with tlsfuzzer with LibreSSL 2.7.0, the following errors are
certainly client-related:

SSL_do_handshake() failed (SSL: error:14026073:SSL routines:ACCEPT_SR_CLNT_HELLO:bad packet length)
SSL_do_handshake() failed (SSL: error:1402612C:SSL routines:ACCEPT_SR_CLNT_HELLO:ssl3 session id too long)
SSL_do_handshake() failed (SSL: error:140380EA:SSL routines:ACCEPT_SR_KEY_EXCH:tls rsa encrypted value length is wrong)

Accordingly, the SSL_R_BAD_PACKET_LENGTH ("bad packet length"),
SSL_R_SSL3_SESSION_ID_TOO_LONG ("ssl3 session id too long"),
SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG ("tls rsa encrypted value
length is wrong") errors are now logged at the "info" level.

diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -3406,6 +3406,7 @@ ngx_ssl_connection_error(ngx_connection_
#ifdef SSL_R_MISSING_SIGALGS_EXTENSION
|| n == SSL_R_MISSING_SIGALGS_EXTENSION /* 112 */
#endif
+ || n == SSL_R_BAD_PACKET_LENGTH /* 115 */
#ifdef SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM
|| n == SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM /* 118 */
#endif
@@ -3453,6 +3454,9 @@ ngx_ssl_connection_error(ngx_connection_
#ifdef SSL_R_CALLBACK_FAILED
|| n == SSL_R_CALLBACK_FAILED /* 234 */
#endif
+#ifdef SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG
+ || n == SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG /* 234 */
+#endif
#ifdef SSL_R_NO_APPLICATION_PROTOCOL
|| n == SSL_R_NO_APPLICATION_PROTOCOL /* 235 */
#endif
@@ -3485,6 +3489,9 @@ ngx_ssl_connection_error(ngx_connection_
#ifdef SSL_R_RECORD_TOO_SMALL
|| n == SSL_R_RECORD_TOO_SMALL /* 298 */
#endif
+#ifdef SSL_R_SSL3_SESSION_ID_TOO_LONG
+ || n == SSL_R_SSL3_SESSION_ID_TOO_LONG /* 300 */
+#endif
#ifdef SSL_R_BAD_ECPOINT
|| n == SSL_R_BAD_ECPOINT /* 306 */
#endif
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel

Reply Quote

RSS

Subject	Author	Views	Posted
[PATCH 0 of 4] logging levels of SSL errors observed with tlsfuzzer	Maxim Dounin	452	March 01, 2023 10:10AM
[PATCH 1 of 4] SSL: switched to detect log level based on the last error	Maxim Dounin	92	March 01, 2023 10:10AM
Re: [PATCH 1 of 4] SSL: switched to detect log level based on the last error	Roman Arutyunyan	97	March 07, 2023 09:42AM
Re: [PATCH 1 of 4] SSL: switched to detect log level based on the last error	Maxim Dounin	102	March 07, 2023 04:52PM
[PATCH 3 of 4] SSL: logging levels of errors observed with tlsfuzzer and LibreSSL	Maxim Dounin	97	March 01, 2023 10:10AM
Re: [PATCH 3 of 4] SSL: logging levels of errors observed with tlsfuzzer and LibreSSL	Roman Arutyunyan	104	March 07, 2023 09:48AM
Re: [PATCH 3 of 4] SSL: logging levels of errors observed with tlsfuzzer and LibreSSL	Maxim Dounin	180	March 07, 2023 05:26PM
Re: [PATCH 3 of 4] SSL: logging levels of errors observed with tlsfuzzer and LibreSSL	Roman Arutyunyan	95	March 08, 2023 09:24AM
Re: [PATCH 3 of 4] SSL: logging levels of errors observed with tlsfuzzer and LibreSSL	Maxim Dounin	146	March 08, 2023 02:50PM
[PATCH 4 of 4] SSL: logging levels of errors observed with BoringSSL	Maxim Dounin	104	March 01, 2023 10:10AM
Re: [PATCH 4 of 4] SSL: logging levels of errors observed with BoringSSL	Roman Arutyunyan	106	March 07, 2023 09:50AM
[PATCH 2 of 4] SSL: logging levels of various errors reported with tlsfuzzer	Maxim Dounin	151	March 01, 2023 10:12AM
Re: [PATCH 2 of 4] SSL: logging levels of various errors reported with tlsfuzzer	Roman Arutyunyan	108	March 07, 2023 09:48AM
Re: [PATCH 2 of 4] SSL: logging levels of various errors reported with tlsfuzzer	Maxim Dounin	105	March 07, 2023 05:08PM
Re: [PATCH 2 of 4] SSL: logging levels of various errors reported with tlsfuzzer	Roman Arutyunyan	98	March 08, 2023 09:20AM

Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 299

Record Number of Users: 8 on April 13, 2023

Record Number of Guests: 421 on December 02, 2018