author | Jonathan Reams <jbreams@mongodb.com> | 2018-08-15 13:53:40 -0400 |
---|---|---|
committer | Jason Carey <jcarey@argv.me> | 2019-04-18 14:04:32 -0400 |
commit | 6eaf16f2cff132b3e9d2fc4f45253751cc964a37 (patch) | |
tree | c9c6c863d16616e01fcf1c132f59f4fd40424fd1 | |
parent | b5b7a3e43ca68075624c15753afc9a60741f2628 (diff) | |
download | mongo-6eaf16f2cff132b3e9d2fc4f45253751cc964a37.tar.gz |
SERVER-34621 Log if client attempts unsupported TLS renegotiation on Windows
(cherry picked from commit 8de4f3563737eb3b23ae37eeaa9efa1cb40dc350)
-rw-r--r-- | src/mongo/transport/service_state_machine.cpp | 3 | ||||
-rw-r--r-- | src/mongo/util/net/ssl/detail/impl/schannel.ipp | 2 | ||||
-rw-r--r-- | src/mongo/util/net/ssl/error.hpp | 6 | ||||
-rw-r--r-- | src/mongo/util/net/ssl/impl/error.ipp | 3 |
4 files changed, 10 insertions, 4 deletions
diff --git a/src/mongo/transport/service_state_machine.cpp b/src/mongo/transport/service_state_machine.cpp
index 1aed664aecf..0936a30f38f 100644
--- a/src/mongo/transport/service_state_machine.cpp
+++ b/src/mongo/transport/service_state_machine.cpp
@@ -308,7 +308,8 @@ void ServiceStateMachine::_sourceCallback(Status status) {
 transport::ServiceExecutorTaskName::kSSMProcessMessage);
 } else if (ErrorCodes::isInterruption(status.code()) || ErrorCodes::isNetworkError(status.code())) {
- LOG(2) << "Session from " << remote << " encountered a network error during SourceMessage";
+ LOG(2) << "Session from " << remote
+ << " encountered a network error during SourceMessage: " << status;
 _state.store(State::EndSession);
 } else if (status == TransportLayer::TicketSessionClosedStatus) {
 // Our session may have been closed internally.
diff --git a/src/mongo/util/net/ssl/detail/impl/schannel.ipp b/src/mongo/util/net/ssl/detail/impl/schannel.ipp
index 1dd9577b10e..81f8ffc21c5 100644
--- a/src/mongo/util/net/ssl/detail/impl/schannel.ipp
+++ b/src/mongo/util/net/ssl/detail/impl/schannel.ipp
@@ -608,7 +608,7 @@ ssl_want SSLReadManager::decryptBuffer(asio::error_code& ec, DecryptState* pDecr
 *pDecryptState = DecryptState::Renegotiate; // Fail the connection on SSL renegotiations
- ec = asio::ssl::error::stream_truncated;
+ ec = asio::ssl::error::no_renegotiation;
 return ssl_want::want_nothing;
 }
diff --git a/src/mongo/util/net/ssl/error.hpp b/src/mongo/util/net/ssl/error.hpp
index 9996b825b12..3bf0ea02510 100644
--- a/src/mongo/util/net/ssl/error.hpp
+++ b/src/mongo/util/net/ssl/error.hpp
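Review bot: The status detail added to the message in `_sourceCallback` (service_state_machine.cpp) is still emitted through `LOG(2)`, so a rejected renegotiation attempt is recorded only when debug verbosity is raised, and an operator running at the default level sees nothing. If the aim in the commit title is for these attempts to be visible, the renegotiation case would need its own branch that logs at the default level with the peer address, ideally rate-limited so that a client repeating the attempt cannot flood the log. The hunk does not show how the asio error code becomes a `Status`, so whether `no_renegotiation` reaches this `isNetworkError` branch at all is worth confirming. The function body starts and ends outside the hunk.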
@@ -43,12 +43,14 @@ namespace error {
 enum stream_errors {
 #if defined(GENERATING_DOCUMENTATION)
 /// The underlying stream closed before the ssl stream gracefully shut down.
- stream_truncated
+ stream_truncated,
+ no_renegotiation
 #elif (OPENSSL_VERSION_NUMBER < 0x10100000L) && !defined(OPENSSL_IS_BORINGSSL) && \
 MONGO_CONFIG_SSL_PROVIDER == MONGO_CONFIG_SSL_PROVIDER_OPENSSL
 stream_truncated = ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SHORT_READ)
 #else
- stream_truncated = 1
+ stream_truncated = 1,
+ no_renegotiation
 #endif
 };
diff --git a/src/mongo/util/net/ssl/impl/error.ipp b/src/mongo/util/net/ssl/impl/error.ipp
index b691cb391f7..abe179c33a7 100644
--- a/src/mongo/util/net/ssl/impl/error.ipp
+++ b/src/mongo/util/net/ssl/impl/error.ipp
@@ -37,6 +37,9 @@ public:
 #if MONGO_CONFIG_SSL_PROVIDER == MONGO_CONFIG_SSL_PROVIDER_WINDOWS
 std::string message(int value) const {
+ if (value == asio::ssl::error::no_renegotiation) {
+ return "peer requested renegotiation, which is not supported";
+ }
 return mongo::errnoWithDescription(value);
 }
 #elif MONGO_CONFIG_SSL_PROVIDER == MONGO_CONFIG_SSL_PROVIDER_OPENSSL |
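Review bot: In error.hpp, `no_renegotiation` is added to the documentation branch and the `#else` branch of `stream_errors` but not to the `#elif` branch for OpenSSL older than 1.1.0, so any later use of the enumerator outside Windows-only code would fail to build in that configuration. The uses visible in this commit appear to be Windows-only, which is why it compiles today. In the `#else` branch the enumerator takes the implicit value 2; writing `no_renegotiation = 2` keeps the numeric code stable if another enumerator is ever inserted before it. The documentation branch should also carry a comment like the one on `stream_truncated`, for example `/// The peer requested a TLS renegotiation, which is not supported.`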
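Review bot: The new check in the Windows `message(int value)` in error.ipp tests for `no_renegotiation` before falling through to `mongo::errnoWithDescription(value)`, which suggests that other values in this category are treated as OS error numbers. Because the enumerator has the value 2 in the `#else` branch of error.hpp, an OS error 2 reported through this category would now be described as a renegotiation request, which would mislead anyone reading the log during an investigation. A comment such as `// no_renegotiation is a synthetic code, not an OS error number` above the check would record the assumption, or the enumerator could be given a value outside the OS error range. Only the Windows branch is changed here; the OpenSSL branch of `message` lies outside the hunk.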