From 6eaf16f2cff132b3e9d2fc4f45253751cc964a37 Mon Sep 17 00:00:00 2001
From: Jonathan Reams
Date: Wed, 15 Aug 2018 13:53:40 -0400
Subject: SERVER-34621 Log if client attempts unsupported TLS renegotiation on Windows
(cherry picked from commit 8de4f3563737eb3b23ae37eeaa9efa1cb40dc350)
---
 src/mongo/transport/service_state_machine.cpp | 3 ++-
 src/mongo/util/net/ssl/detail/impl/schannel.ipp | 2 +-
 src/mongo/util/net/ssl/error.hpp | 6 ++++--
 src/mongo/util/net/ssl/impl/error.ipp | 3 +++
 4 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/src/mongo/transport/service_state_machine.cpp b/src/mongo/transport/service_state_machine.cpp
index 1aed664aecf..0936a30f38f 100644
--- a/src/mongo/transport/service_state_machine.cpp
+++ b/src/mongo/transport/service_state_machine.cpp
@@ -308,7 +308,8 @@ void ServiceStateMachine::_sourceCallback(Status status) {
 transport::ServiceExecutorTaskName::kSSMProcessMessage);
 } else if (ErrorCodes::isInterruption(status.code()) ||
 ErrorCodes::isNetworkError(status.code())) {
- LOG(2) << "Session from " << remote << " encountered a network error during SourceMessage";
+ LOG(2) << "Session from " << remote
+ << " encountered a network error during SourceMessage: " << status;
 _state.store(State::EndSession);
 } else if (status == TransportLayer::TicketSessionClosedStatus) {
 // Our session may have been closed internally.
diff --git a/src/mongo/util/net/ssl/detail/impl/schannel.ipp b/src/mongo/util/net/ssl/detail/impl/schannel.ipp
index 1dd9577b10e..81f8ffc21c5 100644
--- a/src/mongo/util/net/ssl/detail/impl/schannel.ipp
+++ b/src/mongo/util/net/ssl/detail/impl/schannel.ipp
@@ -608,7 +608,7 @@ ssl_want SSLReadManager::decryptBuffer(asio::error_code& ec, DecryptState* pDecr
 *pDecryptState = DecryptState::Renegotiate;
 // Fail the connection on SSL renegotiations
- ec = asio::ssl::error::stream_truncated;
+ ec = asio::ssl::error::no_renegotiation;
 return ssl_want::want_nothing;
 }
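Review bot: The renegotiation diagnostic the commit title promises is emitted here only at LOG(2), so at default verbosity an operator never learns that a client attempted an unsupported renegotiation, and a peer trying to restart the handshake mid-stream is exactly the kind of event that should be visible without raising the log level. Assuming the SChannel failure reaches this branch as a network-error Status carrying the new no_renegotiation reason (the hunk does not show the mapping), log that case at warning severity with the logger this file already uses for warnings, keeping the same `"Session from " << remote << ... << status` form ahead of the generic LOG(2), or at least state in the commit message that `-vv` is required to see it. Appending `status` to the message is the right change, since the reason string is what now distinguishes a renegotiation from an ordinary network error. `_sourceCallback` starts before and continues after this hunk.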
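Review bot: The comment `// Fail the connection on SSL renegotiations` still says only what happens, not why, and now that the failure has a dedicated error code the reasoning is worth a line: the old `stream_truncated` value made a peer-initiated renegotiation indistinguishable from a truncated stream, which is what the new code fixes. Suggested wording: `// Refuse TLS renegotiation: this read path does not implement it, and a peer that requests one mid-stream is reported with a dedicated code so the session layer can log it instead of treating it as a truncated stream.` `decryptBuffer` begins before this hunk, and the closing brace at the end of the hunk may belong to an inner block rather than the function.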
diff --git a/src/mongo/util/net/ssl/error.hpp b/src/mongo/util/net/ssl/error.hpp
index 9996b825b12..3bf0ea02510 100644
--- a/src/mongo/util/net/ssl/error.hpp
+++ b/src/mongo/util/net/ssl/error.hpp
@@ -43,12 +43,14 @@ namespace error {
 enum stream_errors {
 #if defined(GENERATING_DOCUMENTATION)
 /// The underlying stream closed before the ssl stream gracefully shut down.
- stream_truncated
+ stream_truncated,
+ no_renegotiation
 #elif (OPENSSL_VERSION_NUMBER < 0x10100000L) && !defined(OPENSSL_IS_BORINGSSL) && \
 MONGO_CONFIG_SSL_PROVIDER == MONGO_CONFIG_SSL_PROVIDER_OPENSSL
 stream_truncated = ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SHORT_READ)
 #else
- stream_truncated = 1
+ stream_truncated = 1,
+ no_renegotiation
 #endif
 };
diff --git a/src/mongo/util/net/ssl/impl/error.ipp b/src/mongo/util/net/ssl/impl/error.ipp
index b691cb391f7..abe179c33a7 100644
--- a/src/mongo/util/net/ssl/impl/error.ipp
+++ b/src/mongo/util/net/ssl/impl/error.ipp
@@ -37,6 +37,9 @@ public:
 #if MONGO_CONFIG_SSL_PROVIDER == MONGO_CONFIG_SSL_PROVIDER_WINDOWS
 std::string message(int value) const {
+ if (value == asio::ssl::error::no_renegotiation) {
+ return "peer requested renegotiation, which is not supported";
+ }
 return mongo::errnoWithDescription(value);
 }
#elif MONGO_CONFIG_SSL_PROVIDER == MONGO_CONFIG_SSL_PROVIDER_OPENSSL
--
cgit v1.2.1
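Review bot: `no_renegotiation` is added to the `GENERATING_DOCUMENTATION` branch and the `#else` branch but not to the `#elif` branch for OpenSSL older than 1.1.0, so the enum has a different set of enumerators per provider and any later reference to `no_renegotiation` from OpenSSL-side code would fail to compile on those builds; only the SChannel backend uses it in this commit, so this is latent, but the `#elif` branch should carry a comment saying the enumerator is deliberately absent there. In the documentation branch the new enumerator also lacks the `///` line that `stream_truncated` has; add `/// The peer requested a TLS renegotiation, which this implementation does not support.` Since `stream_truncated = 1` is explicit, write `no_renegotiation = 2` explicitly too, so the value that `error.ipp` compares against is visible where it is declared. The `namespace error` scope begins before this hunk.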
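Review bot: The new check special-cases only `no_renegotiation`, while `stream_truncated`, which the companion `error.hpp` hunk assigns the value 1 on this provider, still falls through to `mongo::errnoWithDescription(1)` and is therefore described as an OS error rather than as a truncated stream; give it the same treatment, `if (value == asio::ssl::error::stream_truncated) { return "stream truncated"; }`, or switch on `value` so future enumerators cannot be forgotten. More generally the ssl enumerators share the integer space this category decodes through `errnoWithDescription`, so if a genuine system error with value 2 (ERROR_FILE_NOT_FOUND on Win32, if I recall the constant correctly) were ever reported through this same category it would now read as a renegotiation; I cannot tell from the hunk whether that can happen, but a comment stating that only `stream_errors` values are expected here would make the assumption explicit. The class whose `message` this is begins before the hunk.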