SSL: logging levels of various errors added in OpenSSL 1.1.1.

Starting with OpenSSL 1.1.1, various additional errors can be reported by OpenSSL in case of client-related issues, most notably during TLSv1.3 handshakes. In particular, SSL_R_BAD_KEY_SHARE ("bad key share"), SSL_R_BAD_EXTENSION ("bad extension"), SSL_R_BAD_CIPHER ("bad cipher"), SSL_R_BAD_ECPOINT ("bad ecpoint"). These are now logged at the "info" level.
author: Maxim Dounin <mdounin@mdounin.ru> 2022-07-12 15:55:22 +0300
committer: Maxim Dounin <mdounin@mdounin.ru> 2022-07-12 15:55:22 +0300
commit: ea46b22dfb56137afc7463bc0383e52ff27c7905 (patch)
tree: 6037b7475e058d00b0ecd1bee4fcc38252479fd6
parent: d791b4aab418b0cbadbaf079fbb9360269d97941 (diff)
download: nginx-ea46b22dfb56137afc7463bc0383e52ff27c7905.tar.gz
1 files changed, 12 insertions, 0 deletions
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index 975f959ac..7b0417e4f 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -3343,6 +3343,12 @@ ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err,
 #ifdef SSL_R_NO_SUITABLE_KEY_SHARE
             || n == SSL_R_NO_SUITABLE_KEY_SHARE                      /*  101 */
 #endif
+#ifdef SSL_R_BAD_KEY_SHARE
+            || n == SSL_R_BAD_KEY_SHARE                              /*  108 */
+#endif
+#ifdef SSL_R_BAD_EXTENSION
+            || n == SSL_R_BAD_EXTENSION                              /*  110 */
+#endif
 #ifdef SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM
             || n == SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM            /*  118 */
 #endif
@@ -3357,6 +3363,9 @@ ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err,
             || n == SSL_R_NO_CIPHERS_PASSED                          /*  182 */
 #endif
             || n == SSL_R_NO_CIPHERS_SPECIFIED                       /*  183 */
+#ifdef SSL_R_BAD_CIPHER
+            || n == SSL_R_BAD_CIPHER                                 /*  186 */
+#endif
             || n == SSL_R_NO_COMPRESSION_SPECIFIED                   /*  187 */
             || n == SSL_R_NO_SHARED_CIPHER                           /*  193 */
             || n == SSL_R_RECORD_LENGTH_MISMATCH                     /*  213 */
@@ -3391,6 +3400,9 @@ ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err,
 #ifdef SSL_R_APPLICATION_DATA_ON_SHUTDOWN
             || n == SSL_R_APPLICATION_DATA_ON_SHUTDOWN               /*  291 */
 #endif
+#ifdef SSL_R_BAD_ECPOINT
+            || n == SSL_R_BAD_ECPOINT                                /*  306 */
+#endif
 #ifdef SSL_R_RENEGOTIATE_EXT_TOO_LONG
             || n == SSL_R_RENEGOTIATE_EXT_TOO_LONG                   /*  335 */
             || n == SSL_R_RENEGOTIATION_ENCODING_ERR                 /*  336 */
author	Maxim Dounin <mdounin@mdounin.ru>	2022-07-12 15:55:22 +0300
committer	Maxim Dounin <mdounin@mdounin.ru>	2022-07-12 15:55:22 +0300
commit	ea46b22dfb56137afc7463bc0383e52ff27c7905 (patch)
tree	6037b7475e058d00b0ecd1bee4fcc38252479fd6
parent	d791b4aab418b0cbadbaf079fbb9360269d97941 (diff)
download	nginx-ea46b22dfb56137afc7463bc0383e52ff27c7905.tar.gz