[
https://issues.apache.org/jira/browse/TS-2653?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14003197#comment-14003197
]
kang li commented on TS-2653:
-----------------------------
Hi [~bcall],
I have investigated the "alert 0" error. From the tcpdump results and code
analysis, it occurs in two conditions.
1. libsecurity_ssl gets an error reading an SSL record, then it sends a fatal
"alert 0" to the server. This condition is hard to avoid as it is triggered on
the client side. One simple fix for this issue could be to just ignore this
"CLOSE_NOTIFY" error which does in libsecurity_ssl. Or this may be related to
other issues that trigger libsecurity_ssl read errors.
2. ATS gets a read error and then shuts down the TCP connection without sending
"close notify" to the client. This breaks the RFC standard, so libsecurity_ssl
responds with a fatal "alert 0". I have tried to fix this problem by sending
"close notify" before closing the TCP connection. But the result shows that
"close notify" was not sent successfully, as the TCP connection may have been
shut down before calling close_UnixNetVConnection.
These "alert 0" errors don't mean a real error, as it always shows a successful
access log. I'm now working on high priority issues. Will move back to this
issue if I get free time.
> SSL Error message cleanup
> -------------------------
>
> Key: TS-2653
> URL: https://issues.apache.org/jira/browse/TS-2653
> Project: Traffic Server
> Issue Type: Bug
> Components: Logging, SSL
> Reporter: Bryan Call
> Assignee: Bryan Call
> Fix For: 5.0.0
>
>
> We see a lot of SSL error messages in production. It would be good to
> determine if these are really errors or remove logging of some of these
> errors:
> {code}
> -bash-4.1$ tail -100000 diags.log | cut -f4-20 -d : | grep SSL | sort | uniq -c | sort -rn
> 3108 SSL::36:error:140943E8:SSL
> routines:SSL3_READ_BYTES:reason(1000):s3_pkt.c:1256:SSL alert number 0
> 3079 SSL::32:error:140943E8:SSL
> routines:SSL3_READ_BYTES:reason(1000):s3_pkt.c:1256:SSL alert number 0
> 3068 SSL::27:error:140943E8:SSL
> routines:SSL3_READ_BYTES:reason(1000):s3_pkt.c:1256:SSL alert number 0
> 3051 SSL::44:error:140943E8:SSL
> routines:SSL3_READ_BYTES:reason(1000):s3_pkt.c:1256:SSL alert number 0
> 3043 SSL::24:error:140943E8:SSL
> routines:SSL3_READ_BYTES:reason(1000):s3_pkt.c:1256:SSL alert number 0
> 3041 SSL::47:error:140943E8:SSL
> routines:SSL3_READ_BYTES:reason(1000):s3_pkt.c:1256:SSL alert number 0
> 3041 SSL::38:error:140943E8:SSL
> routines:SSL3_READ_BYTES:reason(1000):s3_pkt.c:1256:SSL alert number 0
> 3040 SSL::46:error:140943E8:SSL
> routines:SSL3_READ_BYTES:reason(1000):s3_pkt.c:1256:SSL alert number 0
> 3025 SSL::34:error:140943E8:SSL
> routines:SSL3_READ_BYTES:reason(1000):s3_pkt.c:1256:SSL alert number 0
> 3025 SSL::25:error:140943E8:SSL
> routines:SSL3_READ_BYTES:reason(1000):s3_pkt.c:1256:SSL alert number 0
> 3021 SSL::31:error:140943E8:SSL
> routines:SSL3_READ_BYTES:reason(1000):s3_pkt.c:1256:SSL alert number 0
> 3011 SSL::42:error:140943E8:SSL
> routines:SSL3_READ_BYTES:reason(1000):s3_pkt.c:1256:SSL alert number 0
> 3006 SSL::39:error:140943E8:SSL
> routines:SSL3_READ_BYTES:reason(1000):s3_pkt.c:1256:SSL alert number 0
> 3004 SSL::29:error:140943E8:SSL
> routines:SSL3_READ_BYTES:reason(1000):s3_pkt.c:1256:SSL alert number 0
> 3000 SSL::30:error:140943E8:SSL
> routines:SSL3_READ_BYTES:reason(1000):s3_pkt.c:1256:SSL alert number 0
> 2996 SSL::43:error:140943E8:SSL
> routines:SSL3_READ_BYTES:reason(1000):s3_pkt.c:1256:SSL alert number 0
> 2993 SSL::45:error:140943E8:SSL
> routines:SSL3_READ_BYTES:reason(1000):s3_pkt.c:1256:SSL alert number 0
> 2977 SSL::40:error:140943E8:SSL
> routines:SSL3_READ_BYTES:reason(1000):s3_pkt.c:1256:SSL alert number 0
> 2976 SSL::33:error:140943E8:SSL
> routines:SSL3_READ_BYTES:reason(1000):s3_pkt.c:1256:SSL alert number 0
> 2974 SSL::41:error:140943E8:SSL
> routines:SSL3_READ_BYTES:reason(1000):s3_pkt.c:1256:SSL alert number 0
> 2974 SSL::28:error:140943E8:SSL
> routines:SSL3_READ_BYTES:reason(1000):s3_pkt.c:1256:SSL alert number 0
> 2958 SSL::37:error:140943E8:SSL
> routines:SSL3_READ_BYTES:reason(1000):s3_pkt.c:1256:SSL alert number 0
> 2947 SSL::35:error:140943E8:SSL
> routines:SSL3_READ_BYTES:reason(1000):s3_pkt.c:1256:SSL alert number 0
> 2922 SSL::26:error:140943E8:SSL
> routines:SSL3_READ_BYTES:reason(1000):s3_pkt.c:1256:SSL alert number 0
> 28 SSL::36:error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert
> certificate expired:s3_pkt.c:1256:SSL alert number 45
> 26 SSL::24:error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert
> certificate expired:s3_pkt.c:1256:SSL alert number 45
> 25 SSL::44:error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert
> certificate expired:s3_pkt.c:1256:SSL alert number 45
> 25 SSL::27:error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert
> certificate expired:s3_pkt.c:1256:SSL alert number 45
> 24 SSL::34:error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert
> certificate expired:s3_pkt.c:1256:SSL alert number 45
> 24 SSL::30:error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert
> certificate expired:s3_pkt.c:1256:SSL alert number 45
> 23 SSL::39:error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert
> certificate expired:s3_pkt.c:1256:SSL alert number 45
> 23 SSL::33:error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert
> certificate expired:s3_pkt.c:1256:SSL alert number 45
> 23 SSL::32:error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert
> certificate expired:s3_pkt.c:1256:SSL alert number 45
> 22 SSL::44:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert
> unknown ca:s3_pkt.c:1256:SSL alert number 48
> 21 SSL::38:error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert
> certificate expired:s3_pkt.c:1256:SSL alert number 45
> 20 SSL::45:error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert
> certificate expired:s3_pkt.c:1256:SSL alert number 45
> 20 SSL::41:error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert
> certificate expired:s3_pkt.c:1256:SSL alert number 45
> 20 SSL::28:error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert
> certificate expired:s3_pkt.c:1256:SSL alert number 45
> 19 SSL::42:error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert
> certificate expired:s3_pkt.c:1256:SSL alert number 45
> 19 SSL::41:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert
> unknown ca:s3_pkt.c:1256:SSL alert number 48
> 19 SSL::35:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert
> unknown ca:s3_pkt.c:1256:SSL alert number 48
> 18 SSL::47:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert
> unknown ca:s3_pkt.c:1256:SSL alert number 48
> 18 SSL::37:error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert
> certificate expired:s3_pkt.c:1256:SSL alert number 45
> 18 SSL::34:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert
> unknown ca:s3_pkt.c:1256:SSL alert number 48
> 18 SSL::31:error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert
> certificate expired:s3_pkt.c:1256:SSL alert number 45
> 18 SSL::24:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert
> unknown ca:s3_pkt.c:1256:SSL alert number 48
> 17 SSL::46:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert
> unknown ca:s3_pkt.c:1256:SSL alert number 48
> 17 SSL::43:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert
> unknown ca:s3_pkt.c:1256:SSL alert number 48
> 17 SSL::40:error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert
> certificate expired:s3_pkt.c:1256:SSL alert number 45
> 17 SSL::26:error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert
> certificate expired:s3_pkt.c:1256:SSL alert number 45
> 16 SSL::47:error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert
> certificate expired:s3_pkt.c:1256:SSL alert number 45
> 16 SSL::42:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert
> unknown ca:s3_pkt.c:1256:SSL alert number 48
> 15 SSL::35:error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert
> certificate expired:s3_pkt.c:1256:SSL alert number 45
> 15 SSL::25:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert
> unknown ca:s3_pkt.c:1256:SSL alert number 48
> 14 SSL::45:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert
> unknown ca:s3_pkt.c:1256:SSL alert number 48
> 14 SSL::43:error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert
> certificate expired:s3_pkt.c:1256:SSL alert number 45
> 14 SSL::37:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert
> unknown ca:s3_pkt.c:1256:SSL alert number 48
> 14 SSL::36:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert
> unknown ca:s3_pkt.c:1256:SSL alert number 48
> 14 SSL::29:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert
> unknown ca:s3_pkt.c:1256:SSL alert number 48
> 13 SSL::39:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert
> unknown ca:s3_pkt.c:1256:SSL alert number 48
> 13 SSL::28:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert
> unknown ca:s3_pkt.c:1256:SSL alert number 48
> 12 SSL::38:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert
> unknown ca:s3_pkt.c:1256:SSL alert number 48
> 12 SSL::31:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert
> unknown ca:s3_pkt.c:1256:SSL alert number 48
> 12 SSL::29:error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert
> certificate expired:s3_pkt.c:1256:SSL alert number 45
> 12 SSL::25:error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert
> certificate expired:s3_pkt.c:1256:SSL alert number 45
> 11 SSL::46:error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert
> certificate expired:s3_pkt.c:1256:SSL alert number 45
> 11 SSL::40:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert
> unknown ca:s3_pkt.c:1256:SSL alert number 48
> 11 SSL::33:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert
> unknown ca:s3_pkt.c:1256:SSL alert number 48
> 11 SSL::32:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert
> unknown ca:s3_pkt.c:1256:SSL alert number 48
> 11 SSL::26:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert
> unknown ca:s3_pkt.c:1256:SSL alert number 48
> 9 SSL::30:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert
> unknown ca:s3_pkt.c:1256:SSL alert number 48
> 9 SSL::27:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert
> unknown ca:s3_pkt.c:1256:SSL alert number 48
> 5 SSL::45:error:1408F119:SSL routines:SSL3_GET_RECORD:decryption
> failed or bad record mac:s3_pkt.c:484:
> 5 SSL::29:error:1408F119:SSL routines:SSL3_GET_RECORD:decryption
> failed or bad record mac:s3_pkt.c:484:
> 4 SSL::47:error:1408F119:SSL routines:SSL3_GET_RECORD:decryption
> failed or bad record mac:s3_pkt.c:484:
> 4 SSL::34:error:1408F119:SSL routines:SSL3_GET_RECORD:decryption
> failed or bad record mac:s3_pkt.c:484:
> 3 SSL::43:error:1408F119:SSL routines:SSL3_GET_RECORD:decryption
> failed or bad record mac:s3_pkt.c:484:
> 3 SSL::42:error:1408F119:SSL routines:SSL3_GET_RECORD:decryption
> failed or bad record mac:s3_pkt.c:484:
> 3 SSL::40:error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad
> record mac:s3_pkt.c:1256:SSL alert number 20
> 3 SSL::37:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad
> certificate:s3_pkt.c:1256:SSL alert number 42
> 3 SSL::37:error:1408F119:SSL routines:SSL3_GET_RECORD:decryption
> failed or bad record mac:s3_pkt.c:484:
> 3 SSL::31:error:1408F119:SSL routines:SSL3_GET_RECORD:decryption
> failed or bad record mac:s3_pkt.c:484:
> 3 SSL::28:error:1408F119:SSL routines:SSL3_GET_RECORD:decryption
> failed or bad record mac:s3_pkt.c:484:
> 3 SSL::27:error:1408F119:SSL routines:SSL3_GET_RECORD:decryption
> failed or bad record mac:s3_pkt.c:484:
> 3 SSL::24:error:1408F119:SSL routines:SSL3_GET_RECORD:decryption
> failed or bad record mac:s3_pkt.c:484:
> 2 SSL::43:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad
> certificate:s3_pkt.c:1256:SSL alert number 42
> 2 SSL::41:error:1408F119:SSL routines:SSL3_GET_RECORD:decryption
> failed or bad record mac:s3_pkt.c:484:
> 2 SSL::40:error:1408F119:SSL routines:SSL3_GET_RECORD:decryption
> failed or bad record mac:s3_pkt.c:484:
> 2 SSL::39:error:1408F119:SSL routines:SSL3_GET_RECORD:decryption
> failed or bad record mac:s3_pkt.c:484:
> 2 SSL::38:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
> number:s3_pkt.c:337:
> 2 SSL::36:error:1408F119:SSL routines:SSL3_GET_RECORD:decryption
> failed or bad record mac:s3_pkt.c:484:
> 2 SSL::33:error:1408F119:SSL routines:SSL3_GET_RECORD:decryption
> failed or bad record mac:s3_pkt.c:484:
> 2 SSL::30:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad
> certificate:s3_pkt.c:1256:SSL alert number 42
> 2 SSL::30:error:1408F119:SSL routines:SSL3_GET_RECORD:decryption
> failed or bad record mac:s3_pkt.c:484:
> 2 SSL::26:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad
> certificate:s3_pkt.c:1256:SSL alert number 42
> 2 SSL::26:error:1408F119:SSL routines:SSL3_GET_RECORD:decryption
> failed or bad record mac:s3_pkt.c:484:
> 2 SSL::25:error:1408F119:SSL routines:SSL3_GET_RECORD:decryption
> failed or bad record mac:s3_pkt.c:484:
> 1 SSL::47:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad
> certificate:s3_pkt.c:1256:SSL alert number 42
> 1 SSL::46:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad
> certificate:s3_pkt.c:1256:SSL alert number 42
> 1 SSL::46:error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 alert
> unexpected message:s3_pkt.c:1256:SSL alert number 10
> 1 SSL::46:error:1408F081:SSL routines:SSL3_GET_RECORD:block cipher pad
> is wrong:s3_pkt.c:410:
> 1 SSL::45:error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 alert
> unexpected message:s3_pkt.c:1256:SSL alert number 10
> 1 SSL::44:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad
> certificate:s3_pkt.c:1256:SSL alert number 42
> 1 SSL::43:error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad
> record mac:s3_pkt.c:1256:SSL alert number 20
> 1 SSL::41:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad
> certificate:s3_pkt.c:1256:SSL alert number 42
> 1 SSL::40:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad
> certificate:s3_pkt.c:1256:SSL alert number 42
> 1 SSL::38:error:1408F119:SSL routines:SSL3_GET_RECORD:decryption
> failed or bad record mac:s3_pkt.c:484:
> 1 SSL::36:error:1408F081:SSL routines:SSL3_GET_RECORD:block cipher pad
> is wrong:s3_pkt.c:410:
> 1 SSL::35:error:1408F119:SSL routines:SSL3_GET_RECORD:decryption
> failed or bad record mac:s3_pkt.c:484:
> 1 SSL::35:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
> number:s3_pkt.c:337:
> 1 SSL::34:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad
> certificate:s3_pkt.c:1256:SSL alert number 42
> 1 SSL::34:error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad
> record mac:s3_pkt.c:1256:SSL alert number 20
> 1 SSL::33:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad
> certificate:s3_pkt.c:1256:SSL alert number 42
> 1 SSL::33:error:1408F081:SSL routines:SSL3_GET_RECORD:block cipher pad
> is wrong:s3_pkt.c:410:
> 1 SSL::32:error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad
> record mac:s3_pkt.c:1256:SSL alert number 20
> 1 SSL::32:error:1408F119:SSL routines:SSL3_GET_RECORD:decryption
> failed or bad record mac:s3_pkt.c:484:
> 1 SSL::29:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad
> certificate:s3_pkt.c:1256:SSL alert number 42
> 1 SSL::29:error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 alert
> unexpected message:s3_pkt.c:1256:SSL alert number 10
> 1 SSL::27:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
> number:s3_pkt.c:337:
> 1 SSL::25:error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad
> record mac:s3_pkt.c:1256:SSL alert number 20
> {code}
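An added example, not part of the issue or of the Traffic Server code base: the `uniq -c` output quoted above counts each error once per value of the number after `SSL::`, so one error class is spread over dozens of rows. This Python code folds that number away and decodes the packed OpenSSL error code (low 12 bits are the reason; a reason of 1000 or more is a received TLS alert, which is why alert 0, close_notify, prints as `reason(1000)`). The sample lines are constructed in the quoted format with the mail wraps rejoined, and the function names are hypothetical.

```python
import re
from collections import Counter

# TLS alert descriptions (RFC 5246), limited to the ones in the quoted output.
ALERTS = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
          42: "bad_certificate", 45: "certificate_expired", 48: "unknown_ca"}
SSL_AD_REASON_OFFSET = 1000  # OpenSSL adds this to a received alert number

# Post-`cut` form: SSL::<n>:error:<8 hex digits>:<lib>:<func>:<reason text>:...
LINE_RE = re.compile(r"SSL::\d+:error:([0-9A-Fa-f]{8}):[^:]*:([^:]*):([^:]*):")

def classify(line):
    """Return (origin, label) for one log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    reason = int(m.group(1), 16) & 0xFFF        # low 12 bits of the packed code
    if reason >= SSL_AD_REASON_OFFSET:          # alert sent by the peer
        num = reason - SSL_AD_REASON_OFFSET
        return ("peer_alert", ALERTS.get(num, "alert_%d" % num))
    return ("local_error", m.group(3).strip())  # raised by the local record layer

def summarize(lines):
    """Count error classes with the number after `SSL::` folded away."""
    counts = Counter()
    for line in lines:
        result = classify(line)
        if result:
            counts[result] += 1
    return counts

# Constructed sample lines (not copied from a real diags.log).
SAMPLE = [
    "SSL::36:error:140943E8:SSL routines:SSL3_READ_BYTES:reason(1000):s3_pkt.c:1256:SSL alert number 0",
    "SSL::32:error:140943E8:SSL routines:SSL3_READ_BYTES:reason(1000):s3_pkt.c:1256:SSL alert number 0",
    "SSL::27:error:140943E8:SSL routines:SSL3_READ_BYTES:reason(1000):s3_pkt.c:1256:SSL alert number 0",
    "SSL::36:error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate expired:s3_pkt.c:1256:SSL alert number 45",
    "SSL::44:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1256:SSL alert number 48",
    "SSL::45:error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac:s3_pkt.c:484:",
    "NOTE: constructed non-SSL line that must be skipped",
]

if __name__ == "__main__":
    for (origin, label), n in summarize(SAMPLE).most_common():
        print(f"{n:5d} {origin:11s} {label}")
```

Separating `peer_alert` from `local_error` keeps the high-volume close_notify rows apart from record-layer failures such as bad MAC or padding errors, which are the ones worth tracking over time.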