Hi,
On Wed, Mar 01, 2023 at 05:56:04PM +0300, Maxim Dounin wrote:
> # HG changeset patch
> # User Maxim Dounin <mdou...@mdounin.ru>
> # Date 1677682426 -10800
> # Wed Mar 01 17:53:46 2023 +0300
> # Node ID 207742991a561c0ed70834d4ce18e8452689419d
> # Parent c76e163105f1eac7727ce4e6d955fecb38d93e49
> SSL: logging levels of errors observed with tlsfuzzer and LibreSSL.
>
> As tested with tlsfuzzer with LibreSSL 2.7.0, the following errors are
> certainly client-related:
LibreSSL 2.7.0 is ancient - March 21st, 2018.
> SSL_do_handshake() failed (SSL: error:14026073:SSL
> routines:ACCEPT_SR_CLNT_HELLO:bad packet length)
> SSL_do_handshake() failed (SSL: error:1402612C:SSL
> routines:ACCEPT_SR_CLNT_HELLO:ssl3 session id too long)
I could not get this one with 2.7.0, but I got it with 3.6.0.
> SSL_do_handshake() failed (SSL: error:140380EA:SSL
> routines:ACCEPT_SR_KEY_EXCH:tls rsa encrypted value length is wrong)
With 3.6.0 two more errors are reported: SSL_R_SIGNATURE_ALGORITHMS_ERROR,
SSL_R_MISSING_RSA_CERTIFICATE:
SSL_do_handshake() failed (SSL: error:1402F0FB:SSL
routines:ACCEPT_SW_KEY_EXCH:unknown pkey type error:1402F168:SSL
routines:ACCEPT_SW_KEY_EXCH:signature algorithms error)
SSL_do_handshake() failed (SSL: error:1402D0FB:SSL
routines:ACCEPT_SW_CERT:unknown pkey type error:14FFF0A8:SSL
routines:(UNKNOWN)SSL_internal:missing rsa certificate)
> Accordingly, the SSL_R_BAD_PACKET_LENGTH ("bad packet length"),
> SSL_R_SSL3_SESSION_ID_TOO_LONG ("ssl3 session id too long"),
> SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG ("tls rsa encrypted value
> length is wrong") errors are now logged at the "info" level.
>
> diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
> --- a/src/event/ngx_event_openssl.c
> +++ b/src/event/ngx_event_openssl.c
> @@ -3406,6 +3406,7 @@ ngx_ssl_connection_error(ngx_connection_
> #ifdef SSL_R_MISSING_SIGALGS_EXTENSION
> || n == SSL_R_MISSING_SIGALGS_EXTENSION /* 112
> */
> #endif
> + || n == SSL_R_BAD_PACKET_LENGTH /* 115
> */
> #ifdef SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM
> || n == SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM /* 118
> */
> #endif
> @@ -3453,6 +3454,9 @@ ngx_ssl_connection_error(ngx_connection_
> #ifdef SSL_R_CALLBACK_FAILED
> || n == SSL_R_CALLBACK_FAILED /* 234
> */
> #endif
> +#ifdef SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG
> + || n == SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG /* 234
> */
> +#endif
> #ifdef SSL_R_NO_APPLICATION_PROTOCOL
> || n == SSL_R_NO_APPLICATION_PROTOCOL /* 235
> */
> #endif
> @@ -3485,6 +3489,9 @@ ngx_ssl_connection_error(ngx_connection_
> #ifdef SSL_R_RECORD_TOO_SMALL
> || n == SSL_R_RECORD_TOO_SMALL /* 298
> */
> #endif
> +#ifdef SSL_R_SSL3_SESSION_ID_TOO_LONG
> + || n == SSL_R_SSL3_SESSION_ID_TOO_LONG /* 300
> */
> +#endif
> #ifdef SSL_R_BAD_ECPOINT
> || n == SSL_R_BAD_ECPOINT /* 306
> */
> #endif
> _______________________________________________
> nginx-devel mailing list
> nginx-devel@nginx.org
> https://mailman.nginx.org/mailman/listinfo/nginx-devel
--
Roman Arutyunyan
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel
