Re: SSL errors, verbosity level
Thanks Maxim and those two patches are now merged upstream:
http://mailman.nginx.org/pipermail/nginx-devel/2018-July/011287.html
http://mailman.nginx.org/pipermail/nginx-devel/2018-July/011288.html

On Fri, Jul 13, 2018 at 4:13 AM, Richard Stanway wrote:
> I'd also like to voice support for having this patch upstream. I've been
> using a similar patch ever since requiring TLS 1.2 as the error log is
> filled with "critical" version errors otherwise.
>
> On Wed, Jul 11, 2018 at 9:03 PM shiz wrote:
>> > Since you are using newer openssl, you may want to apply this patch
>>
>> I agree, many thanks to Piotr Sikora and to you, Frank!
>>
>> 2nd patch applied as well.
>>
>> My error log is a lot more readable now. I can see those real critical
>> messages without being cluttered by meaningless/unfixable SSL issues.
>>
>> Any chance those are merged into nginx 1.15.2?
>>
>> Posted at Nginx Forum: https://forum.nginx.org/read.php?2,280446,280504#msg-280504

___
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Re: SSL errors, verbosity level
I'd also like to voice support for having this patch upstream. I've been using a similar patch ever since requiring TLS 1.2 as the error log is filled with "critical" version errors otherwise.

On Wed, Jul 11, 2018 at 9:03 PM shiz wrote:
> > Since you are using newer openssl, you may want to apply this patch
>
> I agree, many thanks to Piotr Sikora and to you, Frank!
>
> 2nd patch applied as well.
>
> My error log is a lot more readable now. I can see those real critical
> messages without being cluttered by meaningless/unfixable SSL issues.
>
> Any chance those are merged into nginx 1.15.2?
>
> Posted at Nginx Forum: https://forum.nginx.org/read.php?2,280446,280504#msg-280504
Re: SSL errors, verbosity level
> Since you are using newer openssl, you may want to apply this patch

I agree, many thanks to Piotr Sikora and to you, Frank!

2nd patch applied as well.

My error log is a lot more readable now. I can see those real critical messages without being cluttered by meaningless/unfixable SSL issues.

Any chance those are merged into nginx 1.15.2?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,280446,280504#msg-280504
Re: SSL errors, verbosity level
Glad it works and thanks Piotr Sikora for the patch!

Since you are using newer openssl, you may want to apply this patch:
https://nginx.googlesource.com/nginx/+/ec0b8aad6ca3cb37e03d1c06e42f110e4737af1f%5E%21/

On Wed, Jul 11, 2018 at 6:18 AM, shiz wrote:
> > Those unsupported ssl version messages should be in "info" level
>
> That is a very useful patch, many thanks Frank
>
> Posted at Nginx Forum: https://forum.nginx.org/read.php?2,280446,280496#msg-280496
Re: SSL errors, verbosity level
> Those unsupported ssl version messages should be in "info" level

That is a very useful patch, many thanks Frank

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,280446,280496#msg-280496
Re: SSL errors, verbosity level
Those unsupported ssl version messages should be in "info" level instead of "crit", just like other SSL related errors. Applying the patch below should make your error log cleaner:
https://nginx.googlesource.com/nginx/+/6853c9c868504432ffadb8a7ca58ce8e50a83450%5E%21/

On Sat, Jul 7, 2018 at 8:38 AM, shiz wrote:
> Hi,
>
> I see those messages in my error logs daily.
>
> ```
> 2018/07/07 08:01:32 [crit] 31935#31935: *342781 SSL_do_handshake() failed (SSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol) while SSL handshaking, client: 173.208.91.177, server: 0.0.0.0:443
> 2018/07/07 08:06:24 [crit] 31939#31939: *343099 SSL_do_handshake() failed (SSL: error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low) while SSL handshaking, client: 141.212.122.16, server: 0.0.0.0:443
> ```
>
> Is there a way to increase verbosity, i.e. which protocol is unsupported?
> Which version is too low?
>
> Nginx 1.15.1, supporting TLSv1.2, TLSv1.3 draft 23, OpenSSL-1.1.1-pre2
>
> Not sure if it could be done within nginx, maybe OpenSSL source has to be
> edited?
>
> Posted at Nginx Forum: https://forum.nginx.org/read.php?2,280446,280446#msg-280446
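A small triage script, added here as an example and not part of the thread or of nginx itself, that applies the same distinction the patch makes on the log side: it parses error-log lines in the format quoted above (the first two sample lines are modelled on shiz's, the other two are constructed) and treats "unsupported protocol" / "version too low" handshake failures as info while keeping every other [crit] entry visible.

```python
import re
from collections import Counter

# Constructed sample lines: the first two are modelled on the ones quoted in the
# thread, the rest are made up (a real SSL failure and a non-SSL [crit] entry).
# "XXXXXXXX" is a placeholder, not a real OpenSSL error code.
SAMPLE_LOG = """\
2018/07/07 08:01:32 [crit] 31935#31935: *342781 SSL_do_handshake() failed (SSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol) while SSL handshaking, client: 173.208.91.177, server: 0.0.0.0:443
2018/07/07 08:06:24 [crit] 31939#31939: *343099 SSL_do_handshake() failed (SSL: error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low) while SSL handshaking, client: 141.212.122.16, server: 0.0.0.0:443
2018/07/07 08:07:01 [crit] 31939#31939: *343120 SSL_do_handshake() failed (SSL: error:XXXXXXXX:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate) while SSL handshaking, client: 192.0.2.10, server: 0.0.0.0:443
2018/07/07 08:08:00 [crit] 31935#31935: *343140 open() "/var/run/nginx.pid" failed (13: Permission denied)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[(?P<level>\w+)\] (?P<pid>\d+)#\d+: (?:\*(?P<conn>\d+) )?(?P<msg>.*)$"
)
SSL_RE = re.compile(
    r"SSL_do_handshake\(\) failed \(SSL: error:(?P<code>\w+):SSL routines:"
    r"(?P<func>[^:]+):(?P<reason>[^)]+)\) while SSL handshaking, client: (?P<client>[^,]+)"
)
# Reasons the thread's patch moves from "crit" to "info": a client offering a
# protocol version the server does not accept is its problem, not the server's.
VERSION_MISMATCH_REASONS = {"unsupported protocol", "version too low"}

def classify(line):
    """Parse one error-log line; return its fields plus the level it deserves after triage."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = {"level": m["level"], "msg": m["msg"], "client": None, "reason": None,
             "effective_level": m["level"]}
    s = SSL_RE.search(m["msg"])
    if s:
        entry.update(client=s["client"], reason=s["reason"])
        if s["reason"] in VERSION_MISMATCH_REASONS:
            entry["effective_level"] = "info"  # noise from old/misconfigured clients
    return entry

def triage(log_text):
    """Count entries by effective level and reason; real crits stay visible."""
    counts = Counter()
    real_crits = []
    for line in log_text.splitlines():
        e = classify(line)
        if e is None:
            continue
        counts[(e["effective_level"], e["reason"] or "non-ssl")] += 1
        if e["effective_level"] == "crit":
            real_crits.append(e["msg"])
    return counts, real_crits
```

Running `triage(SAMPLE_LOG)` on the sample leaves two genuine crit entries (the bad-certificate alert and the pid-file error) and demotes the two version-mismatch lines to info.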
Re: SSL errors, verbosity level
> You may want to update OpenSSL.

Thanks, but I did, and almost no browser was able to use draft 26 or 28. Therefore I downgraded OpenSSL from 1.1.1-pre8 to 1.1.1-pre2 (draft 23). Although TLS 1.3 has been finalized, OpenSSL 1.1.1 is still work in progress.

Tested with latest Opera, Palemoon, Blackhawk, Vivaldi and Slimjet. I don't use Chrome nor Firefox.

Had to disable CT too, as it was generating way too many errors from older browsers. Seems this project is unmaintained for a year.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,280446,280486#msg-280486
Re: SSL errors, verbosity level
> On 7 Jul 2018, at 18:38, shiz wrote:
>
> Hi,
>
> I see those messages in my error logs daily.
>
> ```
> 2018/07/07 08:01:32 [crit] 31935#31935: *342781 SSL_do_handshake() failed (SSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol) while SSL handshaking, client: 173.208.91.177, server: 0.0.0.0:443
> 2018/07/07 08:06:24 [crit] 31939#31939: *343099 SSL_do_handshake() failed (SSL: error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low) while SSL handshaking, client: 141.212.122.16, server: 0.0.0.0:443
> ```
>
> Is there a way to increase verbosity, i.e. which protocol is unsupported?
> Which version is too low?
>
> Nginx 1.15.1, supporting TLSv1.2, TLSv1.3 draft 23, OpenSSL-1.1.1-pre2
>
> Not sure if it could be done within nginx, maybe OpenSSL source has to be
> edited?

This may be caused by a TLSv1.3 version draft mismatch as found in CH supported_versions. You may want to update OpenSSL.

--
Sergey Kandaurov