[PATCH 2 of 2] SSL: logging levels of errors observed with BoringSSL
Maxim Dounin
mdounin at mdounin.ru
Thu Apr 23 02:43:50 UTC 2026
# HG changeset patch
# User Maxim Dounin <mdounin at mdounin.ru>
# Date 1776912204 -10800
# Thu Apr 23 05:43:24 2026 +0300
# Node ID 82d41494c3cbd93fd0f04d77758d1011f9ddbb0b
# Parent b49a45f7121b199c9e5fce6e3a1359fd6deb1943
SSL: logging levels of errors observed with BoringSSL.
The following client-related errors were observed during tlsfuzzer runs
with BoringSSL:
SSL_do_handshake() failed (SSL: error:100000f3:SSL routines:OPENSSL_internal:WRONG_CURVE)
SSL_do_handshake() failed (SSL: error:10000083:SSL routines:OPENSSL_internal:CLIENTHELLO_PARSE_FAILED)
Accordingly, the SSL_R_WRONG_CURVE and SSL_R_CLIENTHELLO_PARSE_FAILED
errors are now logged at the "info" level.
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -4090,6 +4090,9 @@ ngx_ssl_connection_error(ngx_connection_
|| n == SSL_R_BAD_KEY_UPDATE /* 122 */
#endif
|| n == SSL_R_BLOCK_CIPHER_PAD_IS_WRONG /* 129 */
+#ifdef SSL_R_CLIENTHELLO_PARSE_FAILED
+ || n == SSL_R_CLIENTHELLO_PARSE_FAILED /* 131 */
+#endif
|| n == SSL_R_CCS_RECEIVED_EARLY /* 133 */
#ifdef SSL_R_DECODE_ERROR
|| n == SSL_R_DECODE_ERROR /* 137 */
@@ -4151,6 +4154,9 @@ ngx_ssl_connection_error(ngx_connection_
#ifdef SSL_R_NO_APPLICATION_PROTOCOL
|| n == SSL_R_NO_APPLICATION_PROTOCOL /* 235 */
#endif
+#ifdef SSL_R_WRONG_CURVE
+ || n == SSL_R_WRONG_CURVE /* 243 */
+#endif
|| n == SSL_R_UNEXPECTED_MESSAGE /* 244 */
|| n == SSL_R_UNEXPECTED_RECORD /* 245 */
|| n == SSL_R_UNKNOWN_ALERT_TYPE /* 246 */
More information about the nginx-devel
mailing list