Commit 1ef51847ca4b9c548c68abee801e2ea8047e80a3 - nginx

SSL: logging levels of "unsupported protocol", "version too low". Starting with OpenSSL 1.1.0, SSL_R_UNSUPPORTED_PROTOCOL instead of SSL_R_UNKNOWN_PROTOCOL is reported when a protocol is disabled via an SSL_OP_NO_* option. Additionally, SSL_R_VERSION_TOO_LOW is reported when using MinProtocol or when seclevel checks (as set by @SECLEVEL=n in the cipher string) rejects a protocol, and this is what happens with SSLv3 and @SECLEVEL=1, which is the default. There is also the SSL_R_VERSION_TOO_HIGH error code, but it looks like it is not possible to trigger it. Maxim Dounin 3 years ago

1 changed file(s) with 4 addition(s) and 0 deletion(s). Raw diff Collapse all Expand all

-0

src/event/ngx_event_openssl.c less more

2079	2079	\|\| n == SSL_R_UNEXPECTED_RECORD /* 245 */
2080	2080	\|\| n == SSL_R_UNKNOWN_ALERT_TYPE /* 246 */
2081	2081	\|\| n == SSL_R_UNKNOWN_PROTOCOL /* 252 */
	2082	\|\| n == SSL_R_UNSUPPORTED_PROTOCOL /* 258 */
2082	2083	\|\| n == SSL_R_WRONG_VERSION_NUMBER /* 267 */
2083	2084	\|\| n == SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC /* 281 */
2084	2085	#ifdef SSL_R_RENEGOTIATE_EXT_TOO_LONG

2094	2095	#endif
2095	2096	#ifdef SSL_R_INAPPROPRIATE_FALLBACK
2096	2097	\|\| n == SSL_R_INAPPROPRIATE_FALLBACK /* 373 */
	2098	#endif
	2099	#ifdef SSL_R_VERSION_TOO_LOW
	2100	\|\| n == SSL_R_VERSION_TOO_LOW /* 396 */
2097	2101	#endif
2098	2102	\|\| n == 1000 /* SSL_R_SSLV3_ALERT_CLOSE_NOTIFY */
2099	2103	#ifdef SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE