diff options
| author | Maxim Dounin <mdounin@mdounin.ru> | 2019-02-25 16:41:15 +0300 |
|---|---|---|
| committer | Maxim Dounin <mdounin@mdounin.ru> | 2019-02-25 16:41:15 +0300 |
| commit | 2d7faa2311608fc2ce1bc47c15748c2b2ea22463 (patch) | |
| tree | a907486dd178630e8707994de5554d1f5ad64a4c /src | |
| parent | dce5823f595bc522df0ae25e3a5a6f63fd07eb2d (diff) | |
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
The "(SSL:)" snippet currently appears in logs when nginx code uses
ngx_ssl_error() to log an error, but OpenSSL's error queue is empty.
This can happen either because the error wasn't in fact from OpenSSL,
or because OpenSSL did not indicate the error in the error queue
for some reason.
In particular, currently "(SSL:)" can be seen in errors at least in
the following cases:
- When SSL_write() fails due to a syscall error,
"[info] ... SSL_write() failed (SSL:) (32: Broken pipe)...".
- When loading a certificate with no data in it,
"[emerg] PEM_read_bio_X509_AUX(...) failed (SSL:)".
This can easily happen due to an additional empty line before
the end line, so all lines of the certificate are interpreted
as header lines.
- When trying to configure an unknown curve,
"[emerg] SSL_CTX_set1_curves_list("foo") failed (SSL:)".
Likely there are other cases as well.
With this change, "(SSL:...)" will be only added to the error message
if there is something in the error queue. This is expected to make
logs more readable in the above cases. Additionally, with this change
it is now possible to use ngx_ssl_error() to log errors when some
of the possible errors are not from OpenSSL and not expected to have
anything in the error queue.
Diffstat (limited to 'src')
| -rw-r--r-- | src/event/ngx_event_openssl.c | 50 |
1 files changed, 28 insertions, 22 deletions
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c index da06a6f86..569f57731 100644 --- a/src/event/ngx_event_openssl.c +++ b/src/event/ngx_event_openssl.c @@ -2743,41 +2743,47 @@ ngx_ssl_error(ngx_uint_t level, ngx_log_t *log, ngx_err_t err, char *fmt, ...) p = ngx_vslprintf(errstr, last - 1, fmt, args); va_end(args); - p = ngx_cpystrn(p, (u_char *) " (SSL:", last - p); + if (ERR_peek_error()) { + p = ngx_cpystrn(p, (u_char *) " (SSL:", last - p); - for ( ;; ) { + for ( ;; ) { - n = ERR_peek_error_line_data(NULL, NULL, &data, &flags); + n = ERR_peek_error_line_data(NULL, NULL, &data, &flags); - if (n == 0) { - break; - } + if (n == 0) { + break; + } - /* ERR_error_string_n() requires at least one byte */ + /* ERR_error_string_n() requires at least one byte */ - if (p >= last - 1) { - goto next; - } + if (p >= last - 1) { + goto next; + } - *p++ = ' '; + *p++ = ' '; - ERR_error_string_n(n, (char *) p, last - p); + ERR_error_string_n(n, (char *) p, last - p); - while (p < last && *p) { - p++; - } + while (p < last && *p) { + p++; + } - if (p < last && *data && (flags & ERR_TXT_STRING)) { - *p++ = ':'; - p = ngx_cpystrn(p, (u_char *) data, last - p); - } + if (p < last && *data && (flags & ERR_TXT_STRING)) { + *p++ = ':'; + p = ngx_cpystrn(p, (u_char *) data, last - p); + } - next: + next: - (void) ERR_get_error(); + (void) ERR_get_error(); + } + + if (p < last) { + *p++ = ')'; + } } - ngx_log_error(level, log, err, "%*s)", p - errstr, errstr); + ngx_log_error(level, log, err, "%*s", p - errstr, errstr); } |