MINOR: ssl: Set connection error code in case of SSL read or write fatal failure

In case of a connection error happening after the SSL handshake is completed, the error code stored in the connection structure would not always be set, hence having some connection failures being described as successful in the fc_conn_err or bc_conn_err sample fetches. The most common case in which it could happen is when the SSL server rejects the client's certificate. The SSL_do_handshake call on the client side would be sucessful because the client effectively sent its client hello and certificate information to the server, but the next call to SSL_read on the client side would raise an SSL_ERROR_SSL code (through the SSL_get_error function) which is decribed in OpenSSL documentation as a non-recoverable and fatal SSL error. This patch ensures that in such a case, the connection's error code is set to a special CO_ERR_SSL_FATAL value.
2025-08-07 07:37:02 +02:00 · 2021-09-29 18:56:51 +02:00 · 2021-09-29 18:56:51 +02:00 · 61944f7a73
commit 61944f7a73
parent dbee2e57fd
4 changed files with 11 additions and 0 deletions
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@ -18030,6 +18030,7 @@ fc_conn_err_str : string
  | 40 | "SOCKS4 Proxy read error during handshake"                                |
  | 41 | "SOCKS4 Proxy deny the request"                                           |
  | 42 | "SOCKS4 Proxy handshake aborted by server"                                |
+  | 43 | "SSL fatal error"                                                         |
  +----+---------------------------------------------------------------------------+

 fc_http_major : integer
--- a/include/haproxy/connection-t.h
+++ b/include/haproxy/connection-t.h
@ -250,6 +250,8 @@ enum {
 	CO_ER_SOCKS4_RECV,       /* SOCKS4 Proxy read error during handshake */
 	CO_ER_SOCKS4_DENY,       /* SOCKS4 Proxy deny the request */
 	CO_ER_SOCKS4_ABORT,      /* SOCKS4 Proxy handshake aborted by server */
+
+	CO_ERR_SSL_FATAL,        /* SSL fatal error during a SSL_read or SSL_write */
 };

 /* error return codes for accept_conn() */
--- a/include/haproxy/connection.h
+++ b/include/haproxy/connection.h
@ -834,6 +834,8 @@ static inline const char *conn_err_code_str(struct connection *c)
 	case CO_ER_SOCKS4_RECV:    return "SOCKS4 Proxy read error during handshake";
 	case CO_ER_SOCKS4_DENY:    return "SOCKS4 Proxy deny the request";
 	case CO_ER_SOCKS4_ABORT:   return "SOCKS4 Proxy handshake aborted by server";
+
+	case CO_ERR_SSL_FATAL:     return "SSL fatal error";
 	}
 	return NULL;
 }
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@ -6185,6 +6185,9 @@ static size_t ssl_sock_to_buf(struct connection *conn, void *xprt_ctx, struct bu
 				break;
 			} else if (ret == SSL_ERROR_ZERO_RETURN)
 				goto read0;
+			else if (ret == SSL_ERROR_SSL) {
+				conn->err_code = CO_ERR_SSL_FATAL;
+			}
 			/* For SSL_ERROR_SYSCALL, make sure to clear the error
 			 * stack before shutting down the connection for
 			 * reading. */
@ -6346,6 +6349,9 @@ static size_t ssl_sock_from_buf(struct connection *conn, void *xprt_ctx, const s
 #endif
 				break;
 			}
+			else if (ret == SSL_ERROR_SSL || ret == SSL_ERROR_SYSCALL) {
+				conn->err_code = CO_ERR_SSL_FATAL;
+			}
 			goto out_error;
 		}
 	}