[SERVER-11806] Distinct SSL messages for distinct causes of closed connections Created: 21/Nov/13  Updated: 14/Apr/17  Resolved: 03/Dec/13

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 2.5.3
Fix Version/s: 2.5.5

Type: Bug Priority: Major - P3
Reporter: Kevin Pulo Assignee: Andreas Nilsson
Resolution: Done Votes: 0
Labels: logging, ssl
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
is depended on by SERVER-11807 Idle SSL replset has SSL errors and s... Closed
Related
Operating System: ALL
Participants:
Case:

 Description   

The log messages for SSL_ERROR_ZERO_RETURN and SSL_ERROR_SYSCALL are the same: "SSL network connection closed", as an error in 2.5.3 and at loglevel 3 in 2.5.4. Although this is true, the former case is a potentially normal, to be expected event in the lifetime of an SSL connection (particularly during the initial connect), whereas the latter is an unexpected condition (either an IO error, or an EOF in violation of the SSL protocol). Thus, the log behaviour in the two cases should reflect this, rather than conflating the two.

In previous versions, SSL_ERROR_ZERO_RETURN was logged as an error, whereas the LOG(3) is more appropriate. In this case, throwing a SocketException is not appropriate, since no actual error has occurred.

According to the SSL_get_error() manpage (1.0.1c, snippets below), in the case of SSL_ERROR_SYSCALL, if ret != 0, then we should use emit an error based on getSSLErrorMessage(ret) (like for SSL_ERROR_SSL).

However, if ret == 0, then if code == 0 (called ret in the manpage), then we should emit an error such as "SSL protocol violating EOF", otherwise if code == -1 then report errno before throwing the SocketException.

SSL_ERROR_ZERO_RETURN
    The TLS/SSL connection has been closed.  If the protocol version is SSL 3.0 or TLS 1.0, this result code
    is returned only if a closure alert has occurred in the protocol, i.e. if the connection has been closed
    cleanly. Note that in this case SSL_ERROR_ZERO_RETURN does not necessarily indicate that the underlying
    transport has been closed.
 
SSL_ERROR_SYSCALL
    Some I/O error occurred.  The OpenSSL error queue may contain more information on the error.  If the
    error queue is empty (i.e. ERR_get_error() returns 0), ret can be used to find out more about the error:
    If ret == 0, an EOF was observed that violates the protocol.  If ret == -1, the underlying BIO reported
    an I/O error (for socket I/O on Unix systems, consult errno for details).

Bonus points for swapping ret and code in SSLManager::_handleSSLError() so that they match OpenSSL's convention, avoiding confusion such as in the previous two paragraphs.



 Comments   
Comment by Githook User [ 02/Dec/13 ]

Author:

{u'username': u'agralius', u'name': u'Andreas Nilsson', u'email': u'andreas.nilsson@10gen.com'}

Message: SERVER-11806 Distinct errors for SSL connection closes
Branch: master
https://github.com/mongodb/mongo/commit/253ca6ed273c963aa4842f0b5447d2f3bd429a53

Generated at Thu Feb 08 03:26:48 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.