    int ssl_errno = SSL_get_error(socket->ssl, ret);

My current DEBUG messages look like this:

    DEBUG MESSAGE at ssl.c:92: ssl.c:init_openssl
    DEBUG MESSAGE at socket.c:145: socket.c:init_socket
    DEBUG MESSAGE at socket.c:271: socket.c:make_connection
    DEBUG MESSAGE at socket.c:112: socket.c:init_connection_info
    DEBUG MESSAGE at socket.c:235: socket.c:dns_found
    DEBUG MESSAGE at socket.c:595: socket.c:connect_socket
    DEBUG MESSAGE at socket.c:563: socket.c:init_bind_address
    DEBUG MESSAGE at socket.c:567: socket.c:init_bind_address INIT BIND ADDRESS PTON
    DEBUG MESSAGE at socket.c:683: socket.c:connect_socket CREATE SOCKET O.K.
    DEBUG MESSAGE at socket.c:472: socket.c:complete_connect_socket
    DEBUG MESSAGE at ssl_socket.c:435: ssl_socket.c:ssl_connect
    DEBUG MESSAGE at ssl_socket.c:442: Connectiong to 127.0.0.1 with ssl
    DEBUG MESSAGE at ssl.c:421: ssl.c:init_ssl_connection
    DEBUG MESSAGE at ssl.c:513: INIT SSL CONNECTION OK ssl.c:init_ssl_connection
    DEBUG MESSAGE at ssl_socket.c:459: INIT SSL CONNECTION O.K.
    DEBUG MESSAGE at ssl_socket.c:469: SSL attach to socket O.K.
    DEBUG MESSAGE at ssl_socket.c:555: SSL_state_string TWCH
    DEBUG MESSAGE at ssl_socket.c:556: SSL_state_string SSLv3/TLS write client hello
    DEBUG MESSAGE at ssl_socket.c:557: ssl error syscall error:00000005:lib(0):func(0):DH lib
    DEBUG MESSAGE at ssl_socket.c:558: winsock errror 10009
    DEBUG MESSAGE at socket.c:181: socket.c:close_socket
    DEBUG MESSAGE at ssl_socket.c:682: ssl_socket.c:ssl_close
    DEBUG MESSAGE at ssl.c:520: ssl.c:done_ssl_connection
    DEBUG MESSAGE at socket.c:161: socket.c:done_socket
    DEBUG MESSAGE at socket.c:130: socket.c:done_connection_info
    DEBUG MESSAGE at ssl.c:184: ssl.c:done_openssl

Would you have any educated guess on what could possibly be wrong? I just hope I'm retrieving the error codes correctly.

WSAEBADF 10009 | File handle is not valid.
The DH lib is very cryptic and winsock error code 10009 is:

So I guess the SSL_get_error shouldn't be called prior to the SSL_connect.

BTW: now I'm finally getting to the error messages and I'm getting:

The SSL_connect thread wasn't debuggable and returned error 0 and SYSCALL error. Because if this is called prior to the SSL_connect it would corrupt the stack in the connect thread on its next call. I just spent some time trying to figure out what error the SSL_connect returns.

I guess the SSL_get_error has to be called AFTER the call of SSL_connect. The value returned by that TLS/SSL I/O function must be passed to SSL_get_error() in parameter ret.

SSL_get_error() returns a result code (suitable for the C "switch" statement) for a preceding call to SSL_connect(), SSL_accept(), SSL_do_handshake(), SSL_read(), SSL_peek(), or SSL_write() on ssl.

    #define ssl_do_connect(socket) SSL_get_error((SSL *)socket->ssl, SSL_connect((SSL *)socket->ssl))

Will allow you to list all debug messages above info level (assuming you use syslog).

I'm currently trying to compile the elinks on mingw.

Will allow systemd-journald to capture all Nginx logs and administer their size. Or syslog:

    error_log syslog:server=unix:/dev/log info;

You don't mention which distribution you are using, but most systems nowadays come with SystemD so redirecting your logs to standard error:

    error_log stderr info;

Ideally I'd also like to log the reason, but already knowing that a connection was attempted but failed due to SSL would be very helpful.

All the SSL handshake errors you mention are logged by nginx at an info level, so you don't need to enable debugging.

In fact I would already be helped if I could just log the date and the IP address of any client that failed to connect due to SSL issues.

So far I enable debug logging, ask remote users who have issues with their devices to connect and record the traces, disable debug level, reload nginx and then analyze the obtained traces.
Is there any way to log detailed information only if an SSL connection was refused but have a normal error log level for all other cases? However, these logs contain loads of things which I am not interested in.

    error_log /var/log/nginx/errors_with_debug.log debug;

I can do this by increasing the error-log log level to debug.

- the device requires an outdated crypto algorithm or just a crypto algorithm that I didn't make available with my server conf.

As the devices are in remote locations and don't have easily accessible logs, I would like to be able to analyze such issues with nginx logs.

- the device is too old and would require an older protocol TLS1.1.
- the device doesn't recognize a certain CA.

Quite often I encounter the issue that some devices cannot connect. I have a web site that is visited by many different mobile devices and embedded devices.