syzh
commented
4 years ago @un-def could you help to add more test to cover the more error case?
Closed toruneko closed 7 months ago
syzh
commented
4 years ago @un-def could you help to add more test to cover the more error case?
un-def
commented
4 years ago @syzh what error cases did you mean? Should we add test cases for each OpenSSL FFI call that can produce an error (in other words, cover each place where get_error is used, 8 different OpenSSL functions)?
BTW, I am not the author of this PR :) I just came across it when discovered the reason of stale global SSL error alerts in my logs.
RaidAndFade
commented
2 years ago Hello Team,
I hope this PR has not been frozen in development, as the Decrypt Failures can lead to OpenSSL SSL Handshake errors, as the NGINX SSL Handshake Flow checks for errors in the process. (and this decrypt will show up and prevent successful SSL Handshake, even with a valid certificate)
I have for now bypassed this issue by calling the ERR_get_error in my own code if the decrypt returns nil, but this PR proposes a much cleaner and more unified solution.
👍 to this PR, please seriously review this as even unrelated decrypt failures cause SSL handshake errors and prevent successful requests.
Thanks!
This patch not only improves informativity but also eliminates the following alert in the nginx log:
The alert is emitted during the successful subsequent method call.