- squelch DNS over TLS errors 'ssl handshake failed crypto error'
authorW.C.A. Wijngaards <wouter@nlnetlabs.nl>
Tue, 3 Sep 2019 07:47:27 +0000 (09:47 +0200)
committerW.C.A. Wijngaards <wouter@nlnetlabs.nl>
Tue, 3 Sep 2019 07:47:27 +0000 (09:47 +0200)
  on low verbosity, they show on verbosity 3 (query details), because
  there is a high volume and the operator cannot do anything for the
  remote failure.  Specifically filters the high volume errors.

doc/Changelog
util/net_help.c
util/net_help.h
util/netevent.c

index cf382ea844aaa95252414947e42c8c3b601de1f2..ea45dea0f0f08991ddf2047deefc8a6dabdf860c 100644 (file)
@@ -1,3 +1,9 @@
+3 September 2019: Wouter
+       - squelch DNS over TLS errors 'ssl handshake failed crypto error'
+         on low verbosity, they show on verbosity 3 (query details), because
+         there is a high volume and the operator cannot do anything for the
+         remote failure.  Specifically filters the high volume errors.
+
 2 September 2019: Wouter
        - ipset module #28: log that an address is added, when verbosity high.
        - ipset: refactor long routine into three smaller ones.
index 88bfc225a8e44d08f0256fe7f07450f986377f81..4f382077e8e8de129188878c743c9847a548cfb0 100644 (file)
@@ -697,11 +697,20 @@ void sock_list_merge(struct sock_list** list, struct regional* region,
 void
 log_crypto_err(const char* str)
 {
+#ifdef HAVE_SSL
+       log_crypto_err_code(str, ERR_get_error());
+#else
+       (void)str;
+#endif /* HAVE_SSL */
+}
+
+void log_crypto_err_code(const char* str, unsigned long err)
+{
 #ifdef HAVE_SSL
        /* error:[error code]:[library name]:[function name]:[reason string] */
        char buf[128];
        unsigned long e;
-       ERR_error_string_n(ERR_get_error(), buf, sizeof(buf));
+       ERR_error_string_n(err, buf, sizeof(buf));
        log_err("%s crypto %s", str, buf);
        while( (e=ERR_get_error()) ) {
                ERR_error_string_n(e, buf, sizeof(buf));
@@ -709,6 +718,7 @@ log_crypto_err(const char* str)
        }
 #else
        (void)str;
+       (void)err;
 #endif /* HAVE_SSL */
 }
 
index 0b197fbdd6e73e411ae11c0579d7be60ef31ef15..79e2a834931a0111bf70cdddaa06170c58b6bb0c 100644 (file)
@@ -378,6 +378,13 @@ void sock_list_merge(struct sock_list** list, struct regional* region,
  */
 void log_crypto_err(const char* str);
 
+/**
+ * Log libcrypto error from errcode with descriptive string, calls log_err.
+ * @param str: what failed.
+ * @param err: error code from ERR_get_error.
+ */
+void log_crypto_err_code(const char* str, unsigned long err);
+
 /**
  * Set SSL_OP_NOxxx options on SSL context to disable bad crypto
  * @param ctxt: SSL_CTX*
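Review bot: The new doc comment for log_crypto_err_code does not mention that the function also drains the thread's OpenSSL error queue: in the util/net_help.c hunk on this page it logs `err` and then loops on `ERR_get_error()` until the queue is empty, so any entries a caller left queued after pulling `err` are logged and consumed here too. A caller that has already decided what to do with the rest of the queue would not expect that. I would extend the `@param err` comment along the lines of `@param err: error code from ERR_get_error. Any further errors still queued for this thread are logged as well and the queue is left empty.`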
index 9e2ba92b5fdfa5b5a83f90e3b2865362fa9e4783..70cfcf4e013e6a7446a6431101bb377d01daa714 100644 (file)
@@ -1052,6 +1052,28 @@ log_cert(unsigned level, const char* str, X509* cert)
 }
 #endif /* HAVE_SSL */
 
+#ifdef HAVE_SSL
+/** true if the ssl handshake error has to be squelched from the logs */
+static int
+squelch_err_ssl_handshake(unsigned long err)
+{
+       if(verbosity >= VERB_QUERY)
+               return 0; /* only squelch on low verbosity */
+       /* this is very specific, we could filter on ERR_GET_REASON()
+        * (the third element in ERR_PACK) */
+       if(err == ERR_PACK(ERR_LIB_SSL, SSL_F_SSL3_GET_RECORD, SSL_R_HTTPS_PROXY_REQUEST) ||
+               err == ERR_PACK(ERR_LIB_SSL, SSL_F_SSL3_GET_RECORD, SSL_R_HTTP_REQUEST) ||
+               err == ERR_PACK(ERR_LIB_SSL, SSL_F_SSL3_GET_RECORD, SSL_R_WRONG_VERSION_NUMBER) ||
+               err == ERR_PACK(ERR_LIB_SSL, SSL_F_SSL3_READ_BYTES, SSL_R_SSLV3_ALERT_BAD_CERTIFICATE) ||
+               err == ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_POST_PROCESS_CLIENT_HELLO, SSL_R_NO_SHARED_CIPHER) ||
+               err == ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL) ||
+               err == ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_UNSUPPORTED_PROTOCOL) ||
+               err == ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_VERSION_TOO_LOW))
+               return 1;
+       return 0;
+}
+#endif /* HAVE_SSL */
+
 /** continue ssl handshake */
 #ifdef HAVE_SSL
 static int
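Review bot: The match in squelch_err_ssl_handshake is keyed on SSL_F_* function codes, which is fragile: as far as I know those macros are not present in every OpenSSL/LibreSSL release (e.g. SSL_F_TLS_POST_PROCESS_CLIENT_HELLO and SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO are 1.1.x-era names) and in OpenSSL 3.0 function codes are deprecated and no longer packed into the error value, so an exact ERR_PACK comparison either fails to compile or silently stops matching, which would bring the log flood back. The hunk's own comment already points at the alternative: compare ERR_GET_LIB(err) and ERR_GET_REASON(err) only, and wrap the version-specific SSL_R_* names in `#ifdef` so older headers still build. That is what the rewrite below does; it keeps the same set of reasons and the same verbosity gate.
```c
static int
squelch_err_ssl_handshake(unsigned long err)
{
	if(verbosity >= VERB_QUERY)
		return 0; /* only squelch on low verbosity */
	/* match on library and reason only; SSL_F_* function codes differ
	 * between OpenSSL versions and are gone in OpenSSL 3.0 */
	if(ERR_GET_LIB(err) != ERR_LIB_SSL)
		return 0;
	switch(ERR_GET_REASON(err)) {
	case SSL_R_HTTPS_PROXY_REQUEST:
	case SSL_R_HTTP_REQUEST:
	case SSL_R_WRONG_VERSION_NUMBER:
	case SSL_R_SSLV3_ALERT_BAD_CERTIFICATE:
	case SSL_R_NO_SHARED_CIPHER:
	case SSL_R_UNKNOWN_PROTOCOL:
	case SSL_R_UNSUPPORTED_PROTOCOL:
#ifdef SSL_R_VERSION_TOO_LOW
	case SSL_R_VERSION_TOO_LOW:
#endif
		return 1;
	default:
		return 0;
	}
}
```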
@@ -1096,9 +1118,12 @@ ssl_handshake(struct comm_point* c)
                                        strerror(errno));
                        return 0;
                } else {
-                       log_crypto_err("ssl handshake failed");
-                       log_addr(1, "ssl handshake failed", &c->repinfo.addr,
-                               c->repinfo.addrlen);
+                       unsigned long err = ERR_get_error();
+                       if(!squelch_err_ssl_handshake(err)) {
+                               log_crypto_err_code("ssl handshake failed", err);
+                               log_addr(1, "ssl handshake failed", &c->repinfo.addr,
+                                       c->repinfo.addrlen);
+                       }
                        return 0;
                }
        }
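Review bot: When squelch_err_ssl_handshake returns true, only the one entry pulled by `ERR_get_error()` leaves the thread's error queue; the draining loop lives inside log_crypto_err_code (see the util/net_help.c hunk above) and is skipped on this path. Any further entries OpenSSL queued for the failed handshake then stay behind and are attributed to the next SSL call on this thread, which can change what SSL_get_error reports for an unrelated connection. I would add an else arm that empties the queue: `} else {` / `	ERR_clear_error(); /* squelched: drop the rest of the queue too */` / `}`. ssl_handshake starts before this hunk, so I could not check whether an earlier branch already clears the queue.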