MINOR: connection: add a new error code for SSL with heartbeat

Users have seen a huge increase in the rate of SSL handshake failures
starting from 2014/04/08 with the release of the Heartbleed OpenSSL
vulnerability (CVE-2014-0160). Haproxy can detect that a heartbeat
was received in the incoming handshake, and such heartbeats are not
supposed to be common, so let's log a different message when a
handshake error happens after a heartbeat is detected.

This patch only adds the new message and the new code.

diff --git a/include/proto/connection.h b/include/proto/connection.h
index 8609f1774c81ad25b51782c5ef8409a8047ef6fb..dde9b8c7e53698a44bb518e00d6fa815fb1a8387 100644 (file)
--- a/include/proto/connection.h
+++ b/include/proto/connection.h
@@ -581,6 +581,7 @@ static inline const char *conn_err_code_str(struct connection *c)
        case CO_ER_SSL_CA_FAIL:   return "SSL client CA chain cannot be verified";
        case CO_ER_SSL_CRT_FAIL:  return "SSL client certificate not trusted";
        case CO_ER_SSL_HANDSHAKE: return "SSL handshake failure";
+       case CO_ER_SSL_HANDSHAKE_HB: return "SSL handshake failure after heartbeat";
        case CO_ER_SSL_NO_TARGET: return "Attempt to use SSL on an unknown target (internal error)";
        }
        return NULL;

diff --git a/include/types/connection.h b/include/types/connection.h
index 5341a86d6236cf33d1482610542ca6035377385b..84248c98ec214ae9ea06608378e57e17478a2d76 100644 (file)
--- a/include/types/connection.h
+++ b/include/types/connection.h
@@ -162,6 +162,7 @@ enum {
        CO_ER_SSL_CA_FAIL,      /* client cert verification failed in the CA chain */
        CO_ER_SSL_CRT_FAIL,     /* client cert verification failed on the certificate */
        CO_ER_SSL_HANDSHAKE,    /* SSL error during handshake */
+       CO_ER_SSL_HANDSHAKE_HB, /* SSL error during handshake with heartbeat present */
        CO_ER_SSL_NO_TARGET,    /* unkonwn target (not client nor server) */
 };