From: W.C.A. Wijngaards
Date: Tue, 3 Sep 2019 07:47:27 +0000 (+0200)
Subject: - squelch DNS over TLS errors 'ssl handshake failed crypto error'
X-Git-Tag: release-1.9.6rc1~117
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1089fd6dc13e7d50a2183d51b69cd0896cd3bb4f;p=thirdparty%2Funbound.git

- squelch DNS over TLS errors 'ssl handshake failed crypto error' on low verbosity, they show on verbosity 3 (query details), because there is a high volume and the operator cannot do anything for the remote failure. Specifically filters the high volume errors.
---
diff --git a/doc/Changelog b/doc/Changelog
index cf382ea84..ea45dea0f 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,9 @@
+3 September 2019: Wouter
+	- squelch DNS over TLS errors 'ssl handshake failed crypto error'
+	  on low verbosity, they show on verbosity 3 (query details), because
+	  there is a high volume and the operator cannot do anything for the
+	  remote failure. Specifically filters the high volume errors.
+
 2 September 2019: Wouter
 	- ipset module #28: log that an address is added, when verbosity high.
 	- ipset: refactor long routine into three smaller ones.
diff --git a/util/net_help.c b/util/net_help.c
index 88bfc225a..4f382077e 100644
--- a/util/net_help.c
+++ b/util/net_help.c
@@ -697,11 +697,20 @@ void sock_list_merge(struct sock_list** list, struct regional* region,
 void
 log_crypto_err(const char* str)
 {
+#ifdef HAVE_SSL
+	log_crypto_err_code(str, ERR_get_error());
+#else
+	(void)str;
+#endif /* HAVE_SSL */
+}
+
+void log_crypto_err_code(const char* str, unsigned long err)
+{
 #ifdef HAVE_SSL
 	/* error:[error code]:[library name]:[function name]:[reason string] */
 	char buf[128];
 	unsigned long e;
-	ERR_error_string_n(ERR_get_error(), buf, sizeof(buf));
+	ERR_error_string_n(err, buf, sizeof(buf));
 	log_err("%s crypto %s", str, buf);
 	while( (e=ERR_get_error()) ) {
 		ERR_error_string_n(e, buf, sizeof(buf));
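Review bot: The new definition is written as `void log_crypto_err_code(const char* str, unsigned long err)` on one line, while `log_crypto_err` two lines above (and the definitions named in this file's hunk headers) put the return type on its own line; `void` / `log_crypto_err_code(const char* str, unsigned long err)` keeps the local layout and lets git's hunk context show the function name, as it does for `log_crypto_err` in the next hunk. The function also formats whatever `err` it is handed: a caller passing 0 (what `ERR_get_error()` returns on an empty queue) gets a log line with a zero code instead of a reason, which the old code could produce too but is now reachable from any caller, so a guard such as `if(!err) { log_err("%s crypto error: no error in queue", str); return; }` would make that explicit. log_crypto_err_code's body continues past the end of the hunk.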
@@ -709,6 +718,7 @@ log_crypto_err(const char* str)
 	}
 #else
 	(void)str;
+	(void)err;
 #endif /* HAVE_SSL */
 }
 
diff --git a/util/net_help.h b/util/net_help.h
index 0b197fbdd..79e2a8349 100644
--- a/util/net_help.h
+++ b/util/net_help.h
@@ -378,6 +378,13 @@ void sock_list_merge(struct sock_list** list, struct regional* region,
  */
 void log_crypto_err(const char* str);
 
+/**
+ * Log libcrypto error from errcode with descriptive string, calls log_err.
+ * @param str: what failed.
+ * @param err: error code from ERR_get_error.
+ */
+void log_crypto_err_code(const char* str, unsigned long err);
+
 /**
  * Set SSL_OP_NOxxx options on SSL context to disable bad crypto
  * @param ctxt: SSL_CTX*
diff --git a/util/netevent.c b/util/netevent.c
index 9e2ba92b5..70cfcf4e0 100644
--- a/util/netevent.c
+++ b/util/netevent.c
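Review bot: The new doc comment on `log_crypto_err_code` documents only the entry passed in, but the implementation in util/net_help.c (the previous file's first hunk) goes on to pop and log every further entry of the thread's OpenSSL error queue with `ERR_get_error()`, so the queue is empty on return; a caller that fetches `err` itself and then decides not to call this function is left with a non-empty queue. That side effect is part of the contract and belongs in the header: ` * Also logs and drains any further errors left in the thread's error queue.` I would also state what a zero code means, e.g. ` * @param err: error code from ERR_get_error; 0 (empty queue) is formatted as-is.`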
@@ -1052,6 +1052,28 @@ log_cert(unsigned level, const char* str, X509* cert)
 }
 #endif /* HAVE_SSL */
 
+#ifdef HAVE_SSL
+/** true if the ssl handshake error has to be squelched from the logs */
+static int
+squelch_err_ssl_handshake(unsigned long err)
+{
+	if(verbosity >= VERB_QUERY)
+		return 0; /* only squelch on low verbosity */
+	/* this is very specific, we could filter on ERR_GET_REASON()
+	 * (the third element in ERR_PACK) */
+	if(err == ERR_PACK(ERR_LIB_SSL, SSL_F_SSL3_GET_RECORD, SSL_R_HTTPS_PROXY_REQUEST) ||
+	   err == ERR_PACK(ERR_LIB_SSL, SSL_F_SSL3_GET_RECORD, SSL_R_HTTP_REQUEST) ||
+	   err == ERR_PACK(ERR_LIB_SSL, SSL_F_SSL3_GET_RECORD, SSL_R_WRONG_VERSION_NUMBER) ||
+	   err == ERR_PACK(ERR_LIB_SSL, SSL_F_SSL3_READ_BYTES, SSL_R_SSLV3_ALERT_BAD_CERTIFICATE) ||
+	   err == ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_POST_PROCESS_CLIENT_HELLO, SSL_R_NO_SHARED_CIPHER) ||
+	   err == ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL) ||
+	   err == ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_UNSUPPORTED_PROTOCOL) ||
+	   err == ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_VERSION_TOO_LOW))
+		return 1;
+	return 0;
+}
+#endif /* HAVE_SSL */
+
 /** continue ssl handshake */
 #ifdef HAVE_SSL
 static int
@@ -1096,9 +1118,12 @@ ssl_handshake(struct comm_point* c)
 				strerror(errno));
 			return 0;
 		} else {
-			log_crypto_err("ssl handshake failed");
-			log_addr(1, "ssl handshake failed", &c->repinfo.addr,
-				c->repinfo.addrlen);
+			unsigned long err = ERR_get_error();
+			if(!squelch_err_ssl_handshake(err)) {
+				log_crypto_err_code("ssl handshake failed", err);
+				log_addr(1, "ssl handshake failed", &c->repinfo.addr,
+					c->repinfo.addrlen);
+			}
 			return 0;
 		}
 	}
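Review bot: `squelch_err_ssl_handshake` compares against full `ERR_PACK(lib, func, reason)` triples, which ties the filter to OpenSSL's internal function codes: if any of the `SSL_F_*`/`SSL_R_*` names used here is missing from the library a build is made against (older OpenSSL releases or LibreSSL/BoringSSL would need checking) the block fails to compile under HAVE_SSL, and a release that renumbers or retires function codes silently stops squelching. The hunk's own comment already names the alternative; testing `ERR_GET_LIB(err) == ERR_LIB_SSL` and switching on `ERR_GET_REASON(err)` keeps working across those changes, and each reason name can sit behind its own `#ifdef` where availability is in doubt. This widens the match to the same reason raised from other functions, which for a log filter is acceptable and should be said in the comment, together with the OpenSSL version the codes were taken from.
```c
static int
squelch_err_ssl_handshake(unsigned long err)
{
	if(verbosity >= VERB_QUERY)
		return 0; /* only squelch on low verbosity */
	/* match on library and reason only: function codes are internal
	 * to OpenSSL and differ between releases and forks */
	if(ERR_GET_LIB(err) != ERR_LIB_SSL)
		return 0;
	switch(ERR_GET_REASON(err)) {
	case SSL_R_HTTPS_PROXY_REQUEST:
	case SSL_R_HTTP_REQUEST:
	case SSL_R_WRONG_VERSION_NUMBER:
	case SSL_R_SSLV3_ALERT_BAD_CERTIFICATE:
	case SSL_R_NO_SHARED_CIPHER:
	case SSL_R_UNKNOWN_PROTOCOL:
	case SSL_R_UNSUPPORTED_PROTOCOL:
	case SSL_R_VERSION_TOO_LOW:
		return 1;
	default:
		return 0;
	}
}
```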
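Review bot: When `squelch_err_ssl_handshake(err)` returns true the new branch returns 0 with only the first entry popped, leaving any further entries in the thread's OpenSSL error queue; the removed code drained them through `log_crypto_err`'s loop, and the new code only drains when it logs. Per OpenSSL's SSL_get_error documentation the queue must be empty before the next TLS I/O call for the result to be reliable, so a stale entry can be attributed to the next connection handled by this thread. The squelched path should clear it: `} else { ERR_clear_error(); }` after the `if(!squelch_err_ssl_handshake(err))` block, or an unconditional `ERR_clear_error();` before `return 0;`. ssl_handshake's body starts and ends outside the hunk.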