From 61944f7a73b1762771b15c95d3e74780d0cdc4cd Mon Sep 17 00:00:00 2001
From: Remi Tricot-Le Breton <rlebreton@haproxy.com>
Date: Wed, 29 Sep 2021 18:56:51 +0200
Subject: [PATCH] MINOR: ssl: Set connection error code in case of SSL read or
 write fatal failure

In case of a connection error happening after the SSL handshake is
completed, the error code stored in the connection structure would not
always be set, hence having some connection failures being described as
successful in the fc_conn_err or bc_conn_err sample fetches.
The most common case in which it could happen is when the SSL server
rejects the client's certificate. The SSL_do_handshake call on the
client side would be sucessful because the client effectively sent its
client hello and certificate information to the server, but the next
call to SSL_read on the client side would raise an SSL_ERROR_SSL code
(through the SSL_get_error function) which is decribed in OpenSSL
documentation as a non-recoverable and fatal SSL error.
This patch ensures that in such a case, the connection's error code is
set to a special CO_ERR_SSL_FATAL value.
---
 doc/configuration.txt          | 1 +
 include/haproxy/connection-t.h | 2 ++
 include/haproxy/connection.h   | 2 ++
 src/ssl_sock.c                 | 6 ++++++
 4 files changed, 11 insertions(+)

diff --git a/doc/configuration.txt b/doc/configuration.txt
index a7e8cdd80f..5b0aad2f0c 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -18030,6 +18030,7 @@ fc_conn_err_str : string
   | 40 | "SOCKS4 Proxy read error during handshake"                                |
   | 41 | "SOCKS4 Proxy deny the request"                                           |
   | 42 | "SOCKS4 Proxy handshake aborted by server"                                |
+  | 43 | "SSL fatal error"                                                         |
   +----+---------------------------------------------------------------------------+
 
 fc_http_major : integer
diff --git a/include/haproxy/connection-t.h b/include/haproxy/connection-t.h
index ed41cff824..4e4b65ee87 100644
--- a/include/haproxy/connection-t.h
+++ b/include/haproxy/connection-t.h
@@ -250,6 +250,8 @@ enum {
 	CO_ER_SOCKS4_RECV,       /* SOCKS4 Proxy read error during handshake */
 	CO_ER_SOCKS4_DENY,       /* SOCKS4 Proxy deny the request */
 	CO_ER_SOCKS4_ABORT,      /* SOCKS4 Proxy handshake aborted by server */
+
+	CO_ERR_SSL_FATAL,        /* SSL fatal error during a SSL_read or SSL_write */
 };
 
 /* error return codes for accept_conn() */
diff --git a/include/haproxy/connection.h b/include/haproxy/connection.h
index 77afb2bb00..7e5ee7e8ca 100644
--- a/include/haproxy/connection.h
+++ b/include/haproxy/connection.h
@@ -834,6 +834,8 @@ static inline const char *conn_err_code_str(struct connection *c)
 	case CO_ER_SOCKS4_RECV:    return "SOCKS4 Proxy read error during handshake";
 	case CO_ER_SOCKS4_DENY:    return "SOCKS4 Proxy deny the request";
 	case CO_ER_SOCKS4_ABORT:   return "SOCKS4 Proxy handshake aborted by server";
+
+	case CO_ERR_SSL_FATAL:     return "SSL fatal error";
 	}
 	return NULL;
 }
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index b5da625fd2..285a7c6ee3 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -6185,6 +6185,9 @@ static size_t ssl_sock_to_buf(struct connection *conn, void *xprt_ctx, struct bu
 				break;
 			} else if (ret == SSL_ERROR_ZERO_RETURN)
 				goto read0;
+			else if (ret == SSL_ERROR_SSL) {
+				conn->err_code = CO_ERR_SSL_FATAL;
+			}
 			/* For SSL_ERROR_SYSCALL, make sure to clear the error
 			 * stack before shutting down the connection for
 			 * reading. */
@@ -6346,6 +6349,9 @@ static size_t ssl_sock_from_buf(struct connection *conn, void *xprt_ctx, const s
 #endif
 				break;
 			}
+			else if (ret == SSL_ERROR_SSL || ret == SSL_ERROR_SYSCALL) {
+				conn->err_code = CO_ERR_SSL_FATAL;
+			}
 			goto out_error;
 		}
 	}
-- 
2.39.5