MINOR: ssl: Set connection error code in case of SSL read or write fatal failure
In case of a connection error happening after the SSL handshake is
completed, the error code stored in the connection structure would not
always be set, hence having some connection failures being described as
successful in the fc_conn_err or bc_conn_err sample fetches.
The most common case in which it could happen is when the SSL server
rejects the client's certificate. The SSL_do_handshake call on the
client side would be sucessful because the client effectively sent its
client hello and certificate information to the server, but the next
call to SSL_read on the client side would raise an SSL_ERROR_SSL code
(through the SSL_get_error function) which is decribed in OpenSSL
documentation as a non-recoverable and fatal SSL error.
This patch ensures that in such a case, the connection's error code is
set to a special CO_ERR_SSL_FATAL value.
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index b5da625..285a7c6 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -6185,6 +6185,9 @@
break;
} else if (ret == SSL_ERROR_ZERO_RETURN)
goto read0;
+ else if (ret == SSL_ERROR_SSL) {
+ conn->err_code = CO_ERR_SSL_FATAL;
+ }
/* For SSL_ERROR_SYSCALL, make sure to clear the error
* stack before shutting down the connection for
* reading. */
@@ -6346,6 +6349,9 @@
#endif
break;
}
+ else if (ret == SSL_ERROR_SSL || ret == SSL_ERROR_SYSCALL) {
+ conn->err_code = CO_ERR_SSL_FATAL;
+ }
goto out_error;
}
}