SSL: logging level of "record layer failure" errors

The SSL_R_RECORD_LAYER_FAILURE ("record layer failure") errors are reported by OpenSSL 3.2 or newer as the last record layer error for various low level read errors. Further, a976e6b9e (1.23.4) caused to always log them at the "crit" level. For example, the following errors are observed on OpenSSL 3.2.0 - 4.0: SSL_read() failed (SSL: error:0A000119:SSL routines::decryption failed or bad record mac error:0A000139:SSL routines::record layer failure) SSL_read() failed (SSL: error:1C800066:Provider routines::cipher operation failed error:0A000119:SSL routines::decryption failed or bad record mac error:0A000139:SSL routines::record layer failure) SSL_read() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) These errors are now logged at the "info" level. Closes: https://github.com/nginx/nginx/issues/961 Co-authored-by: Smeet23 <smeetagrawal2003@gmail.com>
2026-05-13 09:36:42 +00:00 · 2026-04-16 17:57:13 +04:00 · 2026-04-16 17:57:13 +04:00 · ff8221b4db
commit ff8221b4db
parent ea72fa1d92
1 changed files with 3 additions and 0 deletions
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@ -3966,6 +3966,9 @@ ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err,
 #ifdef SSL_R_BAD_ECPOINT
            || n == SSL_R_BAD_ECPOINT                                /*  306 */
 #endif
+#ifdef SSL_R_RECORD_LAYER_FAILURE
+            || n == SSL_R_RECORD_LAYER_FAILURE                       /*  313 */
+#endif
 #ifdef SSL_R_RENEGOTIATE_EXT_TOO_LONG
            || n == SSL_R_RENEGOTIATE_EXT_TOO_LONG                   /*  335 */
            || n == SSL_R_RENEGOTIATION_ENCODING_ERR                 /*  336 */