Feature #3258

closed

openssl: peer address not logged on shutdown failure

Added by sdaoden about 1 month ago. Updated about 1 month ago.

Status:
Wontfix
Priority:
Low
Category:
TLS
Target version:
-
ASK QUESTIONS IN Forums:
No

Description

Hello.
For rewriting my simple log parser I had a log saved in May, and am now doing it in July.
This is from an AlpineLinux [edge] instance:

  May 17 18:24:31 lighttpd[5900]: (../src/mod_openssl.c.3674) SSL (error): 5 -1: Bad message
  Jul 24 07:23:00 lighttpd[31710]: (../src/mod_openssl.c.3674) SSL (error): 5 -1: Bad message

It seems the code is still such in git master as of 3bc0bc2f81.
If the above would happen as part of an attack, say, I cannot do anything with it because the peer address is missing. (The code is doing connection shutdown, and so it may think that that is a thing of the past.)

It is no problem in my practice; I only have a few occurrences. (I match on SSL or SSL: in $2 of a cleaned up line via awk, then look around for what looks like an address.)

Actions #1

Updated by gstrauss about 1 month ago · Edited

  • Subject changed from openssl: peer address not logged on shutdow failure to openssl: peer address not logged on shutdown failure
  • Status changed from New to Wontfix
  • Priority changed from Normal to Low
  • Target version deleted (1.4.xx)

Your communication style is extremely poor.

lighttpd does not provide the remote IP address in every error message.

If you think this message should include the remote IP address, then please explain why and provide factual and observational justification. (Omit opinions.)

"Because the remote IP is not there in the error message" is not a defensible "reason".

"Because sdaoden does not know what TLS alert CLOSE_NOTIFY signifies" is also not a reason.

"Because sdaoden suggests that this is an attack" is lacking evidence.

Should lighttpd report this at all, or should lighttpd be silent? In your posts on IRC and your seeming allergy to post questions in the Forums, you have not demonstrated competency to have this discussion.

If you continue to have a seeming allergy to posting questions in the Forums, and continue to make poorly worded feature requests, I will lock your account on this site. Please stop wasting everyone's time.

Actions #2

Updated by sdaoden about 1 month ago

Your communication style is extremely poor.

Granted. My English is not the best, either.

lighttpd does not provide the remote IP address in every error message.

Yes, that is the problem. When making firewall decisions through log parsing, such error messages are entirely useless.

If you think this message should include the remote IP address, then please explain why and provide factual and observational justification. (Omit opinions.)

I hope I have done so now. "Lock account", pffh. Really.

Actions #3

Updated by gstrauss about 1 month ago

I hope I have done so now.

You have not. You merely repeated that the IP is not in the log message. I can tell you want to do something with this log line. I would suggest the thing that you do is learn what it means before acting on it or posting uninformed judgment -- a pattern you seem to repeat ad infinitum.

You have not searched this site for previous discussions about CLOSE_NOTIFY, and you clearly do not understand what it means and how/why you might (or might not) react with your firewall, if reacting by changing your firewall is appropriate.

Many simple clients might not properly handle TLS alert CLOSE_NOTIFY and might simply close the socket. Similarly, network disconnections might occur, outside the control of client or server.

Use the forums to ask questions, or stop posting. Pick one of those two options.
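The reporter's approach (match on "SSL" or "SSL:" in the error line, then look around for an address) and the maintainer's point that a single such error is not evidence of anything can be combined into a parser that keeps address-less lines out of any firewall decision. The following is an added example, not lighttpd's or the reporter's code. Only the two "Bad message" lines are the ones quoted in the issue; every other sample line, including the "handshake failure from ADDR" message format, is constructed for this example and is not real lighttpd output.

```python
"""Classify lighttpd mod_openssl SSL error lines by whether a peer address is present.

Added example; not lighttpd code. Sample lines other than the two quoted in the
issue are constructed, and their message wording is made up for the example.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample log: lines 1-2 are the ones quoted in the issue, the rest are made up.
SAMPLE_LOG = """\
May 17 18:24:31 lighttpd[5900]: (../src/mod_openssl.c.3674) SSL (error): 5 -1: Bad message
Jul 24 07:23:00 lighttpd[31710]: (../src/mod_openssl.c.3674) SSL (error): 5 -1: Bad message
Jul 24 07:24:11 lighttpd[31710]: (constructed-example.c.1) SSL: handshake failure from 203.0.113.7:51822
Jul 24 07:24:12 lighttpd[31710]: (constructed-example.c.1) SSL: handshake failure from [2001:db8::1]:51823
Jul 24 07:24:13 lighttpd[31710]: (constructed-example.c.1) SSL: handshake failure from 203.0.113.7:51824
Jul 24 07:24:14 lighttpd[31710]: (constructed-example.c.2) config reloaded
Jul 24 07:24:15 sshd[4242]: Connection closed by 198.51.100.9
"""

# Syslog-style prefix of the lines quoted in the issue: "Mon DD HH:MM:SS lighttpd[pid]: rest"
_PREFIX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) lighttpd\[(?P<pid>\d+)\]: (?P<rest>.*)$"
)
# "(file.c.line) SSL (error): msg" or "(file.c.line) SSL: msg": the two forms
# the reporter says the awk script matches on in field $2.
_SSL = re.compile(r"^\((?P<src>[^)]*)\) SSL(?: \(error\))?: ?(?P<msg>.*)$")


def extract_peer(text):
    """Return the first IPv4/IPv6 address found in text, or None.

    Candidates are validated with the ipaddress module rather than a loose
    regex, so tokens such as "5", "-1:" or "mod_openssl.c.3674" are never
    mistaken for an address. A trailing ":port" and surrounding [] are tolerated.
    """
    for tok in re.split(r"[\s,;()]+", text):
        for cand in (tok, tok.strip("[]"), tok.rsplit(":", 1)[0].strip("[]")):
            try:
                return str(ipaddress.ip_address(cand))
            except ValueError:
                continue
    return None


def parse_ssl_errors(log_text):
    """Parse lighttpd SSL error lines into records; "peer" is None when no address is logged."""
    records = []
    for line in log_text.splitlines():
        m = _PREFIX.match(line)
        if not m:
            continue  # not a lighttpd line
        s = _SSL.match(m.group("rest"))
        if not s:
            continue  # lighttpd line, but not an SSL error
        records.append({
            "ts": m.group("ts"),
            "pid": int(m.group("pid")),
            "source": s.group("src"),
            "message": s.group("msg"),
            "peer": extract_peer(s.group("msg")),
        })
    return records


def summarize(records):
    """Count how many SSL error lines can be attributed to a peer at all."""
    attributed = sum(1 for r in records if r["peer"] is not None)
    return {"total": len(records), "attributed": attributed,
            "unattributed": len(records) - attributed}


def repeat_offenders(records, threshold):
    """Peers that appear in at least `threshold` SSL error lines.

    Unattributed lines can never contribute, and a single error is not evidence
    either (clients that mishandle CLOSE_NOTIFY, plain network drops), so only
    repeated, attributed errors become candidates for further review.
    """
    counts = Counter(r["peer"] for r in records if r["peer"] is not None)
    return {peer: n for peer, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    recs = parse_ssl_errors(SAMPLE_LOG)
    print(summarize(recs))
    print("candidates for review:", repeat_offenders(recs, threshold=2))
```

The two address-less "Bad message" lines end up in the "unattributed" bucket and never reach `repeat_offenders`; whether the attributed candidates deserve a firewall rule is still a judgement the operator makes after reading what the error means, which is the point the thread arrives at.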
