From b3966377d88b28d731590e02e82dae0b867b711c Mon Sep 17 00:00:00 2001
From: Willy Tarreau
Date: Fri, 25 Apr 2014 18:54:29 +0200
Subject: [PATCH] MINOR: connection: add a new error code for SSL with heartbeat
Users have seen a huge increase in the rate of SSL handshake failures starting from 2014/04/08 with the release of the Heartbleed OpenSSL vulnerability (CVE-2014-0160). Haproxy can detect that a heartbeat was received in the incoming handshake, and such heartbeats are not supposed to be common, so let's log a different message when a handshake error happens after a heartbeat is detected. This patch only adds the new message and the new code.
---
 include/proto/connection.h | 1 +
 include/types/connection.h | 1 +
 2 files changed, 2 insertions(+)
diff --git a/include/proto/connection.h b/include/proto/connection.h
index 8609f1774c..dde9b8c7e5 100644
--- a/include/proto/connection.h
+++ b/include/proto/connection.h
@@ -581,6 +581,7 @@ static inline const char *conn_err_code_str(struct connection *c)
 case CO_ER_SSL_CA_FAIL: return "SSL client CA chain cannot be verified";
 case CO_ER_SSL_CRT_FAIL: return "SSL client certificate not trusted";
 case CO_ER_SSL_HANDSHAKE: return "SSL handshake failure";
+ case CO_ER_SSL_HANDSHAKE_HB: return "SSL handshake failure after heartbeat";
 case CO_ER_SSL_NO_TARGET: return "Attempt to use SSL on an unknown target (internal error)";
 }
 return NULL;
diff --git a/include/types/connection.h b/include/types/connection.h
index 5341a86d62..84248c98ec 100644
--- a/include/types/connection.h
+++ b/include/types/connection.h
@@ -162,6 +162,7 @@ enum {
 CO_ER_SSL_CA_FAIL, /* client cert verification failed in the CA chain */
 CO_ER_SSL_CRT_FAIL, /* client cert verification failed on the certificate */
 CO_ER_SSL_HANDSHAKE, /* SSL error during handshake */
+ CO_ER_SSL_HANDSHAKE_HB, /* SSL error during handshake with heartbeat present */
 CO_ER_SSL_NO_TARGET, /* unkonwn target (not client nor server) */
 };
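Review bot: The new message "SSL handshake failure after heartbeat" in conn_err_code_str will be read by operators as a Heartbleed indicator, but nothing in this hunk (or in the description, which only says heartbeats "are not supposed to be common") establishes that a heartbeat followed by a handshake failure is an exploit attempt rather than a legitimate, if rare, use of the TLS heartbeat extension, so the code path deserves a caveat where the next maintainer will see it. I would add a comment above the new case, e.g. `/* a heartbeat seen during the handshake is unusual but legal; this is a hint for triage, not proof of CVE-2014-0160 exploitation */`. The detection that sets this code is presumably in the SSL transport layer and is not part of this patch, so whether the flag can also be raised by benign clients cannot be confirmed from here. conn_err_code_str's switch begins outside the hunk and the function ends with the existing `return NULL;` for unknown codes, which the new case does not change.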
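Review bot: CO_ER_SSL_HANDSHAKE_HB is inserted into an unnumbered sequential enum ahead of CO_ER_SSL_NO_TARGET, so the numeric value of CO_ER_SSL_NO_TARGET (and of any enumerators that follow it outside the hunk) changes with this commit. If these codes are only ever consumed in-process through conn_err_code_str that is harmless, but if any code path emits the raw value (log formats, stats, or anything persisted or compared across versions) it is a silent renumbering; I cannot tell from this hunk which is the case. Appending the new enumerator after CO_ER_SSL_NO_TARGET would avoid the question entirely, at the cost of not grouping it next to CO_ER_SSL_HANDSHAKE. The enum's opening is visible in the hunk header but its earlier members are outside the hunk.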