
openssl: error SSL routines:OPENSSL


Table of contents
  • Error
  • envoy
  • Possible causes summarized by AWS

Error
[2021-11-15 03:35:51.692][359][debug][connection] [source/extensions/transport_sockets/tls/ssl_socket.cc:225] [C8] TLS error: 268435581:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
[2021-11-15 03:35:51.692][359][debug][connection] [source/common/network/connection_impl.cc:242] [C8] closing socket: 0
[2021-11-15 03:35:51.692][359][debug][connection] [source/extensions/transport_sockets/tls/ssl_socket.cc:225] [C8] TLS error: 268435581:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
[2021-11-15 03:35:51.692][359][debug][client] [source/common/http/codec_client.cc:99] [C8] disconnect. resetting 0 pending requests
[2021-11-15 03:35:51.692][359][debug][pool] [source/common/conn_pool/conn_pool_base.cc:343] [C8] client disconnected, failure reason: TLS error: 268435581:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
[2021-11-15 03:35:51.692][359][debug][router] [source/common/router/router.cc:1026] [C0][S5574975610885113654] upstream reset: reset reason: connection failure, transport failure reason: TLS error: 268435581:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
[2021-11-15 03:35:51.692][359][debug][http] [source/common/http/filter_manager.cc:839] [C0][S5574975610885113654] Sending local reply with details upstream_reset_before_response_started{connection failure,TLS error: 268435581:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED}
[2021-11-15 03:35:51.692][359][debug][http] [source/common/http/conn_manager_impl.cc:1501] [C0][S5574975610885113654] encoding headers via codec (end_stream=false):
envoy

Code (excerpt from ssl_socket.cc at the commit linked below; this is where the "TLS error: ..." string in the log is built):

https://github.com/envoyproxy/envoy/blob/c64497b8d727ef7631565c7674a2233c58bb51ac/source/extensions/transport_sockets/tls/ssl_socket.cc

    if (failure_reason_.empty()) {
      failure_reason_ = "TLS error:";
    }
    failure_reason_.append(absl::StrCat(" ", err, ":",  // concatenate number and the three name strings
                                        absl::NullSafeStringView(ERR_lib_error_string(err)), ":",
                                        absl::NullSafeStringView(ERR_func_error_string(err)), ":",
                                        absl::NullSafeStringView(ERR_reason_error_string(err))));
  }

The three *_error_string functions are OpenSSL's own lookup functions that turn the packed error number into text. The field-extraction macros come from OpenSSL's err.h:

    # define ERR_GET_LIB(l)          (int)(((l) >> 24L) & 0x0FFL)
    # define ERR_GET_FUNC(l)         (int)(((l) >> 12L) & 0xFFFL)
    # define ERR_GET_REASON(l)       (int)( (l)         & 0xFFFL)

and ERR_lib_error_string (err.c) masks out the library id, re-packs it with func and reason set to 0, and looks that key up in the string table:

    const char *ERR_lib_error_string(unsigned long e)
    {
        ERR_STRING_DATA d, *p;
        unsigned long l;

        if (!RUN_ONCE(&err_string_init, do_err_strings_init)) {
            return NULL;
        }

        l = ERR_GET_LIB(e);
        d.error = ERR_PACK(l, 0, 0);
        p = int_err_get_item(&d);
        return ((p == NULL) ? NULL : p->string);
    }

So the error number has to be split into three fields: the top 8 bits (bits 24-31, masked with 0xFF) are the library id, the middle 12 bits (bits 12-23) the function id, and the low 12 bits (bits 0-11) the reason id.
They stand for LIB, Func and reason respectively. 268435581 is 0x1000007D, so here the library id is 0x10 = 16, the function id is 0 and the reason id is 0x7D = 125.

SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
This means the error was raised by the SSL routines, i.e. something went wrong in the TLS handshake itself rather than in a lower-level crypto primitive.
Function: OPENSSL_internal. Envoy links BoringSSL, which never records a function id; its ERR_func_error_string always returns this fixed placeholder, so the middle field carries no information.
Reason: CERTIFICATE_VERIFY_FAILED, i.e. the peer certificate could not be validated against the configured trust roots.

Beyond that the log line contains no further useful information about why validation failed.
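As an added worked example (my own POSIX sh script, not code from Envoy or OpenSSL), the bit-slicing above done in the shell, so a number from a log line can be decoded without a debugger or a C toolchain. The numeric ids it names (ERR_LIB_SSL = 16, SSL_R_CERTIFICATE_VERIFY_FAILED = 125) are taken from BoringSSL's headers, which is what Envoy links; the log scanner assumes the Envoy debug-log format shown above.

```shell
#!/bin/sh
# Added example, not Envoy or OpenSSL code: splits a packed BoringSSL/OpenSSL
# error number with the same shifts and masks as the ERR_GET_* macros quoted
# above (8-bit library id in bits 24-31, 12-bit function id in bits 12-23,
# 12-bit reason id in bits 0-11). Input may be decimal (268435581) or hex
# (0x1000007D); shell arithmetic accepts both.

err_lib()    { echo $(( ($1 >> 24) & 0xFF )); }
err_func()   { echo $(( ($1 >> 12) & 0xFFF )); }
err_reason() { echo $(( $1 & 0xFFF )); }

# Name tables for the ids seen in the Envoy log above. Envoy links BoringSSL,
# whose numbering differs from OpenSSL's: ERR_LIB_SSL is 16 in BoringSSL but
# 20 in OpenSSL, and SSL_R_CERTIFICATE_VERIFY_FAILED is 125 in BoringSSL but
# 134 in OpenSSL. Do not feed a BoringSSL code to "openssl errstr": under
# OpenSSL's tables library 16 is the elliptic-curve code, not SSL.
boringssl_lib_name() {
  case "$1" in
    16) echo "SSL routines" ;;
    *)  echo "library $1" ;;
  esac
}

boringssl_reason_name() {  # args: lib reason
  case "$1:$2" in
    16:125) echo "CERTIFICATE_VERIFY_FAILED" ;;
    *)      echo "reason $2" ;;
  esac
}

# Rebuild the "err:lib:func:reason" string Envoy puts in failure_reason_.
# BoringSSL never records a function id, so the function field is always the
# placeholder "OPENSSL_internal", exactly as in the log.
err_describe() {
  lib=$(err_lib "$1")
  reason=$(err_reason "$1")
  echo "$1:$(boringssl_lib_name "$lib"):OPENSSL_internal:$(boringssl_reason_name "$lib" "$reason")"
}

# True when the number is the SSL library's certificate-verify failure: the
# same comparison against ERR_LIB_SSL and SSL_R_CERTIFICATE_VERIFY_FAILED one
# would write in C. Useful as a filter when many different TLS errors appear.
is_cert_verify_failed() {
  [ "$(err_lib "$1")" -eq 16 ] && [ "$(err_reason "$1")" -eq 125 ]
}

# Pull every distinct "TLS error: <number>:" out of an Envoy log and decode it.
decode_log() {  # arg: path to an Envoy debug log
  sed -n 's/.*TLS error: \([0-9][0-9]*\):.*/\1/p' "$1" | sort -u | while read -r n; do
    err_describe "$n"
  done
}

# Stand-alone use: decode the numbers given on the command line.
if [ "$#" -ge 1 ]; then
  for n in "$@"; do err_describe "$n"; done
fi
```

Running it as `sh decode_tls_err.sh 268435581` (the file name is mine) prints the same `SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED` text Envoy logged, which confirms that the number and the text are one and the same fact and that nothing more can be squeezed out of the code itself.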

Possible causes summarized by AWS

https://docs.aws.amazon.com/app-mesh/latest/userguide/troubleshooting-security.html

The App Mesh troubleshooting page lists three reasons a client-side CERTIFICATE_VERIFY_FAILED usually comes down to:

  • The certificate was not signed by one of the certificate authorities defined in the TLS client policy trust bundle.
  • The certificate is no longer valid (expired).
  • The Subject Alternative Name (SAN) does not match the requested DNS hostname.

Make sure that the certificate offered by the backend service is valid, that it is signed by one of the certificate authorities in your TLS client policies trust bundle, and that it meets the criteria defined in Transport Layer Security (TLS).
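The three causes map onto three openssl commands. The script below is an added example (mine, not AWS or Envoy tooling) that checks them offline. It assumes two PEM files, the trust bundle from the TLS client policy and the leaf certificate the backend presents (captured with the fetch_leaf helper or copied from the backend's configuration), plus the hostname the client dials; the file names and the hostname backend.example.internal are placeholders.

```shell
#!/bin/sh
# Added example, not AWS or Envoy code: checks a backend's leaf certificate
# against the three causes listed above, one openssl command per cause.

# Capture the certificate a live backend presents. -servername sends SNI so
# the server selects the same certificate Envoy would be shown.
# Usage: fetch_leaf backend.example.internal 8443 > leaf.pem
fetch_leaf() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM
}

# Cause 1: is the certificate signed by a CA in the trust bundle?
# -no-CAfile/-no-CApath keep the default system store out of the lookup so
# only the bundle counts, as in an App Mesh client policy. Note that openssl
# verify also fails on an expired certificate; check_not_expired isolates that.
check_chain() {  # args: bundle.pem leaf.pem
  openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# Cause 2: has notAfter already passed? -checkend 0 exits non-zero once the
# certificate is expired (i.e. expires within 0 seconds).
check_not_expired() {  # args: leaf.pem
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Cause 3: does a DNS SAN equal the hostname the client requests? This is a
# literal comparison; for wildcard SANs use "openssl verify -verify_hostname".
check_san() {  # args: leaf.pem hostname
  openssl x509 -in "$1" -noout -text \
    | sed -n '/Subject Alternative Name/{n;p;}' \
    | tr ',' '\n' \
    | grep '^ *DNS:' \
    | sed 's/^ *DNS://' \
    | grep -qx "$2"
}

# Run all three checks, one verdict per line; non-zero exit if any failed, so
# the script can gate a rollout before the proxy ever logs the error.
diagnose() {  # args: bundle.pem leaf.pem hostname
  rc=0
  if check_chain "$1" "$2"; then echo "chain:  ok"; else echo "chain:  not signed by a CA in $1"; rc=1; fi
  if check_not_expired "$2"; then echo "expiry: ok"; else echo "expiry: certificate has expired"; rc=1; fi
  if check_san "$2" "$3"; then echo "san:    ok"; else echo "san:    no DNS SAN equals $3"; rc=1; fi
  return $rc
}

if [ "$#" -eq 3 ]; then
  diagnose "$@"
fi
```

Invoke it as `sh check_backend_tls.sh bundle.pem leaf.pem backend.example.internal` (the script name is mine). The line that reports a failure tells you which of the three AWS causes you are looking at, which the Envoy log alone never does.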

Please credit the source when reposting: this article was reposted from www.mshxw.com
Original URL: https://www.mshxw.com/it/513622.html