Comments (4)
Yes, that would solve my problem. And I suspect you could be right that OpenSSL may not be available. At least, I've seen code in Puma that explicitly tries to deal with a Ruby that wasn't linked against OpenSSL. Perhaps it should be something like:
rescue Exception => ex
  if defined?(OpenSSL::SSL::SSLError) && ex.is_a?(OpenSSL::SSL::SSLError)
    @logger.debug(ex)
  else
    @logger.error(ex)
  end
Disclaimer: this is the first code I write on a Monday morning so don't expect it to literally work but I'm sure you get the idea.
from webrick.
In the HTTPS server scenario, server.rb has two different rescues depending on exception types during OpenSSL::SSL::SSLSocket#accept:
- ignore silently: Errno::ECONNRESET, Errno::ECONNABORTED, Errno::EPROTO, Errno::EINVAL
- ERROR level log: Exception
The possible options for your suggestion may be:
- Option 1. provide a special way to handle SSLError
- Option 2. silently ignore SSLError, the same as Errno::ECONNRESET, etc.
- Option 3. log as an error (current behavior)
Option 1 seems hard to accept because WEBrick does not provide an error-specific handling convention at the socket layer. In my opinion, it's common to send unintended incorrect packets or requests to a server under development. Because I want webrick to report these errors as logs, I like the current behavior, option 3.
By the way, as the code you referred to looks like a slightly old version, I reproduced the situation with webrick-1.7.0, the current latest version of the gem, as follows.
% openssl req -new -newkey rsa:2048 -sha1 -days 365 -nodes -x509 -keyout localhost.key -out localhost.crt
% ruby -r webrick/https -e 's = WEBrick::HTTPServer.new(Port: 8443, SSLEnable: true, SSLVerifyClient: OpenSSL::SSL::VERIFY_NONE, SSLPrivateKey: OpenSSL::PKey::RSA.new(File.open("localhost.key").read), SSLCertificate: OpenSSL::X509::Certificate.new(File.open("localhost.crt").read), SSLCertName: [["CN", "localhost"]]); trap("INT"){s.shutdown}; s.start'
and open a connection with the nc command and kill it with Ctrl+C from another terminal
% nc localhost 8443
^C
then I got the same error on the first terminal
[2021-08-23 00:27:34] ERROR OpenSSL::SSL::SSLError: SSL_accept SYSCALL returned=5 errno=0 state=before SSL initialization
/home/gotoken/.rbenv/versions/3.0.2/lib/ruby/gems/3.0.0/gems/webrick-1.7.0/lib/webrick/server.rb:302:in `accept'
/home/gotoken/.rbenv/versions/3.0.2/lib/ruby/gems/3.0.0/gems/webrick-1.7.0/lib/webrick/server.rb:302:in `block (2 levels) in start_thread'
/home/gotoken/.rbenv/versions/3.0.2/lib/ruby/gems/3.0.0/gems/webrick-1.7.0/lib/webrick/utils.rb:258:in `timeout'
/home/gotoken/.rbenv/versions/3.0.2/lib/ruby/gems/3.0.0/gems/webrick-1.7.0/lib/webrick/server.rb:300:in `block in start_thread'
The error is raised at line 302 and rescued at line 316 of
https://github.com/ruby/webrick/blob/v1.7.0/lib/webrick/server.rb#L288-L329
from webrick.
But does it need to be at the error level? Looking at https://en.wikipedia.org/wiki/Syslog#Severity_level I wonder if we can't downgrade it to a lower level. My problem is mostly that this service is used in production and these are conditions that fill the logs. However, there's little an admin can do about this. Ignoring errors in logs is a bad practice, but right now there's little other choice.
from webrick.
> However, there's little an admin can do about this
Indeed. What do you think of debug level log?
--- a/lib/webrick/server.rb
+++ b/lib/webrick/server.rb
@@ -313,6 +313,8 @@ module WEBrick
rescue ServerError => ex
msg = "#{ex.class}: #{ex.message}\n\t#{ex.backtrace[0]}"
@logger.error msg
+ rescue OpenSSL::SSL::SSLError => ex
+ @logger.debug ex
rescue Exception => ex
@logger.error ex
ensure
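Review bot: The added `rescue OpenSSL::SSL::SSLError => ex` clause names a constant that exists only once openssl has been loaded. Ruby evaluates a rescue clause's class when an exception reaches that clause, so on a server started without SSL any exception that is not a ServerError would raise NameError at this line and never reach `rescue Exception`, losing the `@logger.error ex` entry. Suggest keeping the single `rescue Exception => ex` and branching inside it on `defined?(OpenSSL::SSL::SSLError) && ex.is_a?(OpenSSL::SSL::SSLError)`. Separately, `@logger.debug ex` drops every handshake failure from logs kept at any level above debug; a one-line message without the full backtrace, as the ServerError clause just above builds, would cut the noise while keeping the event visible.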
It is not immediately clear to me whether OpenSSL::SSL is legal here. OpenSSL might not be defined in non-SSL cases.
from webrick.
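The concern raised in the last comment, as an added example that is not part of the thread or of WEBrick: Ruby evaluates a rescue clause's class only when an exception reaches it, so an unloaded constant stays hidden until the first failure. `MissingTLS::Error` is a constructed stand-in for `OpenSSL::SSL::SSLError` in a process that never loaded openssl, and the method names are hypothetical.

```ruby
# Added example, not WEBrick code. Method names are hypothetical.

# Errno classes the thread lists as silently ignored during accept.
SILENT_ERRNOS = [Errno::ECONNRESET, Errno::ECONNABORTED,
                 Errno::EPROTO, Errno::EINVAL].freeze

# Shaped like the proposed patch: a dedicated rescue clause naming a constant
# that may not be loaded. MissingTLS::Error is a constructed stand-in for
# OpenSSL::SSL::SSLError in a process that never required openssl.
def unguarded_level
  yield
  :none
rescue MissingTLS::Error
  :debug
rescue Exception
  :error
end

# Shaped like the first comment's suggestion: one rescue, with the constant
# checked by defined? before it is referenced.
def guarded_level
  yield
  :none
rescue *SILENT_ERRNOS
  :ignore
rescue Exception => ex
  if defined?(OpenSSL::SSL::SSLError) && ex.is_a?(OpenSSL::SSL::SSLError)
    :debug
  else
    :error
  end
end

# Class of the exception that escapes the unguarded variant when the body
# raises an unrelated error: the NameError from the rescue clause itself
# replaces the original IOError, and the later `rescue Exception` never runs.
def escaped_class
  unguarded_level { raise IOError, "constructed failure" }
rescue Exception => ex
  ex.class
end
```

While no exception is raised, `unguarded_level` behaves normally, which is why a clause like this can pass testing on an SSL-enabled server and fail only on a plain HTTP one.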