1. 客户端报SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN错误时，不作为maybe pinning; 2. ssl policy中增加protocol_errors的bypass开关。

common/include/ssl_stream.h

@@ -16,6 +16,7 @@ enum SSL_STREAM_OPT
 	SSL_STREAM_OPT_IS_CT_CERT,				//0:FALSE, 1:TRUE.
 	SSL_STREAM_OPT_IS_MUTUAL_AUTH,			//0:FALSE, 1:TRUE.
 	SSL_STREAM_OPT_PINNING_STATUS,			//0:FALSE, 1:TRUE.
+	SSL_STREAM_OPT_HAS_PROTOCOL_ERRORS,	//0:FALSE, 1:TRUE.
 	SSL_STREAM_OPT_NO_VERIFY_SELF_SIGNED,	//VALUE is an interger, SIZE=sizeof(int). 1:ON, 0:OFF. DEFAULT:0.
 	SSL_STREAM_OPT_NO_VERIFY_COMMON_NAME,	//VALUE is an interger, SIZE=sizeof(int). 1:ON, 0:OFF. DEFAULT:1.
 	SSL_STREAM_OPT_NO_VERIFY_ISSUER,		//VALUE is an interger, SIZE=sizeof(int). 1:ON, 0:OFF. DEFAULT:0.

platform/include/internal/ssl_service_cache.h

@@ -13,6 +13,7 @@ struct ssl_service_status
 	char is_ev;
 	char is_ct;
 	char is_mutual_auth;
+	char has_protocol_errors;
 };
 
 struct ssl_service_cache;
@@ -25,6 +26,7 @@ struct ssl_service_cache_statistics
 {
 	long long pinning_cli_cnt;
 	long long mutual_auth_cli_cnt;
+	long long proto_err_cli_cnt;
 	long long ev_srv_cnt;
 	long long ct_srv_cnt;
 };

platform/src/ssl_service_cache.cpp

@@ -5,11 +5,13 @@
 #include <string.h>
 
 #define	FAIL_AS_PINNING_COUNT	4
-#define	FAIL_AS_PINNING_TIME	30
+#define	FAIL_TIME_WINDOW		30
+#define	FAIL_AS_PROTO_ERR_COUNT	5
 struct ssl_svc_client_st
 {
 	time_t last_update_time;
-	unsigned int fail_count;
+	unsigned int suspect_pinning_count;	
+	unsigned int protocol_error_count;
 	char is_mutual_auth;
 	struct ssl_service_cache* ref_svc_cache;
 };
@@ -40,7 +42,7 @@ static void ssl_svc_free_client_st(void * data)
 	{
 		svc_cache->stat.mutual_auth_cli_cnt--;
 	}
-	if(p->fail_count>=FAIL_AS_PINNING_COUNT)
+	if(p->suspect_pinning_count>=FAIL_AS_PINNING_COUNT)
 	{
 		svc_cache->stat.pinning_cli_cnt--;
 	}
@@ -80,11 +82,11 @@ static long cli_st_read_cb(void * data, const uchar * key, uint size, void * use
 	{
 		return 0;
 	}
-	if(cli_st->fail_count==0)
+	if(cli_st->suspect_pinning_count==0)
 	{		
 		result->pinning_status=PINNING_ST_NOT_PINNING;
 	}
-	else if(cli_st->fail_count<FAIL_AS_PINNING_COUNT)
+	else if(cli_st->suspect_pinning_count<FAIL_AS_PINNING_COUNT)
 	{
 		result->pinning_status=PINNING_ST_MAYBE_PINNING;
 	}
@@ -92,6 +94,10 @@ static long cli_st_read_cb(void * data, const uchar * key, uint size, void * use
 	{
 		result->pinning_status=PINNING_ST_PINNING;
 	}
+	if(cli_st->protocol_error_count>=FAIL_AS_PROTO_ERR_COUNT)
+	{
+		result->has_protocol_errors=1;
+	}
 	result->is_mutual_auth=cli_st->is_mutual_auth;
 	return 1;
 }
@@ -110,37 +116,44 @@ static long cli_st_write_cb(void * data, const uchar * key, uint size, void * us
 		ret = MESA_htable_add(cache->cli_st_hash, key, size, cli_st);
 		assert(ret >= 0);
 	}
-	if(cli_st->fail_count<FAIL_AS_PINNING_COUNT && cli_st->last_update_time-now>FAIL_AS_PINNING_TIME)
+	if(cli_st->last_update_time-now>FAIL_TIME_WINDOW)
 	{
-		cli_st->fail_count=0;
+		if(cli_st->suspect_pinning_count<FAIL_AS_PINNING_COUNT)		cli_st->suspect_pinning_count=0;
+		if(cli_st->protocol_error_count<FAIL_AS_PROTO_ERR_COUNT)	cli_st->protocol_error_count=0;
 	}
-	if(status->pinning_status!=PINNING_ST_NOT_PINNING && cli_st->fail_count<FAIL_AS_PINNING_COUNT)
+	if(status->pinning_status!=PINNING_ST_NOT_PINNING && cli_st->suspect_pinning_count<FAIL_AS_PINNING_COUNT)
 	{
 		if(status->pinning_status==PINNING_ST_PINNING)
 		{
-			cli_st->fail_count=FAIL_AS_PINNING_COUNT;
+			cli_st->suspect_pinning_count=FAIL_AS_PINNING_COUNT;
 		}
 		else
 		{
-			cli_st->fail_count++;
+			cli_st->suspect_pinning_count++;
 		}
-		cli_st->last_update_time=now;
+		if(cli_st->suspect_pinning_count==FAIL_AS_PINNING_COUNT)
-		if(cli_st->fail_count==FAIL_AS_PINNING_COUNT)
 		{
 			cache->stat.pinning_cli_cnt++;
 		}
 	}
 	else if(status->pinning_status==PINNING_ST_PINNING)
 	{
-		cli_st->fail_count=FAIL_AS_PINNING_COUNT;
+		cli_st->suspect_pinning_count=FAIL_AS_PINNING_COUNT;
-		cli_st->last_update_time=now;
+	}
+	if(status->has_protocol_errors)
+	{
+		cli_st->protocol_error_count++;
+		if(cli_st->protocol_error_count==FAIL_AS_PROTO_ERR_COUNT)
+		{
+			cache->stat.proto_err_cli_cnt++;
+		}
 	}
-
 	if(status->is_mutual_auth==1&&cli_st->is_mutual_auth==0)
 	{
 		cache->stat.mutual_auth_cli_cnt++;	
 		cli_st->is_mutual_auth=1;
 	}
+	cli_st->last_update_time=now;	
 	return 1;
 }
 
@@ -224,7 +237,7 @@ void ssl_service_cache_write(struct ssl_service_cache* svc_cache, const struct s
 		return;
 	}
 	struct ssl_service_write_args write_args={svc_cache, status};
-	if(status->is_mutual_auth||status->pinning_status!=PINNING_ST_NOT_PINNING)
+	if(status->is_mutual_auth||status->pinning_status!=PINNING_ST_NOT_PINNING||status->has_protocol_errors)
 	{
 		cli_st_key_sz=ssl_svc_client_st_mk_key(chello, cli_st_key, sizeof(cli_st_key));
 		MESA_htable_search_cb(svc_cache->cli_st_hash, (unsigned char*)cli_st_key, (unsigned int) cli_st_key_sz, cli_st_write_cb, &write_args, &cli_st_cb_ret);	

platform/src/ssl_stream.cpp

@@ -1000,10 +1000,10 @@ unsigned long ssl_stream_log_error(struct bufferevent * bev, enum tfe_conn_dir d
 		default:
 			fs_id=-1;
 	}
-	ret_sslerr=ERR_GET_REASON(sslerr);
 	if(fs_id>=0)
 	{
 		mgr->stat_val[fs_id]++;
+		ret_sslerr=ERR_GET_REASON(sslerr);
 	}
 	if (!errno && !sslerr)
 	{
@@ -1100,10 +1100,16 @@ static void ssl_server_connected_eventcb(struct bufferevent * bev, short events,
 	const char* sni=s_upstream->client_hello->sni?s_upstream->client_hello->sni:"null";
 	long jiffies_ms;
 	char* addr_string=NULL;	
+	unsigned long sslerr=0;
 	if (events & BEV_EVENT_ERROR)
 	{
 		ATOMIC_INC(&(ctx->mgr->stat_val[SSL_UP_ERR]));
-		ssl_stream_log_error(bev, CONN_DIR_UPSTREAM, ctx->mgr);
+		sslerr=ssl_stream_log_error(bev, CONN_DIR_UPSTREAM, ctx->mgr);
+		if(sslerr)
+		{
+			s_stream->up_parts.svc_status.has_protocol_errors=1;			
+			ssl_service_cache_write(mgr->svc_cache, s_stream->up_parts.client_hello, &(s_stream->up_parts.svc_status));
+		}
 		snprintf(error_str, sizeof(error_str), "connect to original server failed : sni=%s", sni);
 		promise_failed(p, FUTURE_ERROR_EXCEPTION, error_str);
 	}
@@ -1229,10 +1235,11 @@ static void peek_chello_on_succ(future_result_t * result, void * user)
 	ret=ssl_service_cache_read(ctx->mgr->svc_cache, chello, svc_status);
 	if(ret==1)
 	{
-		TFE_LOG_DEBUG(ctx->mgr->logger, "SNI: %s service status pinning:%d, mauth:%d, ct:%d, ev:%d",
+		TFE_LOG_DEBUG(ctx->mgr->logger, "SNI: %s service status pinning:%d, mauth:%d, err:%d, ct:%d, ev:%d",
 									chello->sni,
 									svc_status->pinning_status,
 									svc_status->is_mutual_auth,
+									svc_status->has_protocol_errors,
 									svc_status->is_ct,
 									svc_status->is_ev);
 	}
@@ -1672,19 +1679,29 @@ static void ssl_client_connected_eventcb(struct bufferevent * bev, short events,
 	{
 		ATOMIC_INC(&(mgr->stat_val[SSL_DOWN_ERR]));
 		sslerr=ssl_stream_log_error(bev, CONN_DIR_DOWNSTREAM, mgr);
-		if(sslerr==SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN)
+		if(sslerr==SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN && 
+			s_upstream->is_server_cert_verify_passed && 
+			s_upstream->verify_result.is_hostmatched)
 		{
 			s_upstream->svc_status.pinning_status=PINNING_ST_PINNING;
 			ssl_service_cache_write(mgr->svc_cache, s_upstream->client_hello, &s_upstream->svc_status);
 		}
+		else if(sslerr>0 && sslerr!=SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN)
+		{
+			s_upstream->svc_status.has_protocol_errors=1;
+			ssl_service_cache_write(mgr->svc_cache, s_upstream->client_hello, &s_upstream->svc_status);
+		}
 		snprintf(error_str, sizeof(error_str), "connect to client failed : sni=%s", sni);
 		promise_failed(p, FUTURE_ERROR_EXCEPTION, error_str);
 	}
 	else if(events & BEV_EVENT_EOF)
 	{		
 		ATOMIC_INC(&(mgr->stat_val[SSL_DOWN_ERR]));	
-		s_stream->peer->up_parts.svc_status.pinning_status=PINNING_ST_MAYBE_PINNING;
+		if(!s_upstream->verify_result.is_hostmatched || !s_upstream->is_server_cert_verify_passed )
-		ssl_service_cache_write(mgr->svc_cache, s_stream->peer->up_parts.client_hello, &(s_stream->peer->up_parts.svc_status));
+		{
+			s_upstream->svc_status.pinning_status=PINNING_ST_MAYBE_PINNING;
+			ssl_service_cache_write(mgr->svc_cache, s_stream->peer->up_parts.client_hello, &(s_stream->peer->up_parts.svc_status));
+		}
 		snprintf(error_str, sizeof(error_str), "client side closed : sni=%s", sni);
 		promise_failed(p, FUTURE_ERROR_EXCEPTION, error_str);
 	}
@@ -2010,6 +2027,10 @@ int ssl_stream_get_integer_opt(struct ssl_stream *upstream, enum SSL_STREAM_OPT
 		case	SSL_STREAM_OPT_PINNING_STATUS:
 			*opt_val=svc->pinning_status;
 			break;
+		case	SSL_STREAM_OPT_HAS_PROTOCOL_ERRORS:
+			*opt_val=svc->has_protocol_errors;
+			break;
+
 		default:
 			return 0;
 	}

plugin/business/ssl-policy/src/ssl_policy.cpp

@@ -21,6 +21,7 @@ struct intercept_param
 	int bypass_ct_cert;
 	int bypass_mutual_auth;
 	int bypass_pinning;
+	int bypass_protocol_errors;
 	int no_verify_cn;
 	int no_verify_issuer;
 	int no_verify_self_signed;
@@ -84,6 +85,9 @@ void intercept_param_new_cb(int table_id, const char* key, const char* table_lin
 		if(item && item->type==cJSON_Number) param->bypass_mutual_auth=item->valueint;
 		item=cJSON_GetObjectItem(exclusions, "pinning");
 		if(item && item->type==cJSON_Number) param->bypass_pinning=item->valueint;
+		item=cJSON_GetObjectItem(exclusions, "protocol_errors");
+		if(item && item->type==cJSON_Number) param->bypass_protocol_errors=item->valueint;
+
 	}
 	cert_verify=cJSON_GetObjectItem(json, "cert_verify");
 	if(cert_verify)
@@ -178,7 +182,7 @@ enum ssl_stream_action ssl_policy_enforce(struct ssl_stream *upstream, void* u_p
 		TFE_LOG_INFO(enforcer->logger, "Failed to get intercept parameter of policy %d.", param->policy_id);
 		return SSL_ACTION_PASSTHROUGH;
 	}
-	int pinning_staus=0, is_ev=0, is_ct=0, is_mauth=0;
+	int pinning_staus=0, is_ev=0, is_ct=0, is_mauth=0, has_error=0;
  	if(!param->mirror_client_version)
 	{
 		ret=ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_PROTOCOL_MIN_VERSION, SSL3_VERSION);
@@ -200,11 +204,13 @@ enum ssl_stream_action ssl_policy_enforce(struct ssl_stream *upstream, void* u_p
 	assert(ret==1);
 	ret=ssl_stream_get_integer_opt(upstream, SSL_STREAM_OPT_IS_MUTUAL_AUTH, &is_mauth);
 	ret=ssl_stream_get_integer_opt(upstream, SSL_STREAM_OPT_IS_CT_CERT, &is_ct);
+	ret=ssl_stream_get_integer_opt(upstream, SSL_STREAM_OPT_HAS_PROTOCOL_ERRORS, &has_error);
 	assert(ret=1);
 	if( (pinning_staus==1 && param->bypass_pinning) ||
 		(is_mauth && param->bypass_mutual_auth) ||
 		(is_ev && param->bypass_ev_cert) ||
-		(is_ct && param->bypass_ct_cert) )
+		(is_ct && param->bypass_ct_cert) ||
+		(has_error && param->bypass_protocol_errors))
 	{
 		action=SSL_ACTION_PASSTHROUGH;
 	}