Commit 22322f28 authored by mlamb's avatar mlamb

Add ssl_cry() function to display error message plus any detailed error...

Add ssl_cry() function to display error message plus any detailed error messages that OpenSSL might care to provide.
This can help to debug SSL communication issues.

Example output with a couple of problematic SSL client sessions (new log messages start with "-->" to indicate that they are providing additional detail to a previous log message):

Mongoose "2.9, $Rev: 517 $" started on port(s) "80,443s", serving directory "."
[1274991792] [error] [client 10.50.50.50] worker_thread: SSL handshake error
[1274991792] [error] [client 10.50.50.50]   --> error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
[1274991882] [error] [client 10.50.50.50] worker_thread: SSL handshake error
[1274991882] [error] [client 10.50.50.50]   --> error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
parent ddde5d9d
......@@ -269,6 +269,9 @@ struct ssl_func {
#define SSL_CTX_set_default_passwd_cb(x,y) \
(* (void (*)(SSL_CTX *, mg_callback_t)) ssl_sw[13].ptr)((x),(y))
#define SSL_CTX_free(x) (* (void (*)(SSL_CTX *)) ssl_sw[14].ptr)(x)
#define ERR_get_error() (* (unsigned long (*)(void)) ssl_sw[15].ptr)()
#define ERR_error_string(x, y) (* (char * (*)(unsigned long, char *)) ssl_sw[16].ptr)((x), (y))
#define SSL_load_error_strings() (* (void (*)(void)) ssl_sw[17].ptr)()
#define CRYPTO_num_locks() (* (int (*)(void)) crypto_sw[0].ptr)()
#define CRYPTO_set_locking_callback(x) \
......@@ -299,6 +302,9 @@ static struct ssl_func ssl_sw[] = {
{"SSL_CTX_use_certificate_file",NULL},
{"SSL_CTX_set_default_passwd_cb",NULL},
{"SSL_CTX_free", NULL},
{"ERR_get_error", NULL},
{"ERR_error_string", NULL},
{"SSL_load_error_strings", NULL},
{NULL, NULL}
};
......@@ -471,12 +477,32 @@ cry(struct mg_connection *conn, const char *fmt, ...)
(void) fprintf(fp, "%s", buf);
fputc('\n', fp);
funlockfile(fp);
(void) fclose(fp);
// (void) fclose(fp);
}
}
conn->request_info.log_message = NULL;
}
/*
* Print OpenSSL error messages, if any, to the error log.
*/
static void ssl_cry(struct mg_connection *conn, const char *fmt, ...) {
char buf[BUFSIZ];
va_list ap;
/* first just log the mongoose-level error message passed in via fmt, etc. */
va_start(ap, fmt);
(void) vsnprintf(buf, sizeof(buf), fmt, ap);
va_end(ap);
cry(conn, buf);
/* then loop through any unlogged OpenSSL errors */
unsigned long err;
while ((err = ERR_get_error()) != 0) {
cry(conn, " OpenSSL: %s", ERR_error_string(err, NULL));
}
}
/*
* Return fake connection structure. Used for logging, if connection
* is not applicable at the moment of logging.
......@@ -3874,20 +3900,21 @@ set_ssl_option(struct mg_context *ctx, const char *pem)
/* Initialize SSL crap */
SSL_library_init();
SSL_load_error_strings();
if ((CTX = SSL_CTX_new(SSLv23_server_method())) == NULL)
cry(fc(ctx), "SSL_CTX_new error");
ssl_cry(fc(ctx), "SSL_CTX_new error");
else if (ctx->callbacks[MG_EVENT_SSL_PASSWORD] != NULL)
SSL_CTX_set_default_passwd_cb(CTX,
ctx->callbacks[MG_EVENT_SSL_PASSWORD]);
if (CTX != NULL && SSL_CTX_use_certificate_file(
CTX, pem, SSL_FILETYPE_PEM) == 0) {
cry(fc(ctx), "%s: cannot open %s", __func__, pem);
ssl_cry(fc(ctx), "%s: cannot open %s", __func__, pem);
return (MG_ERROR);
} else if (CTX != NULL && SSL_CTX_use_PrivateKey_file(
CTX, pem, SSL_FILETYPE_PEM) == 0) {
cry(fc(ctx), "%s: cannot open %s", NULL, pem);
ssl_cry(fc(ctx), "%s: cannot open %s", NULL, pem);
return (MG_ERROR);
}
......@@ -3897,7 +3924,7 @@ set_ssl_option(struct mg_context *ctx, const char *pem)
*/
size = sizeof(pthread_mutex_t) * CRYPTO_num_locks();
if ((ssl_mutexes = (pthread_mutex_t *) malloc(size)) == NULL) {
cry(fc(ctx), "%s: cannot allocate mutexes", __func__);
ssl_cry(fc(ctx), "%s: cannot allocate mutexes", __func__);
return (MG_ERROR);
}
......@@ -4363,12 +4390,12 @@ worker_thread(struct mg_context *ctx)
if (conn.client.is_ssl &&
(conn.ssl = SSL_new(conn.ctx->ssl_ctx)) == NULL) {
cry(&conn, "%s: SSL_new: %d", __func__, ERRNO);
ssl_cry(&conn, "%s: SSL_new: %d", __func__, ERRNO);
} else if (conn.client.is_ssl &&
SSL_set_fd(conn.ssl, conn.client.sock) != 1) {
cry(&conn, "%s: SSL_set_fd: %d", __func__, ERRNO);
ssl_cry(&conn, "%s: SSL_set_fd: %d", __func__, ERRNO);
} else if (conn.client.is_ssl && SSL_accept(conn.ssl) != 1) {
cry(&conn, "%s: SSL handshake error", __func__);
ssl_cry(&conn, "%s: SSL handshake error", __func__);
} else {
process_new_connection(&conn);
}
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment