Added additional SSL logging abotu connection information as well as client and server cipher availability #4793
This commit is contained in:
parent
5696497bc0
commit
16a2815504
|
@ -42,6 +42,10 @@ enum {
|
||||||
kMaxRetryCount = 100000
|
kMaxRetryCount = 100000
|
||||||
};
|
};
|
||||||
|
|
||||||
|
enum {
|
||||||
|
kMsgSize = 128
|
||||||
|
};
|
||||||
|
|
||||||
static const char kFingerprintDirName[] = "SSL/Fingerprints";
|
static const char kFingerprintDirName[] = "SSL/Fingerprints";
|
||||||
//static const char kFingerprintLocalFilename[] = "Local.txt";
|
//static const char kFingerprintLocalFilename[] = "Local.txt";
|
||||||
static const char kFingerprintTrustedServersFilename[] = "TrustedServers.txt";
|
static const char kFingerprintTrustedServersFilename[] = "TrustedServers.txt";
|
||||||
|
@ -240,11 +244,9 @@ SecureSocket::initContext(bool server)
|
||||||
// load all error messages
|
// load all error messages
|
||||||
SSL_load_error_strings();
|
SSL_load_error_strings();
|
||||||
|
|
||||||
LOG((CLOG_INFO "%s",SSLeay_version (SSLEAY_VERSION)));
|
if (CLOG->getFilter() >= kINFO) {
|
||||||
LOG((CLOG_DEBUG2 "OpenSSL : %s",SSLeay_version (SSLEAY_CFLAGS)));
|
showSecureLibInfo();
|
||||||
LOG((CLOG_DEBUG2 "OpenSSL : %s",SSLeay_version (SSLEAY_BUILT_ON)));
|
}
|
||||||
LOG((CLOG_DEBUG2 "OpenSSL : %s",SSLeay_version (SSLEAY_PLATFORM)));
|
|
||||||
LOG((CLOG_DEBUG2 "%s",SSLeay_version (SSLEAY_DIR)));
|
|
||||||
|
|
||||||
// SSLv23_method uses TLSv1, with the ability to fall back to SSLv3
|
// SSLv23_method uses TLSv1, with the ability to fall back to SSLv3
|
||||||
if (server) {
|
if (server) {
|
||||||
|
@ -304,14 +306,8 @@ SecureSocket::secureAccept(int socket)
|
||||||
if (retry == 0) {
|
if (retry == 0) {
|
||||||
m_secureReady = true;
|
m_secureReady = true;
|
||||||
LOG((CLOG_INFO "accepted secure socket"));
|
LOG((CLOG_INFO "accepted secure socket"));
|
||||||
const SSL_CIPHER* cipher = SSL_get_current_cipher(m_ssl->m_ssl);
|
showSecureCipherInfo();
|
||||||
if(cipher != NULL) {
|
showSecureConnectInfo();
|
||||||
char * cipherVersion = SSL_CIPHER_description(cipher, NULL, 0);
|
|
||||||
if(cipherVersion != NULL) {
|
|
||||||
LOG((CLOG_INFO "%s", cipherVersion));
|
|
||||||
OPENSSL_free(cipherVersion);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -369,14 +365,8 @@ SecureSocket::secureConnect(int socket)
|
||||||
return -1; // Fingerprint failed, error
|
return -1; // Fingerprint failed, error
|
||||||
}
|
}
|
||||||
LOG((CLOG_DEBUG2 "connected secure socket"));
|
LOG((CLOG_DEBUG2 "connected secure socket"));
|
||||||
const SSL_CIPHER* cipher = SSL_get_current_cipher(m_ssl->m_ssl);
|
showSecureCipherInfo();
|
||||||
if(cipher != NULL) {
|
showSecureConnectInfo();
|
||||||
char * cipherVersion = SSL_CIPHER_description(cipher, NULL, 0);
|
|
||||||
if(cipherVersion != NULL) {
|
|
||||||
LOG((CLOG_INFO "%s", cipherVersion));
|
|
||||||
OPENSSL_free(cipherVersion);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -626,3 +616,72 @@ SecureSocket::serviceAccept(ISocketMultiplexerJob* job,
|
||||||
// If status < 0, error happened
|
// If status < 0, error happened
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
void
|
||||||
|
showCipherStackDesc(STACK_OF(SSL_CIPHER) * stack) {
|
||||||
|
char msg[kMsgSize];
|
||||||
|
int i = 0;
|
||||||
|
for ( ; i < sk_SSL_CIPHER_num(stack) ; i++) {
|
||||||
|
const SSL_CIPHER * cipher = sk_SSL_CIPHER_value(stack,i);
|
||||||
|
|
||||||
|
SSL_CIPHER_description(cipher, msg, kMsgSize);
|
||||||
|
|
||||||
|
// Why does SSL put a newline in the description?
|
||||||
|
int pos = (int)strlen(msg) - 1;
|
||||||
|
if (msg[pos] == '\n') {
|
||||||
|
msg[pos] = '\0';
|
||||||
|
}
|
||||||
|
|
||||||
|
LOG((CLOG_DEBUG1 "%s",msg));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
void
|
||||||
|
SecureSocket::showSecureCipherInfo()
|
||||||
|
{
|
||||||
|
STACK_OF(SSL_CIPHER) * sStack = SSL_get_ciphers(m_ssl->m_ssl);
|
||||||
|
|
||||||
|
if (sStack == NULL) {
|
||||||
|
LOG((CLOG_WARN "No ciphers available on server"));
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
LOG((CLOG_DEBUG1 "Ciphers available on server:"));
|
||||||
|
showCipherStackDesc(sStack);
|
||||||
|
}
|
||||||
|
|
||||||
|
// m_ssl->m_ssl->session->ciphers is not forward compatable, In future release
|
||||||
|
// of OpenSSL, it's not visible, need to use SSL_get_client_ciphers() instead
|
||||||
|
STACK_OF(SSL_CIPHER) * cStack = m_ssl->m_ssl->session->ciphers;
|
||||||
|
if (cStack == NULL) {
|
||||||
|
LOG((CLOG_WARN "No ciphers available from client"));
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
LOG((CLOG_DEBUG1 "Ciphers available on client:"));
|
||||||
|
showCipherStackDesc(cStack);
|
||||||
|
}
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
void
|
||||||
|
SecureSocket::showSecureLibInfo()
|
||||||
|
{
|
||||||
|
LOG((CLOG_INFO "%s",SSLeay_version(SSLEAY_VERSION)));
|
||||||
|
LOG((CLOG_DEBUG2 "OpenSSL : %s",SSLeay_version(SSLEAY_CFLAGS)));
|
||||||
|
LOG((CLOG_DEBUG2 "OpenSSL : %s",SSLeay_version(SSLEAY_BUILT_ON)));
|
||||||
|
LOG((CLOG_DEBUG2 "OpenSSL : %s",SSLeay_version(SSLEAY_PLATFORM)));
|
||||||
|
LOG((CLOG_DEBUG2 "%s",SSLeay_version(SSLEAY_DIR)));
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
void
|
||||||
|
SecureSocket::showSecureConnectInfo()
|
||||||
|
{
|
||||||
|
const SSL_CIPHER* cipher = SSL_get_current_cipher(m_ssl->m_ssl);
|
||||||
|
|
||||||
|
if (cipher != NULL) {
|
||||||
|
char msg[kMsgSize];
|
||||||
|
SSL_CIPHER_description(cipher, msg, kMsgSize);
|
||||||
|
LOG((CLOG_INFO "%s", msg));
|
||||||
|
}
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
|
@ -79,6 +79,10 @@ private:
|
||||||
serviceAccept(ISocketMultiplexerJob*,
|
serviceAccept(ISocketMultiplexerJob*,
|
||||||
bool, bool, bool);
|
bool, bool, bool);
|
||||||
|
|
||||||
|
void showSecureConnectInfo();
|
||||||
|
void showSecureLibInfo();
|
||||||
|
void showSecureCipherInfo();
|
||||||
|
|
||||||
private:
|
private:
|
||||||
Ssl* m_ssl;
|
Ssl* m_ssl;
|
||||||
bool m_secureReady;
|
bool m_secureReady;
|
||||||
|
|
Loading…
Reference in New Issue