Added additional SSL logging abotu connection information as well as client and server cipher availability #4793

This commit is contained in:
Adam Potolsky 2015-06-12 14:33:28 -07:00
parent 5696497bc0
commit 4b0dec69bf
2 changed files with 84 additions and 21 deletions

View File

@ -42,6 +42,10 @@ enum {
kMaxRetryCount = 100000 kMaxRetryCount = 100000
}; };
enum {
kMsgSize = 128
};
static const char kFingerprintDirName[] = "SSL/Fingerprints"; static const char kFingerprintDirName[] = "SSL/Fingerprints";
//static const char kFingerprintLocalFilename[] = "Local.txt"; //static const char kFingerprintLocalFilename[] = "Local.txt";
static const char kFingerprintTrustedServersFilename[] = "TrustedServers.txt"; static const char kFingerprintTrustedServersFilename[] = "TrustedServers.txt";
@ -240,11 +244,9 @@ SecureSocket::initContext(bool server)
// load all error messages // load all error messages
SSL_load_error_strings(); SSL_load_error_strings();
LOG((CLOG_INFO "%s",SSLeay_version (SSLEAY_VERSION))); if (CLOG->getFilter() >= kINFO) {
LOG((CLOG_DEBUG2 "OpenSSL : %s",SSLeay_version (SSLEAY_CFLAGS))); showSecureLibInfo();
LOG((CLOG_DEBUG2 "OpenSSL : %s",SSLeay_version (SSLEAY_BUILT_ON))); }
LOG((CLOG_DEBUG2 "OpenSSL : %s",SSLeay_version (SSLEAY_PLATFORM)));
LOG((CLOG_DEBUG2 "%s",SSLeay_version (SSLEAY_DIR)));
// SSLv23_method uses TLSv1, with the ability to fall back to SSLv3 // SSLv23_method uses TLSv1, with the ability to fall back to SSLv3
if (server) { if (server) {
@ -304,14 +306,8 @@ SecureSocket::secureAccept(int socket)
if (retry == 0) { if (retry == 0) {
m_secureReady = true; m_secureReady = true;
LOG((CLOG_INFO "accepted secure socket")); LOG((CLOG_INFO "accepted secure socket"));
const SSL_CIPHER* cipher = SSL_get_current_cipher(m_ssl->m_ssl); showSecureCipherInfo();
if(cipher != NULL) { showSecureConnectInfo();
char * cipherVersion = SSL_CIPHER_description(cipher, NULL, 0);
if(cipherVersion != NULL) {
LOG((CLOG_INFO "%s", cipherVersion));
OPENSSL_free(cipherVersion);
}
}
return 1; return 1;
} }
@ -369,14 +365,8 @@ SecureSocket::secureConnect(int socket)
return -1; // Fingerprint failed, error return -1; // Fingerprint failed, error
} }
LOG((CLOG_DEBUG2 "connected secure socket")); LOG((CLOG_DEBUG2 "connected secure socket"));
const SSL_CIPHER* cipher = SSL_get_current_cipher(m_ssl->m_ssl); showSecureCipherInfo();
if(cipher != NULL) { showSecureConnectInfo();
char * cipherVersion = SSL_CIPHER_description(cipher, NULL, 0);
if(cipherVersion != NULL) {
LOG((CLOG_INFO "%s", cipherVersion));
OPENSSL_free(cipherVersion);
}
}
return 1; return 1;
} }
@ -626,3 +616,72 @@ SecureSocket::serviceAccept(ISocketMultiplexerJob* job,
// If status < 0, error happened // If status < 0, error happened
return NULL; return NULL;
} }
void
showCipherStackDesc(STACK_OF(SSL_CIPHER) * stack) {
char msg[kMsgSize];
int i = 0;
for ( ; i < sk_SSL_CIPHER_num(stack) ; i++) {
const SSL_CIPHER * cipher = sk_SSL_CIPHER_value(stack,i);
SSL_CIPHER_description(cipher, msg, kMsgSize);
// Why does SSL put a newline in the description?
int pos = (int)strlen(msg) - 1;
if (msg[pos] == '\n') {
msg[pos] = '\0';
}
LOG((CLOG_DEBUG1 "%s",msg));
}
}
void
SecureSocket::showSecureCipherInfo()
{
STACK_OF(SSL_CIPHER) * sStack = SSL_get_ciphers(m_ssl->m_ssl);
int i = 0;
if (sStack == NULL) {
LOG((CLOG_WARN "No ciphers available on server"));
}
else {
LOG((CLOG_DEBUG1 "Ciphers available on server:"));
showCipherStackDesc(sStack);
}
// m_ssl->m_ssl->session->ciphers is not forward compatable, In future release
// of OpenSSL, it's not visible, need to use SSL_get_client_ciphers() instead
STACK_OF(SSL_CIPHER) * cStack = m_ssl->m_ssl->session->ciphers;
if (cStack == NULL) {
LOG((CLOG_WARN "No ciphers available from client"));
}
else {
LOG((CLOG_DEBUG1 "Ciphers available on client:"));
showCipherStackDesc(cStack);
}
return;
}
void
SecureSocket::showSecureLibInfo()
{
LOG((CLOG_INFO "%s",SSLeay_version(SSLEAY_VERSION)));
LOG((CLOG_DEBUG2 "OpenSSL : %s",SSLeay_version(SSLEAY_CFLAGS)));
LOG((CLOG_DEBUG2 "OpenSSL : %s",SSLeay_version(SSLEAY_BUILT_ON)));
LOG((CLOG_DEBUG2 "OpenSSL : %s",SSLeay_version(SSLEAY_PLATFORM)));
LOG((CLOG_DEBUG2 "%s",SSLeay_version(SSLEAY_DIR)));
return;
}
void
SecureSocket::showSecureConnectInfo()
{
const SSL_CIPHER* cipher = SSL_get_current_cipher(m_ssl->m_ssl);
if (cipher != NULL) {
char msg[kMsgSize];
SSL_CIPHER_description(cipher, msg, kMsgSize);
LOG((CLOG_INFO "%s", msg));
}
return;
}

View File

@ -79,6 +79,10 @@ private:
serviceAccept(ISocketMultiplexerJob*, serviceAccept(ISocketMultiplexerJob*,
bool, bool, bool); bool, bool, bool);
void showSecureConnectInfo();
void showSecureLibInfo();
void showSecureCipherInfo();
private: private:
Ssl* m_ssl; Ssl* m_ssl;
bool m_secureReady; bool m_secureReady;