From 16a2815504a8f5cb0d26f2f00579a239864f3e88 Mon Sep 17 00:00:00 2001 From: Adam Potolsky Date: Fri, 12 Jun 2015 14:40:15 -0700 Subject: [PATCH 1/2] Added additional SSL logging abotu connection information as well as client and server cipher availability #4793 --- src/lib/plugin/ns/SecureSocket.cpp | 101 +++++++++++++++++++++++------ src/lib/plugin/ns/SecureSocket.h | 4 ++ 2 files changed, 84 insertions(+), 21 deletions(-) diff --git a/src/lib/plugin/ns/SecureSocket.cpp b/src/lib/plugin/ns/SecureSocket.cpp index 11da4c48..5ba66ad2 100644 --- a/src/lib/plugin/ns/SecureSocket.cpp +++ b/src/lib/plugin/ns/SecureSocket.cpp @@ -42,6 +42,10 @@ enum { kMaxRetryCount = 100000 }; +enum { + kMsgSize = 128 +}; + static const char kFingerprintDirName[] = "SSL/Fingerprints"; //static const char kFingerprintLocalFilename[] = "Local.txt"; static const char kFingerprintTrustedServersFilename[] = "TrustedServers.txt"; @@ -240,11 +244,9 @@ SecureSocket::initContext(bool server) // load all error messages SSL_load_error_strings(); - LOG((CLOG_INFO "%s",SSLeay_version (SSLEAY_VERSION))); - LOG((CLOG_DEBUG2 "OpenSSL : %s",SSLeay_version (SSLEAY_CFLAGS))); - LOG((CLOG_DEBUG2 "OpenSSL : %s",SSLeay_version (SSLEAY_BUILT_ON))); - LOG((CLOG_DEBUG2 "OpenSSL : %s",SSLeay_version (SSLEAY_PLATFORM))); - LOG((CLOG_DEBUG2 "%s",SSLeay_version (SSLEAY_DIR))); + if (CLOG->getFilter() >= kINFO) { + showSecureLibInfo(); + } // SSLv23_method uses TLSv1, with the ability to fall back to SSLv3 if (server) { @@ -304,14 +306,8 @@ SecureSocket::secureAccept(int socket) if (retry == 0) { m_secureReady = true; LOG((CLOG_INFO "accepted secure socket")); - const SSL_CIPHER* cipher = SSL_get_current_cipher(m_ssl->m_ssl); - if(cipher != NULL) { - char * cipherVersion = SSL_CIPHER_description(cipher, NULL, 0); - if(cipherVersion != NULL) { - LOG((CLOG_INFO "%s", cipherVersion)); - OPENSSL_free(cipherVersion); - } - } + showSecureCipherInfo(); + showSecureConnectInfo(); return 1; } @@ -369,14 +365,8 @@ SecureSocket::secureConnect(int socket) return -1; // Fingerprint failed, error } LOG((CLOG_DEBUG2 "connected secure socket")); - const SSL_CIPHER* cipher = SSL_get_current_cipher(m_ssl->m_ssl); - if(cipher != NULL) { - char * cipherVersion = SSL_CIPHER_description(cipher, NULL, 0); - if(cipherVersion != NULL) { - LOG((CLOG_INFO "%s", cipherVersion)); - OPENSSL_free(cipherVersion); - } - } + showSecureCipherInfo(); + showSecureConnectInfo(); return 1; } @@ -626,3 +616,72 @@ SecureSocket::serviceAccept(ISocketMultiplexerJob* job, // If status < 0, error happened return NULL; } + +void +showCipherStackDesc(STACK_OF(SSL_CIPHER) * stack) { + char msg[kMsgSize]; + int i = 0; + for ( ; i < sk_SSL_CIPHER_num(stack) ; i++) { + const SSL_CIPHER * cipher = sk_SSL_CIPHER_value(stack,i); + + SSL_CIPHER_description(cipher, msg, kMsgSize); + + // Why does SSL put a newline in the description? + int pos = (int)strlen(msg) - 1; + if (msg[pos] == '\n') { + msg[pos] = '\0'; + } + + LOG((CLOG_DEBUG1 "%s",msg)); + } +} + +void +SecureSocket::showSecureCipherInfo() +{ + STACK_OF(SSL_CIPHER) * sStack = SSL_get_ciphers(m_ssl->m_ssl); + + if (sStack == NULL) { + LOG((CLOG_WARN "No ciphers available on server")); + } + else { + LOG((CLOG_DEBUG1 "Ciphers available on server:")); + showCipherStackDesc(sStack); + } + + // m_ssl->m_ssl->session->ciphers is not forward compatable, In future release + // of OpenSSL, it's not visible, need to use SSL_get_client_ciphers() instead + STACK_OF(SSL_CIPHER) * cStack = m_ssl->m_ssl->session->ciphers; + if (cStack == NULL) { + LOG((CLOG_WARN "No ciphers available from client")); + } + else { + LOG((CLOG_DEBUG1 "Ciphers available on client:")); + showCipherStackDesc(cStack); + } + return; +} + +void +SecureSocket::showSecureLibInfo() +{ + LOG((CLOG_INFO "%s",SSLeay_version(SSLEAY_VERSION))); + LOG((CLOG_DEBUG2 "OpenSSL : %s",SSLeay_version(SSLEAY_CFLAGS))); + LOG((CLOG_DEBUG2 "OpenSSL : %s",SSLeay_version(SSLEAY_BUILT_ON))); + LOG((CLOG_DEBUG2 "OpenSSL : %s",SSLeay_version(SSLEAY_PLATFORM))); + LOG((CLOG_DEBUG2 "%s",SSLeay_version(SSLEAY_DIR))); + return; +} + +void +SecureSocket::showSecureConnectInfo() +{ + const SSL_CIPHER* cipher = SSL_get_current_cipher(m_ssl->m_ssl); + + if (cipher != NULL) { + char msg[kMsgSize]; + SSL_CIPHER_description(cipher, msg, kMsgSize); + LOG((CLOG_INFO "%s", msg)); + } + return; +} diff --git a/src/lib/plugin/ns/SecureSocket.h b/src/lib/plugin/ns/SecureSocket.h index e1906991..0c0f3b10 100644 --- a/src/lib/plugin/ns/SecureSocket.h +++ b/src/lib/plugin/ns/SecureSocket.h @@ -79,6 +79,10 @@ private: serviceAccept(ISocketMultiplexerJob*, bool, bool, bool); + void showSecureConnectInfo(); + void showSecureLibInfo(); + void showSecureCipherInfo(); + private: Ssl* m_ssl; bool m_secureReady; From afb0e2a2ea80dffff87c54177a0f658c69a13433 Mon Sep 17 00:00:00 2001 From: Adam Potolsky Date: Fri, 12 Jun 2015 15:07:53 -0700 Subject: [PATCH 2/2] Added log level protection, changed log levels for some logging #4793 --- src/lib/plugin/ns/SecureSocket.cpp | 24 ++++++++++++++---------- 1 file changed, 14 insertions(+), 10 deletions(-) diff --git a/src/lib/plugin/ns/SecureSocket.cpp b/src/lib/plugin/ns/SecureSocket.cpp index 5ba66ad2..639220ed 100644 --- a/src/lib/plugin/ns/SecureSocket.cpp +++ b/src/lib/plugin/ns/SecureSocket.cpp @@ -306,7 +306,9 @@ SecureSocket::secureAccept(int socket) if (retry == 0) { m_secureReady = true; LOG((CLOG_INFO "accepted secure socket")); - showSecureCipherInfo(); + if (CLOG->getFilter() >= kDEBUG1) { + showSecureCipherInfo(); + } showSecureConnectInfo(); return 1; } @@ -365,7 +367,9 @@ SecureSocket::secureConnect(int socket) return -1; // Fingerprint failed, error } LOG((CLOG_DEBUG2 "connected secure socket")); - showSecureCipherInfo(); + if (CLOG->getFilter() >= kDEBUG1) { + showSecureCipherInfo(); + } showSecureConnectInfo(); return 1; } @@ -642,10 +646,10 @@ SecureSocket::showSecureCipherInfo() STACK_OF(SSL_CIPHER) * sStack = SSL_get_ciphers(m_ssl->m_ssl); if (sStack == NULL) { - LOG((CLOG_WARN "No ciphers available on server")); + LOG((CLOG_DEBUG1 "local cipher list not available")); } else { - LOG((CLOG_DEBUG1 "Ciphers available on server:")); + LOG((CLOG_DEBUG1 "available local ciphers:")); showCipherStackDesc(sStack); } @@ -653,10 +657,10 @@ SecureSocket::showSecureCipherInfo() // of OpenSSL, it's not visible, need to use SSL_get_client_ciphers() instead STACK_OF(SSL_CIPHER) * cStack = m_ssl->m_ssl->session->ciphers; if (cStack == NULL) { - LOG((CLOG_WARN "No ciphers available from client")); + LOG((CLOG_DEBUG1 "remote cipher list not available")); } else { - LOG((CLOG_DEBUG1 "Ciphers available on client:")); + LOG((CLOG_DEBUG1 "available remote ciphers:")); showCipherStackDesc(cStack); } return; @@ -666,10 +670,10 @@ void SecureSocket::showSecureLibInfo() { LOG((CLOG_INFO "%s",SSLeay_version(SSLEAY_VERSION))); - LOG((CLOG_DEBUG2 "OpenSSL : %s",SSLeay_version(SSLEAY_CFLAGS))); - LOG((CLOG_DEBUG2 "OpenSSL : %s",SSLeay_version(SSLEAY_BUILT_ON))); - LOG((CLOG_DEBUG2 "OpenSSL : %s",SSLeay_version(SSLEAY_PLATFORM))); - LOG((CLOG_DEBUG2 "%s",SSLeay_version(SSLEAY_DIR))); + LOG((CLOG_DEBUG1 "openSSL : %s",SSLeay_version(SSLEAY_CFLAGS))); + LOG((CLOG_DEBUG1 "openSSL : %s",SSLeay_version(SSLEAY_BUILT_ON))); + LOG((CLOG_DEBUG1 "openSSL : %s",SSLeay_version(SSLEAY_PLATFORM))); + LOG((CLOG_DEBUG1 "%s",SSLeay_version(SSLEAY_DIR))); return; }