#6372 More user friendly and current logging for SecureSocket

Nick Bolton 2018-07-28 01:14:35 +01:00
parent 46a5166fba
commit 89cc8a8daa
1 changed files with 31 additions and 22 deletions


@ -38,6 +38,7 @@
#define MAX_ERROR_SIZE 65535 #define MAX_ERROR_SIZE 65535
static const float s_retryDelay = 0.01f; static const float s_retryDelay = 0.01f;
const char* k_tlsString = "TLSv1.2";
enum { enum {
kMsgSize = 128 kMsgSize = 128
@ -277,7 +278,7 @@ int
SecureSocket::secureWrite(const void* buffer, int size, int& wrote) SecureSocket::secureWrite(const void* buffer, int size, int& wrote)
{ {
if (m_ssl->m_ssl != NULL) { if (m_ssl->m_ssl != NULL) {
LOG((CLOG_DEBUG2 "writing secure socket:%p", this)); LOG((CLOG_DEBUG2 "writing secure socket: %p", this));
wrote = SSL_write(m_ssl->m_ssl, buffer, size); wrote = SSL_write(m_ssl->m_ssl, buffer, size);
@ -320,7 +321,7 @@ bool
SecureSocket::loadCertificates(String& filename) SecureSocket::loadCertificates(String& filename)
{ {
if (filename.empty()) { if (filename.empty()) {
showError("ssl certificate is not specified"); showError("tls certificate is not specified");
return false; return false;
} }
else { else {
@ -329,7 +330,7 @@ SecureSocket::loadCertificates(String& filename)
file.close(); file.close();
if (!exist) { if (!exist) {
String errorMsg("ssl certificate doesn't exist: "); String errorMsg("tls certificate doesn't exist: ");
errorMsg.append(filename); errorMsg.append(filename);
showError(errorMsg.c_str()); showError(errorMsg.c_str());
return false; return false;
@ -339,19 +340,19 @@ SecureSocket::loadCertificates(String& filename)
int r = 0; int r = 0;
r = SSL_CTX_use_certificate_file(m_ssl->m_context, filename.c_str(), SSL_FILETYPE_PEM); r = SSL_CTX_use_certificate_file(m_ssl->m_context, filename.c_str(), SSL_FILETYPE_PEM);
if (r <= 0) { if (r <= 0) {
showError("could not use ssl certificate"); showError("could not use tls certificate");
return false; return false;
} }
r = SSL_CTX_use_PrivateKey_file(m_ssl->m_context, filename.c_str(), SSL_FILETYPE_PEM); r = SSL_CTX_use_PrivateKey_file(m_ssl->m_context, filename.c_str(), SSL_FILETYPE_PEM);
if (r <= 0) { if (r <= 0) {
showError("could not use ssl private key"); showError("could not use tls private key");
return false; return false;
} }
r = SSL_CTX_check_private_key(m_ssl->m_context); r = SSL_CTX_check_private_key(m_ssl->m_context);
if (!r) { if (!r) {
showError("could not verify ssl private key"); showError("could not verify tls private key");
return false; return false;
} }
@ -425,7 +426,7 @@ SecureSocket::secureAccept(int socket)
if (isFatal()) { if (isFatal()) {
// tell user and sleep so the socket isn't hammered. // tell user and sleep so the socket isn't hammered.
LOG((CLOG_ERR "failed to accept secure socket")); LOG((CLOG_ERR "failed to accept secure socket"));
LOG((CLOG_INFO "client connection may not be secure")); LOG((CLOG_WARN "client connection may not be secure"));
m_secureReady = false; m_secureReady = false;
ARCH->sleep(1); ARCH->sleep(1);
retry = 0; retry = 0;
@ -518,12 +519,12 @@ SecureSocket::showCertificate()
cert = SSL_get_peer_certificate(m_ssl->m_ssl); cert = SSL_get_peer_certificate(m_ssl->m_ssl);
if (cert != NULL) { if (cert != NULL) {
line = X509_NAME_oneline(X509_get_subject_name(cert), 0, 0); line = X509_NAME_oneline(X509_get_subject_name(cert), 0, 0);
LOG((CLOG_INFO "server ssl certificate info: %s", line)); LOG((CLOG_INFO "server tls certificate info: %s", line));
OPENSSL_free(line); OPENSSL_free(line);
X509_free(cert); X509_free(cert);
} }
else { else {
showError("server has no ssl certificate"); showError("server has no tls certificate");
return false; return false;
} }
@ -547,7 +548,7 @@ SecureSocket::checkResult(int status, int& retry)
case SSL_ERROR_ZERO_RETURN: case SSL_ERROR_ZERO_RETURN:
// connection closed // connection closed
isFatal(true); isFatal(true);
LOG((CLOG_DEBUG "ssl connection closed")); LOG((CLOG_DEBUG "tls connection closed"));
break; break;
case SSL_ERROR_WANT_READ: case SSL_ERROR_WANT_READ:
@ -575,10 +576,10 @@ SecureSocket::checkResult(int status, int& retry)
break; break;
case SSL_ERROR_SYSCALL: case SSL_ERROR_SYSCALL:
LOG((CLOG_ERR "ssl error occurred (system call failure)")); LOG((CLOG_ERR "tls error occurred (system call failure)"));
if (ERR_peek_error() == 0) { if (ERR_peek_error() == 0) {
if (status == 0) { if (status == 0) {
LOG((CLOG_ERR "eof violates ssl protocol")); LOG((CLOG_ERR "eof violates tls protocol"));
} }
else if (status == -1) { else if (status == -1) {
// underlying socket I/O reproted an error // underlying socket I/O reproted an error
@ -595,12 +596,12 @@ SecureSocket::checkResult(int status, int& retry)
break; break;
case SSL_ERROR_SSL: case SSL_ERROR_SSL:
LOG((CLOG_ERR "ssl error occurred (generic failure)")); LOG((CLOG_ERR "tls error occurred (generic failure)"));
isFatal(true); isFatal(true);
break; break;
default: default:
LOG((CLOG_ERR "ssl error occurred (unknown failure)")); LOG((CLOG_ERR "tls error occurred (unknown failure)"));
isFatal(true); isFatal(true);
break; break;
} }
@ -616,12 +617,12 @@ void
SecureSocket::showError(const char* reason) SecureSocket::showError(const char* reason)
{ {
if (reason != NULL) { if (reason != NULL) {
LOG((CLOG_ERR "%s", reason)); LOG((CLOG_ERR "secure socket error: %s", reason));
} }
String error = getError(); String error = getError();
if (!error.empty()) { if (!error.empty()) {
LOG((CLOG_ERR "%s", error.c_str())); LOG((CLOG_ERR "openssl error: %s", error.c_str()));
} }
} }
@ -828,11 +829,11 @@ SecureSocket::showSecureCipherInfo()
void void
SecureSocket::showSecureLibInfo() SecureSocket::showSecureLibInfo()
{ {
LOG((CLOG_INFO "%s",SSLeay_version(SSLEAY_VERSION))); LOG((CLOG_DEBUG "openssl version: %s", SSLeay_version(SSLEAY_VERSION)));
LOG((CLOG_DEBUG1 "openSSL : %s",SSLeay_version(SSLEAY_CFLAGS))); LOG((CLOG_DEBUG1 "openssl flags: %s", SSLeay_version(SSLEAY_CFLAGS)));
LOG((CLOG_DEBUG1 "openSSL : %s",SSLeay_version(SSLEAY_BUILT_ON))); LOG((CLOG_DEBUG1 "openssl built on: %s", SSLeay_version(SSLEAY_BUILT_ON)));
LOG((CLOG_DEBUG1 "openSSL : %s",SSLeay_version(SSLEAY_PLATFORM))); LOG((CLOG_DEBUG1 "openssl platform: %s", SSLeay_version(SSLEAY_PLATFORM)));
LOG((CLOG_DEBUG1 "%s",SSLeay_version(SSLEAY_DIR))); LOG((CLOG_DEBUG1 "openssl dir: %s", SSLeay_version(SSLEAY_DIR)));
return; return;
} }
@ -844,8 +845,16 @@ SecureSocket::showSecureConnectInfo()
if (cipher != NULL) { if (cipher != NULL) {
char msg[kMsgSize]; char msg[kMsgSize];
SSL_CIPHER_description(cipher, msg, kMsgSize); SSL_CIPHER_description(cipher, msg, kMsgSize);
LOG((CLOG_INFO "%s", msg)); LOG((CLOG_DEBUG "openssl cipher: %s", msg));
// show user a simpler version of the openssl cipher output
if (std::string(msg).find(k_tlsString) != std::string::npos) {
LOG((CLOG_INFO "network encryption protocol: %s", k_tlsString));
} }
}
else {
LOG((CLOG_ERR "could not get secure socket cipher"));
}
return; return;
} }
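Review bot: The new "network encryption protocol" line in showSecureConnectInfo is derived from a substring search over the SSL_CIPHER_description() text, but the version field in that string is the protocol in which the cipher suite was first defined, not the version negotiated for this connection — suites introduced in SSLv3 (and still usable under TLS 1.2) are flagged "SSLv3" there, so the INFO line is silently skipped for them, while a match does not by itself prove the session is TLS 1.2. The negotiated protocol is available directly from OpenSSL, so the two added lines can be replaced with `LOG((CLOG_INFO "network encryption protocol: %s", SSL_get_version(m_ssl->m_ssl)));` (assuming, as the rest of the hunk suggests, that `cipher` was obtained from `m_ssl->m_ssl` above the hunk), which also makes `k_tlsString` unnecessary. If the substring approach is kept, a comment such as `// NOTE: cipher description reports the suite's defining version, not the negotiated one` should go next to it so the log line is not read as an assurance of the session version. Separately, the new file-scope `const char* k_tlsString` in the first hunk has external linkage and a mutable pointer; `static const char* const k_tlsString = "TLSv1.2";` matches `s_retryDelay` above it. showSecureConnectInfo starts outside the hunk.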