Posted to commits@trafficserver.apache.org by zw...@apache.org on 2014/04/20 21:20:52 UTC
[35/50] [abbrv] git commit: TS-2658: additional SSL certificate
logging
TS-2658: additional SSL certificate logging
After a successful SSL handshake, log the peer certificate to the
debug log. This is useful for debugging SSL certificate authentication
and other SSL connection issues.
Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/7d3f9c82
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/7d3f9c82
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/7d3f9c82
Branch: refs/heads/lua_config
Commit: 7d3f9c82e32032540908b4413c252c58e87d128c
Parents: 6986354
Author: James Peach <jp...@apache.org>
Authored: Wed Mar 19 11:21:25 2014 -0700
Committer: James Peach <jp...@apache.org>
Committed: Mon Mar 24 16:22:48 2014 -0700
----------------------------------------------------------------------
CHANGES | 6 ++-
iocore/net/P_SSLNetVConnection.h | 2 -
iocore/net/SSLNetVConnection.cc | 77 +++++++++++++++++++++--------------
3 files changed, 50 insertions(+), 35 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/7d3f9c82/CHANGES
----------------------------------------------------------------------
diff --git a/CHANGES b/CHANGES
index c6d664f..da8b67e 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,10 +1,12 @@
-*- coding: utf-8 -*-
Changes with Apache Traffic Server 5.0.0
-
+
+ *) [TS-2658] Additional debug logging for SSL certificates.
+
*) [TS-2431] Migrate Taobao SPDY plugin to ATS core.
*) [TS-2651] atscppapi: race conditions in destruction of async providers
-
+
*) [TS-2646] regex_remap: Add a new option, @caseless.
*) [TS-2647] atscppapi: Bug fixes in headers and atscppapi
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/7d3f9c82/iocore/net/P_SSLNetVConnection.h
----------------------------------------------------------------------
diff --git a/iocore/net/P_SSLNetVConnection.h b/iocore/net/P_SSLNetVConnection.h
index fcb0e8c..47861e4 100644
--- a/iocore/net/P_SSLNetVConnection.h
+++ b/iocore/net/P_SSLNetVConnection.h
@@ -101,8 +101,6 @@ public:
virtual ~SSLNetVConnection() { }
SSL *ssl;
- X509 *client_cert;
- X509 *server_cert;
static int advertise_next_protocol(SSL * ssl, const unsigned char ** out, unsigned * outlen, void *);
static int select_next_protocol(SSL * ssl, const unsigned char ** out, unsigned char * outlen, const unsigned char * in, unsigned inlen, void *);
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/7d3f9c82/iocore/net/SSLNetVConnection.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc
index 3925de9..02f3f4a 100644
--- a/iocore/net/SSLNetVConnection.cc
+++ b/iocore/net/SSLNetVConnection.cc
@@ -56,6 +56,30 @@ make_ssl_connection(SSL_CTX * ctx, SSLNetVConnection * netvc)
return ssl;
}
+static void
+debug_certificate_name(const char * msg, X509_NAME * name)
+{
+ BIO * bio;
+
+ if (name == NULL) {
+ return;
+ }
+
+ bio = BIO_new(BIO_s_mem());
+ if (bio == NULL) {
+ return;
+ }
+
+ if (X509_NAME_print_ex(bio, name, 0 /* indent */, XN_FLAG_ONELINE) > 0) {
+ long len;
+ char * ptr;
+ len = BIO_get_mem_data(bio, &ptr);
+ Debug("ssl", "%s %.*s", msg, (int)len, ptr);
+ }
+
+ BIO_free(bio);
+}
+
static inline int
do_SSL_write(SSL * ssl, void *buf, int size)
{
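Review bot: debug_certificate_name carries no comment saying what it prints or that the caller is responsible for the debug-tag guard, and it allocates a memory BIO unconditionally, so calling it without the is_debug_tag_set("ssl") check the callers use would pay that cost on every handshake. I would add above the definition: `// Log an X509_NAME under the "ssl" debug tag as a one-line RFC 2253 DN. XN_FLAG_ONELINE escapes control and non-ASCII bytes, so untrusted certificate contents cannot break the log line. Callers must check is_debug_tag_set("ssl") first; the BIO allocation here is unconditional.` The `(int)len` narrowing in the Debug call is only safe because a DN is far smaller than INT_MAX, which deserves a short comment on that line as well.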
@@ -538,22 +562,18 @@ SSLNetVConnection::sslServerHandShakeEvent(int &err)
switch (ssl_error) {
case SSL_ERROR_NONE:
- Debug("ssl", "handshake completed successfully");
- client_cert = SSL_get_peer_certificate(ssl);
- if (client_cert != NULL) {
-/* str = X509_NAME_oneline (X509_get_subject_name (client_cert), 0, 0);
- Free (str);
-
- str = X509_NAME_oneline (X509_get_issuer_name (client_cert), 0, 0);
- Free (str);
-
- // Add any extra client cert verification stuff here. SSL
- // is set up in SSLNetProcessor::start to automatically verify
- // the client cert's CA, if required.
-*/
- X509_free(client_cert);
+ if (is_debug_tag_set("ssl")) {
+ X509 * cert = SSL_get_peer_certificate(ssl);
+
+ Debug("ssl", "SSL server handshake completed successfully");
+ if (cert) {
+ debug_certificate_name("client certificate subject CN is", X509_get_subject_name(cert));
+ debug_certificate_name("client certificate issuer CN is", X509_get_issuer_name(cert));
+ X509_free(cert);
+ }
}
- sslHandShakeComplete = 1;
+
+ sslHandShakeComplete = true;
{
const unsigned char * proto = NULL;
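Review bot: The labels passed to the two debug_certificate_name calls say "subject CN is" and "issuer CN is", but the helper prints the whole distinguished name via X509_NAME_print_ex, not the CN alone, so the log line misleads anyone reading it; I would change them to `"client certificate subject is"` and `"client certificate issuer is"` (the sslClientHandShakeEvent hunk below uses the same "CN" wording for the server certificate). SSL_get_peer_certificate returns whatever the peer presented, so this line records that a certificate was offered, not that it passed verification, which depends on the verify mode configured elsewhere; the removed comment said so explicitly and a one-line note to that effect should survive, e.g. `// Logged for diagnostics only; verification is governed by the SSL_CTX verify mode.` The nine-line block is duplicated verbatim in sslClientHandShakeEvent, and a small helper taking the SSL pointer and a role label would keep the two in step. sslServerHandShakeEvent starts and ends outside the hunk.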
@@ -623,23 +643,18 @@ SSLNetVConnection::sslClientHandShakeEvent(int &err)
ret = SSL_connect(ssl);
switch (SSL_get_error(ssl, ret)) {
case SSL_ERROR_NONE:
- Debug("ssl", "SSLNetVConnection::sslClientHandShakeEvent, handshake completed successfully");
- server_cert = SSL_get_peer_certificate(ssl);
-
-/* str = X509_NAME_oneline (X509_get_subject_name (server_cert),0,0);
- Free (str);
-
- str = X509_NAME_oneline (X509_get_issuer_name (server_cert),0,0);
- Free (str);
-*/
-
-/* Add certificate verification stuff here before
- deallocating the certificate.
-*/
-
- X509_free(server_cert);
- sslHandShakeComplete = 1;
+ if (is_debug_tag_set("ssl")) {
+ X509 * cert = SSL_get_peer_certificate(ssl);
+
+ Debug("ssl", "SSL client handshake completed successfully");
+ if (cert) {
+ debug_certificate_name("server certificate subject CN is", X509_get_subject_name(cert));
+ debug_certificate_name("server certificate issuer CN is", X509_get_issuer_name(cert));
+ X509_free(cert);
+ }
+ }
+ sslHandShakeComplete = true;
return EVENT_DONE;
case SSL_ERROR_WANT_WRITE: