From: Dave H. <hel...@us...> - 2012-03-08 03:58:50
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "SFCB - Small Footprint CIM Broker". The branch, master has been updated via c5daa606337010b51fc2e6700be6db08fabd5c2f (commit) from 98ad8ffee77d6a23482560af9e3f8b8fb86d8970 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit c5daa606337010b51fc2e6700be6db08fabd5c2f Author: Dave Heller <hel...@us...> Date: Wed Mar 7 22:49:12 2012 -0500 [ 3498719 ] Better SSL error reporting for sfcb ----------------------------------------------------------------------- Summary of changes: diff --git a/ChangeLog b/ChangeLog index 28a8655..44c8b6c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +2012-03-07 Dave Heller <hel...@us...> + + * httpAdapter.c: + [ 3498719 ] Better SSL error reporting for sfcb + 2012-03-07 Chris Buccella <buc...@li...> * cimAccountPassthroughProvider.c: diff --git a/NEWS b/NEWS index 06613b2..ba548c8 100644 --- a/NEWS +++ b/NEWS @@ -9,6 +9,7 @@ New features: Bugs fixed: - 3495804 Cleanup: httpProcId still defined, wrong define in cimXmlGen +- 3498719 Better SSL error reporting for sfcb Changes in 1.4.2 ================ diff --git a/httpAdapter.c b/httpAdapter.c index 1614e16..f9d2830 100644 --- a/httpAdapter.c +++ b/httpAdapter.c @@ -1283,6 +1283,7 @@ handleHttpRequest(int connFd, int sslMode) if (!(conn_fd.ssl = SSL_new(ctx))) intSSLerror("Error creating SSL object"); SSL_set_bio(conn_fd.ssl, sb, sb); + char *error_string; while (1) { int sslacc, sslerr; @@ -1291,6 +1292,7 @@ handleHttpRequest(int connFd, int sslMode) /* * accepted */ + _SFCB_TRACE(1, ("--- SSL connection accepted")); break; } sslerr = SSL_get_error(conn_fd.ssl, sslacc); 
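Review bot: `error_string`, declared as `char *` just before the `while (1)` loop in the @@ -1283 hunk, is assigned string literals in the handshake-error branches added later in this commit; writing through it would be undefined behaviour, so declare it `const char *error_string = NULL;` and let the `ERR_error_string` result convert implicitly. The declaration also sits between statements, which needs C99 mixed declarations; if the build does not already compile with a C99 dialect it belongs with the other locals of `handleHttpRequest`, whose body begins outside this hunk.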
@@ -1302,10 +1304,16 @@ handleHttpRequest(int connFd, int sslMode) FD_ZERO(&httpfds); FD_SET(connFd, &httpfds); if (sslerr == SSL_ERROR_WANT_WRITE) { + _SFCB_TRACE(2, ( + "--- Waiting for SSL handshake (WANT_WRITE): timeout=%ld", + httpSelectTimeout.tv_sec)); isReady = select(connFd + 1, NULL, &httpfds, NULL, &httpSelectTimeout); } else { + _SFCB_TRACE(2, ( + "--- Waiting for SSL handshake (WANT_READ): timeout=%ld", + httpSelectTimeout.tv_sec)); isReady = select(connFd + 1, &httpfds, NULL, NULL, &httpSelectTimeout); 
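Review bot: Both new `_SFCB_TRACE(2, ...)` calls print `httpSelectTimeout.tv_sec` with `%ld`, but `tv_sec` is a `time_t`, which is not guaranteed to be `long` (it is 32-bit or a different type on some targets), and a mismatched format argument is undefined behaviour in the variadic call. Cast it explicitly in both places: `(long)httpSelectTimeout.tv_sec`. The surrounding `select` retry loop starts and ends outside this hunk.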
@@ -1313,13 +1321,119 @@ handleHttpRequest(int connFd, int sslMode) if (isReady == 0) { intSSLerror("Timeout error accepting SSL connection"); } else if (isReady < 0) { + mlogf(M_ERROR, M_SHOW, "--- Error accepting SSL connection: %s\n", + strerror(errno)); intSSLerror("Error accepting SSL connection"); } + // Error determination as follows: First, check the SSL error queue. If + // empty, attempt to determine the correct error string some other way. + // Finally, if the system errno is nonzero, report that as well. + } else if (sslerr == SSL_ERROR_ZERO_RETURN){ + int syserrno = errno; + unsigned long sslqerr = ERR_get_error(); + if (sslqerr != 0) { + error_string = ERR_error_string(sslqerr, NULL); + } else { + error_string = "TLS/SSL connection has been closed"; + } + mlogf(M_ERROR, M_SHOW, + "--- SSL_ERROR_ZERO_RETURN during handshake: %s\n", + error_string); + if (syserrno) + mlogf(M_ERROR, M_SHOW, "--- system errno reports: %s\n", + strerror(syserrno)); + intSSLerror("SSL_ERROR_ZERO_RETURN error during SSL handshake"); + break; + } else if (sslerr == SSL_ERROR_WANT_X509_LOOKUP){ + int syserrno = errno; + unsigned long sslqerr = ERR_get_error(); + if (sslqerr != 0) { + error_string = ERR_error_string(sslqerr, NULL); + } else { + error_string = "The client_cert_cb function has not completed"; + } + mlogf(M_ERROR, M_SHOW, + "--- SSL_ERROR_WANT_X509_LOOKUP during handshake: %s\n", + error_string); + if (syserrno) + mlogf(M_ERROR, M_SHOW, "--- system errno reports: %s\n", + strerror(syserrno)); + intSSLerror("SSL_ERROR_WANT_X509_LOOKUP error during SSL handshake"); + break; + } else if (sslerr == SSL_ERROR_WANT_CONNECT){ + int syserrno = errno; + unsigned long sslqerr = ERR_get_error(); + if (sslqerr != 0) { + error_string = ERR_error_string(sslqerr, NULL); + } else { + error_string = "The connect operation did not complete"; + } + mlogf(M_ERROR, M_SHOW, + "--- SSL_ERROR_WANT_CONNECT during handshake: %s\n", + error_string); + if (syserrno) + mlogf(M_ERROR, M_SHOW, 
"--- system errno reports: %s\n", + strerror(syserrno)); + intSSLerror("SSL_ERROR_WANT_CONNECT error during SSL handshake"); + break; + } else if (sslerr == SSL_ERROR_SYSCALL){ + int syserrno = errno; + unsigned long sslqerr = ERR_get_error(); + if (sslqerr != 0) { + error_string = ERR_error_string(sslqerr, NULL); + } else { + if (sslacc == 0) { + error_string = "EOF occurred: client may have aborted"; + } else if (sslacc == -1) { + error_string = "BIO reported an I/O error"; + } else { /* possible? */ + error_string = "Unknown I/O error"; + } + } + mlogf(M_ERROR, M_SHOW, + "--- SSL_ERROR_SYSCALL during handshake: %s\n", + error_string); + if (syserrno) + mlogf(M_ERROR, M_SHOW, "--- system errno reports: %s\n", + strerror(syserrno)); + intSSLerror("SSL_ERROR_SYSCALL error during SSL handshake"); + break; + } else if (sslerr == SSL_ERROR_SSL){ + /* most certificate verification errors will occur here */ + int syserrno = errno; + unsigned long sslqerr = ERR_get_error(); + if (sslqerr != 0) { + error_string = ERR_error_string(sslqerr, NULL); + } else { + error_string = "Unknown SSL library error"; + } + mlogf(M_ERROR, M_SHOW, + "--- SSL_ERROR_SSL during handshake: %s\n", + error_string); + if (syserrno) + mlogf(M_ERROR, M_SHOW, "--- system errno reports: %s\n", + strerror(syserrno)); + intSSLerror("SSL_ERROR_SSL error during SSL handshake"); + break; } else { /* * unexpected error */ - intSSLerror("Error accepting SSL connection"); + int syserrno = errno; + unsigned long sslqerr = ERR_get_error(); + if (sslqerr != 0) { + error_string = ERR_error_string(sslqerr, NULL); + } else { + error_string = "Undefined SSL library error"; + } + mlogf(M_ERROR, M_SHOW, + "--- Undefined SSL_ERROR during handshake: %s\n", + error_string); + if (syserrno) + mlogf(M_ERROR, M_SHOW, "--- system errno reports: %s\n", + strerror(syserrno)); + intSSLerror("Undefined error accepting SSL connection"); + break; } } flags ^= O_NONBLOCK; 
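Review bot: Each of the six new error branches stores the result of `ERR_error_string(sslqerr, NULL)` in `error_string`; with a NULL buffer OpenSSL hands back a pointer into one static buffer, which is only safe while a single handshake can be in flight in this process, so prefer `ERR_error_string_n(sslqerr, errbuf, sizeof errbuf)` into a local array. The branches differ only in their label and fallback text, and the errno capture, `ERR_get_error` and the two `mlogf` calls are repeated verbatim in all of them, so a static helper as sketched below keeps them in step (the `SSL_ERROR_SYSCALL` branch just derives its fallback from `sslacc` first). Only the first queued error is reported and any others stay in the error queue, where they can be misattributed to a later OpenSSL call; the helper can drain them with `ERR_clear_error()` after logging, although whether anything runs after `intSSLerror` depends on that function, which is outside the hunk. Note also that every client that connects and drops (the `EOF occurred` case) now produces two `M_ERROR` lines, which an unauthenticated peer can trigger at will, so consider logging that particular case at a lower severity.
```c
/* Log why SSL_accept() failed: the first queued OpenSSL error if there is
 * one, else `fallback`, plus errno when it is set.  Reads errno before
 * touching the error queue, so call it straight after SSL_get_error(). */
static void
logSSLHandshakeError(const char *label, const char *fallback)
{
  int syserrno = errno;
  char errbuf[256];
  const char *error_string = fallback;
  unsigned long sslqerr = ERR_get_error();

  if (sslqerr != 0) {
    /* _n form writes into our buffer instead of OpenSSL's static one */
    ERR_error_string_n(sslqerr, errbuf, sizeof errbuf);
    error_string = errbuf;
  }
  mlogf(M_ERROR, M_SHOW, "--- %s during handshake: %s\n", label, error_string);
  if (syserrno)
    mlogf(M_ERROR, M_SHOW, "--- system errno reports: %s\n", strerror(syserrno));
  ERR_clear_error();   /* do not leave stale entries for a later call to report */
}

/* … in handleHttpRequest, the six branches become … */
      } else if (sslerr == SSL_ERROR_ZERO_RETURN) {
        logSSLHandshakeError("SSL_ERROR_ZERO_RETURN",
                             "TLS/SSL connection has been closed");
        intSSLerror("SSL_ERROR_ZERO_RETURN error during SSL handshake");
        break;
      } else if (sslerr == SSL_ERROR_SYSCALL) {
        logSSLHandshakeError("SSL_ERROR_SYSCALL",
                             sslacc == 0  ? "EOF occurred: client may have aborted"
                           : sslacc == -1 ? "BIO reported an I/O error"
                                          : "Unknown I/O error");
        intSSLerror("SSL_ERROR_SYSCALL error during SSL handshake");
        break;
      /* … WANT_X509_LOOKUP, WANT_CONNECT, SSL_ERROR_SSL and the default branch follow the same shape … */
```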
@@ -1982,10 +2096,22 @@ httpDaemon(int argc, char *argv[], int sslMode) static int get_cert(int preverify_ok, X509_STORE_CTX * x509_ctx) { - if (preverify_ok) { - x509 = X509_STORE_CTX_get_current_cert(x509_ctx); - } - return preverify_ok; + _SFCB_ENTER(TRACE_HTTPDAEMON, "get_cert"); + + char buf[256]; + int err, depth; + + x509 = X509_STORE_CTX_get_current_cert(x509_ctx); + err = X509_STORE_CTX_get_error(x509_ctx); + depth = X509_STORE_CTX_get_error_depth(x509_ctx); + + _SFCB_TRACE(2, ("--- Verify peer certificate chain: level %d:", depth)); + X509_NAME_oneline(X509_get_subject_name(x509), buf, 256); + _SFCB_TRACE(2, ("--- subject=%s", buf)); + X509_NAME_oneline(X509_get_issuer_name(x509), buf, 256); + _SFCB_TRACE(2, ("--- issuer= %s", buf)); + + _SFCB_RETURN(preverify_ok); } typedef int (*Validate) (X509 * certificate, char **principal, hooks/post-receive -- SFCB - Small Footprint CIM Broker |
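Review bot: `err` is fetched with `X509_STORE_CTX_get_error` in `get_cert` but never used, so a failed `preverify_ok` is still returned without the reason being logged, which is the one thing a certificate-verification failure needs in the log for a commit about error reporting; `X509_verify_cert_error_string(err)` gives the text. The global `x509` is now assigned on every callback rather than only when `preverify_ok` held, so whatever reads it later sees the last certificate visited even when that one failed verification; if any consumer outside this hunk relies on it being a verified certificate, keep the old guard around the assignment. `X509_STORE_CTX_get_current_cert` can return NULL for some error codes, in which case `X509_get_subject_name(x509)` dereferences NULL, so the two name traces should be guarded, and the literal `256` next to `char buf[256]` is better written `sizeof buf`.
```c
  x509 = X509_STORE_CTX_get_current_cert(x509_ctx);
  err = X509_STORE_CTX_get_error(x509_ctx);
  depth = X509_STORE_CTX_get_error_depth(x509_ctx);

  _SFCB_TRACE(2, ("--- Verify peer certificate chain: level %d:", depth));
  if (x509 != NULL) {   /* current cert may be absent for some error codes */
    X509_NAME_oneline(X509_get_subject_name(x509), buf, sizeof buf);
    _SFCB_TRACE(2, ("--- subject=%s", buf));
    X509_NAME_oneline(X509_get_issuer_name(x509), buf, sizeof buf);
    _SFCB_TRACE(2, ("--- issuer= %s", buf));
  }
  if (!preverify_ok) {
    /* the verification reason is otherwise discarded with err */
    _SFCB_TRACE(1, ("--- Certificate verification failed at depth %d: %s",
                    depth, X509_verify_cert_error_string(err)));
  }

  _SFCB_RETURN(preverify_ok);
```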