[sr-dev] git:master:e2cc98eb: tls: try to print sni on tls error

Daniel-Constantin Mierla miconda at gmail.com
Mon Nov 22 09:01:57 CET 2021


Module: kamailio
Branch: master
Commit: e2cc98eb5aca42b82eb18c35adfa2d16ff4a3f60
URL: https://github.com/kamailio/kamailio/commit/e2cc98eb5aca42b82eb18c35adfa2d16ff4a3f60

Author: Daniel-Constantin Mierla <miconda at gmail.com>
Committer: Daniel-Constantin Mierla <miconda at gmail.com>
Date: 2021-11-22T09:01:09+01:00

tls: try to print sni on tls error

---

Modified: src/modules/tls/tls_server.c
Modified: src/modules/tls/tls_util.h

---

Diff:  https://github.com/kamailio/kamailio/commit/e2cc98eb5aca42b82eb18c35adfa2d16ff4a3f60.diff
Patch: https://github.com/kamailio/kamailio/commit/e2cc98eb5aca42b82eb18c35adfa2d16ff4a3f60.patch

---

diff --git a/src/modules/tls/tls_server.c b/src/modules/tls/tls_server.c
index f75b111168..7004096adf 100644
--- a/src/modules/tls/tls_server.c
+++ b/src/modules/tls/tls_server.c
@@ -285,7 +285,7 @@ static int tls_complete_init(struct tcp_connection* c)
 	data->state = state;
 
 	if (unlikely(data->ssl == 0 || data->rwbio == 0)) {
-		TLS_ERR("Failed to create SSL or BIO structure:");
+		TLS_ERR_SSL("Failed to create SSL or BIO structure:", data->ssl);
 		if (data->ssl)
 			SSL_free(data->ssl);
 		if (data->rwbio)
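Review bot: The SNI printed by the new `TLS_ERR_SSL` call on the `data->ssl == 0 || data->rwbio == 0` branch will, as far as this hunk shows, always be "unknown": the check sits right after the SSL/BIO objects are created, before any ClientHello could have been parsed, and `data->ssl` is itself NULL in one of the two failure cases. If that is the case, plain `TLS_ERR("Failed to create SSL or BIO structure:");` would log the same information without the misleading suffix; otherwise a short comment such as `/* sni is only known once the handshake has started */` would help the reader. tls_complete_init continues outside the hunk.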
@@ -446,7 +446,7 @@ EVP_PKEY * tls_lookup_private_key(SSL_CTX*);
 int tls_accept(struct tcp_connection *c, int* error)
 {
 	int ret;
-	SSL *ssl;
+	SSL *ssl = NULL;
 	X509* cert;
 	struct tls_extra_data* tls_c;
 	int tls_log;
@@ -792,7 +792,7 @@ int tls_h_encode_f(struct tcp_connection *c,
 						snd_flags_t* send_flags)
 {
 	int n, offs;
-	SSL* ssl;
+	SSL* ssl = NULL;
 	struct tls_extra_data* tls_c;
 	static unsigned char wr_buf[TLS_WR_MBUF_SZ];
 	struct tls_mbuf rd, wr;
@@ -929,7 +929,7 @@ int tls_h_encode_f(struct tcp_connection *c,
 			case SSL_ERROR_SSL:
 				/* protocol level error */
 				ERR("protocol level error\n");
-				TLS_ERR(err_src);
+				TLS_ERR_SSL(err_src, ssl);
 				memset(ip_buf, 0, sizeof(buf));
 				ip_addr2sbuf(&(c->rcv.src_ip), ip_buf, sizeof(ip_buf));
 				ERR("source IP: %s\n", ip_buf);
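Review bot: The context line after the new `TLS_ERR_SSL(err_src, ssl);` zeroes `ip_buf` with `sizeof(buf)` rather than `sizeof(ip_buf)`; the parallel branch in tls_h_read_f uses `sizeof(ip_buf)`, so the two disagree. `buf` is declared outside the hunk, but if it is a pointer only `sizeof(void *)` bytes are cleared and, depending on whether ip_addr2sbuf() NUL-terminates, the following `ERR("source IP: %s\n", ip_buf)` may read uninitialized stack bytes; if it is a larger array the memset overruns `ip_buf`. Either way the intended line is `memset(ip_buf, 0, sizeof(ip_buf));`. The enclosing switch and tls_h_encode_f continue outside the hunk.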
@@ -970,7 +970,7 @@ int tls_h_encode_f(struct tcp_connection *c,
 				}
 				goto error;
 			default:
-				TLS_ERR(err_src);
+				TLS_ERR_SSL(err_src, ssl);
 				BUG("unexpected SSL error %d\n", ssl_error);
 				goto bug;
 		}
@@ -1053,6 +1053,7 @@ int tls_h_read_f(struct tcp_connection* c, rd_conn_flags_t* flags)
 	int x;
 	int tls_dbg;
 
+	ssl = NULL;
 	TLS_RD_TRACE("(%p, %p (%d)) start (%s -> %s:%d*)\n",
 					c, flags, *flags,
 					su2a(&c->rcv.src_su, sizeof(c->rcv.src_su)),
@@ -1327,7 +1328,7 @@ int tls_h_read_f(struct tcp_connection* c, rd_conn_flags_t* flags)
 		case SSL_ERROR_SSL:
 			/* protocol level error */
 			ERR("protocol level error\n");
-			TLS_ERR(err_src);
+			TLS_ERR_SSL(err_src, ssl);
 			memset(ip_buf, 0, sizeof(ip_buf));
 			ip_addr2sbuf(&(c->rcv.src_ip), ip_buf, sizeof(ip_buf));
 			ERR("src addr: %s:%d\n", ip_buf, c->rcv.src_port);
@@ -1368,7 +1369,7 @@ int tls_h_read_f(struct tcp_connection* c, rd_conn_flags_t* flags)
 			}
 			goto error;
 		default:
-			TLS_ERR(err_src);
+			TLS_ERR_SSL(err_src, ssl);
 			BUG("unexpected SSL error %d\n", ssl_error);
 			goto bug;
 	}
diff --git a/src/modules/tls/tls_util.h b/src/modules/tls/tls_util.h
index 8ff63dd0f1..86e036cce9 100644
--- a/src/modules/tls/tls_util.h
+++ b/src/modules/tls/tls_util.h
@@ -26,20 +26,29 @@
 #ifndef _TLS_UTIL_H
 #define _TLS_UTIL_H
 
+#include <openssl/ssl.h>
 #include <openssl/err.h>
 #include "../../core/dprint.h"
 #include "../../core/str.h"
 #include "tls_domain.h"
 
-static inline int tls_err_ret(char *s, tls_domains_cfg_t **tls_domains_cfg) {
+static inline int tls_err_ret(char *s, SSL* ssl,
+		tls_domains_cfg_t **tls_domains_cfg)
+{
 	long err;
 	int ret = 0;
+	const char *sn = NULL;
+
 	if ((*tls_domains_cfg)->srv_default->ctx &&
 		(*tls_domains_cfg)->srv_default->ctx[0])
 	{
+		if(ssl) {
+			sn = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
+		}
 		while((err = ERR_get_error())) {
 			ret = 1;
-			ERR("%s%s\n", s ? s : "", ERR_error_string(err, 0));
+			ERR("%s%s (sni: %s)\n", s ? s : "", ERR_error_string(err, 0),
+					(sn) ? sn : "unknown");
 		}
 	}
 	return ret;
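Review bot: The string returned by `SSL_get_servername()` and printed with `%s` is the peer-supplied SNI from the ClientHello, so an unauthenticated client now controls bytes written into the error log. OpenSSL rejects embedded NUL bytes in the extension but, to my knowledge, does not restrict CR/LF or other control characters, so a crafted name could inject fake log lines or terminal escapes into whatever consumes the log; the name should be copied into a bounded local buffer with non-printable bytes replaced before it is logged (needs `<ctype.h>`). A secondary point: callers that pass NULL (`TLS_ERR`, `TLS_ERR_RET`) now get "(sni: unknown)" appended even for errors with no connection at all, so appending the suffix only when `ssl` is non-NULL would keep those messages as they were.

```c
static inline int tls_err_ret(char *s, SSL* ssl,
		tls_domains_cfg_t **tls_domains_cfg)
{
	long err;
	int ret = 0;
	const char *sn = NULL;
	char snbuf[256];
	size_t i;

	if ((*tls_domains_cfg)->srv_default->ctx &&
		(*tls_domains_cfg)->srv_default->ctx[0])
	{
		if(ssl) {
			sn = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
		}
		if(sn) {
			/* SNI is attacker-controlled input: bound its length and
			 * neutralise non-printable bytes before it reaches the log */
			for(i = 0; i < sizeof(snbuf) - 1 && sn[i] != '\0'; i++) {
				snbuf[i] = isprint((unsigned char)sn[i]) ? sn[i] : '?';
			}
			snbuf[i] = '\0';
			sn = snbuf;
		}
		/* … unchanged: ERR_get_error() loop printing s, the error string and sn … */
	}
	return ret;
}
```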
@@ -47,15 +56,19 @@ static inline int tls_err_ret(char *s, tls_domains_cfg_t **tls_domains_cfg) {
 
 #define TLS_ERR_RET(r, s) \
 do { \
-	(r) = tls_err_ret((s), tls_domains_cfg); \
+	(r) = tls_err_ret((s), NULL, tls_domains_cfg); \
 } while(0)
 
 
 #define TLS_ERR(s) \
 do { \
-	tls_err_ret((s), tls_domains_cfg); \
+	tls_err_ret((s), NULL, tls_domains_cfg); \
 } while(0)
 
+#define TLS_ERR_SSL(s, ssl) \
+do { \
+	tls_err_ret((s), (ssl), tls_domains_cfg); \
+} while(0)
 
 /*
  * Make a shared memory copy of ASCII zero terminated string
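Review bot: The new `TLS_ERR_SSL` macro has no comment distinguishing it from `TLS_ERR`, and nothing says that the `ssl` argument may be NULL (tls_err_ret guards it, and tls_complete_init passes a possibly-NULL `data->ssl`). I would add `/* like TLS_ERR(), but also logs the SNI of ssl; ssl may be NULL */` above the `#define`. It would also be worth noting on `TLS_ERR`/`TLS_ERR_RET` that they now pass NULL and therefore print "(sni: unknown)" on every line, since callers reading the log may otherwise assume an SNI lookup was attempted.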



