[sr-dev] git:master:e2cc98eb: tls: try to print sni on tls error
Daniel-Constantin Mierla
miconda at gmail.com
Mon Nov 22 09:01:57 CET 2021
Module: kamailio
Branch: master
Commit: e2cc98eb5aca42b82eb18c35adfa2d16ff4a3f60
URL: https://github.com/kamailio/kamailio/commit/e2cc98eb5aca42b82eb18c35adfa2d16ff4a3f60
Author: Daniel-Constantin Mierla <miconda at gmail.com>
Committer: Daniel-Constantin Mierla <miconda at gmail.com>
Date: 2021-11-22T09:01:09+01:00
tls: try to print sni on tls error
---
Modified: src/modules/tls/tls_server.c
Modified: src/modules/tls/tls_util.h
---
Diff: https://github.com/kamailio/kamailio/commit/e2cc98eb5aca42b82eb18c35adfa2d16ff4a3f60.diff
Patch: https://github.com/kamailio/kamailio/commit/e2cc98eb5aca42b82eb18c35adfa2d16ff4a3f60.patch
---
diff --git a/src/modules/tls/tls_server.c b/src/modules/tls/tls_server.c
index f75b111168..7004096adf 100644
--- a/src/modules/tls/tls_server.c
+++ b/src/modules/tls/tls_server.c
@@ -285,7 +285,7 @@ static int tls_complete_init(struct tcp_connection* c)
data->state = state;
if (unlikely(data->ssl == 0 || data->rwbio == 0)) {
- TLS_ERR("Failed to create SSL or BIO structure:");
+ TLS_ERR_SSL("Failed to create SSL or BIO structure:", data->ssl);
if (data->ssl)
SSL_free(data->ssl);
if (data->rwbio)
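Review bot: Passing `data->ssl` to `TLS_ERR_SSL` in this early-failure path cannot produce a useful name: when `SSL_new` failed the pointer is NULL, and when only the BIO allocation failed the freshly created SSL object has not seen a ClientHello, so on the server side `SSL_get_servername` will, as far as I can tell, return NULL and the line will always end in `(sni: unknown)`. Keeping the original `TLS_ERR("Failed to create SSL or BIO structure:");` avoids a suffix that suggests information the code could not have had. If a client-side hostname is set on the object before this point, that is not visible in the hunk and would change the assessment. The enclosing function continues outside the hunk.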
@@ -446,7 +446,7 @@ EVP_PKEY * tls_lookup_private_key(SSL_CTX*);
int tls_accept(struct tcp_connection *c, int* error)
{
int ret;
- SSL *ssl;
+ SSL *ssl = NULL;
X509* cert;
struct tls_extra_data* tls_c;
int tls_log;
@@ -792,7 +792,7 @@ int tls_h_encode_f(struct tcp_connection *c,
snd_flags_t* send_flags)
{
int n, offs;
- SSL* ssl;
+ SSL* ssl = NULL;
struct tls_extra_data* tls_c;
static unsigned char wr_buf[TLS_WR_MBUF_SZ];
struct tls_mbuf rd, wr;
@@ -929,7 +929,7 @@ int tls_h_encode_f(struct tcp_connection *c,
case SSL_ERROR_SSL:
/* protocol level error */
ERR("protocol level error\n");
- TLS_ERR(err_src);
+ TLS_ERR_SSL(err_src, ssl);
memset(ip_buf, 0, sizeof(buf));
ip_addr2sbuf(&(c->rcv.src_ip), ip_buf, sizeof(ip_buf));
ERR("source IP: %s\n", ip_buf);
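Review bot: The `memset(ip_buf, 0, sizeof(buf));` two lines below the new `TLS_ERR_SSL` call sizes the clear by `buf` rather than `ip_buf`, while the matching site in tls_h_read_f later in this patch uses `sizeof(ip_buf)`. If `buf` is a pointer the memset is merely short, which is harmless because `ip_addr2sbuf` is bounded by `sizeof(ip_buf)`, but if `buf` is a local array larger than `ip_buf` this writes past the end of `ip_buf` on the stack; `buf`'s declaration is not visible from this hunk. Either way the line should read `memset(ip_buf, 0, sizeof(ip_buf));`. The enclosing switch and function extend beyond this hunk.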
@@ -970,7 +970,7 @@ int tls_h_encode_f(struct tcp_connection *c,
}
goto error;
default:
- TLS_ERR(err_src);
+ TLS_ERR_SSL(err_src, ssl);
BUG("unexpected SSL error %d\n", ssl_error);
goto bug;
}
@@ -1053,6 +1053,7 @@ int tls_h_read_f(struct tcp_connection* c, rd_conn_flags_t* flags)
int x;
int tls_dbg;
+ ssl = NULL;
TLS_RD_TRACE("(%p, %p (%d)) start (%s -> %s:%d*)\n",
c, flags, *flags,
su2a(&c->rcv.src_su, sizeof(c->rcv.src_su)),
@@ -1327,7 +1328,7 @@ int tls_h_read_f(struct tcp_connection* c, rd_conn_flags_t* flags)
case SSL_ERROR_SSL:
/* protocol level error */
ERR("protocol level error\n");
- TLS_ERR(err_src);
+ TLS_ERR_SSL(err_src, ssl);
memset(ip_buf, 0, sizeof(ip_buf));
ip_addr2sbuf(&(c->rcv.src_ip), ip_buf, sizeof(ip_buf));
ERR("src addr: %s:%d\n", ip_buf, c->rcv.src_port);
@@ -1368,7 +1369,7 @@ int tls_h_read_f(struct tcp_connection* c, rd_conn_flags_t* flags)
}
goto error;
default:
- TLS_ERR(err_src);
+ TLS_ERR_SSL(err_src, ssl);
BUG("unexpected SSL error %d\n", ssl_error);
goto bug;
}
diff --git a/src/modules/tls/tls_util.h b/src/modules/tls/tls_util.h
index 8ff63dd0f1..86e036cce9 100644
--- a/src/modules/tls/tls_util.h
+++ b/src/modules/tls/tls_util.h
@@ -26,20 +26,29 @@
#ifndef _TLS_UTIL_H
#define _TLS_UTIL_H
+#include <openssl/ssl.h>
#include <openssl/err.h>
#include "../../core/dprint.h"
#include "../../core/str.h"
#include "tls_domain.h"
-static inline int tls_err_ret(char *s, tls_domains_cfg_t **tls_domains_cfg) {
+static inline int tls_err_ret(char *s, SSL* ssl,
+ tls_domains_cfg_t **tls_domains_cfg)
+{
long err;
int ret = 0;
+ const char *sn = NULL;
+
if ((*tls_domains_cfg)->srv_default->ctx &&
(*tls_domains_cfg)->srv_default->ctx[0])
{
+ if(ssl) {
+ sn = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
+ }
while((err = ERR_get_error())) {
ret = 1;
- ERR("%s%s\n", s ? s : "", ERR_error_string(err, 0));
+ ERR("%s%s (sni: %s)\n", s ? s : "", ERR_error_string(err, 0),
+ (sn) ? sn : "unknown");
}
}
return ret;
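Review bot: The `sn` string interpolated into the new `ERR("%s%s (sni: %s)\n", ...)` line is peer-supplied text from the ClientHello, and this path runs precisely when a peer has provoked a TLS protocol error, so an attacker chooses bytes that go straight into the log; OpenSSL rejects an embedded NUL in the server_name extension but, as far as I know, passes other control bytes such as newlines and escape sequences through, which allows forged log lines or terminal-escape injection in whatever consumes the log. The name should be copied into a bounded buffer with non-printable bytes neutralized before it reaches `ERR`, as sketched below; a DNS name is at most 255 bytes, so a 256-byte stack buffer holds any legitimate value and truncates anything longer. Separately, `ERR_error_string(err, 0)` formats into a static buffer; `ERR_error_string_n` with a local buffer is the form OpenSSL recommends, though under Kamailio's process model this is mainly a hygiene point. The function's closing brace lies outside the hunk.
```c
	long err;
	int ret = 0;
	const char *sn = NULL;
	char snbuf[256]; /* a DNS name is at most 255 bytes */
	size_t i;

	/* … unchanged: srv_default->ctx check and SSL_get_servername call … */
		if(sn) {
			/* SNI is peer-supplied: bound it and neutralize control bytes
			 * so a crafted ClientHello cannot forge log lines */
			for(i = 0; i < sizeof(snbuf) - 1 && sn[i] != '\0'; i++) {
				snbuf[i] = (sn[i] >= 0x20 && sn[i] < 0x7f) ? sn[i] : '?';
			}
			snbuf[i] = '\0';
			sn = snbuf;
		}
	/* … unchanged: ERR_get_error loop printing sn … */
```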
@@ -47,15 +56,19 @@ static inline int tls_err_ret(char *s, tls_domains_cfg_t **tls_domains_cfg) {
#define TLS_ERR_RET(r, s) \
do { \
- (r) = tls_err_ret((s), tls_domains_cfg); \
+ (r) = tls_err_ret((s), NULL, tls_domains_cfg); \
} while(0)
#define TLS_ERR(s) \
do { \
- tls_err_ret((s), tls_domains_cfg); \
+ tls_err_ret((s), NULL, tls_domains_cfg); \
} while(0)
+#define TLS_ERR_SSL(s, ssl) \
+do { \
+ tls_err_ret((s), (ssl), tls_domains_cfg); \
+} while(0)
/*
* Make a shared memory copy of ASCII zero terminated string