TS-2658: additional SSL certificate logging After a successful SSL handshake, log the peer certificate to the debug log. This is useful for debugging SSL certificate authentication and other SSL connection issues.
Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/7d3f9c82 Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/7d3f9c82 Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/7d3f9c82 Branch: refs/heads/lua_config Commit: 7d3f9c82e32032540908b4413c252c58e87d128c Parents: 6986354 Author: James Peach <[email protected]> Authored: Wed Mar 19 11:21:25 2014 -0700 Committer: James Peach <[email protected]> Committed: Mon Mar 24 16:22:48 2014 -0700 ---------------------------------------------------------------------- CHANGES | 6 ++- iocore/net/P_SSLNetVConnection.h | 2 - iocore/net/SSLNetVConnection.cc | 77 +++++++++++++++++++++-------------- 3 files changed, 50 insertions(+), 35 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/trafficserver/blob/7d3f9c82/CHANGES ---------------------------------------------------------------------- diff --git a/CHANGES b/CHANGES index c6d664f..da8b67e 100644 --- a/CHANGES +++ b/CHANGES @@ -1,10 +1,12 @@ -*- coding: utf-8 -*- Changes with Apache Traffic Server 5.0.0 - + + *) [TS-2658] Additional debug logging for SSL certificates. + *) [TS-2431] Migrate Taobao SPDY plugin to ATS core. *) [TS-2651] atscppapi: race conditions in destruction of async providers - + *) [TS-2646] regex_remap: Add a new option, @caseless. *) [TS-2647] atscppapi: Bug fixes in headers and atscppapi http://git-wip-us.apache.org/repos/asf/trafficserver/blob/7d3f9c82/iocore/net/P_SSLNetVConnection.h ---------------------------------------------------------------------- diff --git a/iocore/net/P_SSLNetVConnection.h b/iocore/net/P_SSLNetVConnection.h index fcb0e8c..47861e4 100644 --- a/iocore/net/P_SSLNetVConnection.h +++ b/iocore/net/P_SSLNetVConnection.h 
@@ -101,8 +101,6 @@ public: virtual ~SSLNetVConnection() { } SSL *ssl; - X509 *client_cert; - X509 *server_cert; static int advertise_next_protocol(SSL * ssl, const unsigned char ** out, unsigned * outlen, void *); static int select_next_protocol(SSL * ssl, const unsigned char ** out, unsigned char * outlen, const unsigned char * in, unsigned inlen, void *); http://git-wip-us.apache.org/repos/asf/trafficserver/blob/7d3f9c82/iocore/net/SSLNetVConnection.cc ---------------------------------------------------------------------- diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc index 3925de9..02f3f4a 100644 --- a/iocore/net/SSLNetVConnection.cc +++ b/iocore/net/SSLNetVConnection.cc @@ -56,6 +56,30 @@ make_ssl_connection(SSL_CTX * ctx, SSLNetVConnection * netvc) return ssl; } +static void +debug_certificate_name(const char * msg, X509_NAME * name) +{ + BIO * bio; + + if (name == NULL) { + return; + } + + bio = BIO_new(BIO_s_mem()); + if (bio == NULL) { + return; + } + + if (X509_NAME_print_ex(bio, name, 0 /* indent */, XN_FLAG_ONELINE) > 0) { + long len; + char * ptr; + len = BIO_get_mem_data(bio, &ptr); + Debug("ssl", "%s %.*s", msg, (int)len, ptr); + } + + BIO_free(bio); +} + static inline int do_SSL_write(SSL * ssl, void *buf, int size) { 
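Review bot: `debug_certificate_name` is undocumented, and its output is the whole distinguished name in RFC 2253 one-line form, not a CN, so a header comment would stop callers labelling it as one. The choice of XN_FLAG_ONELINE also deserves a why-comment: it includes ASN1_STRFLGS_RFC2253, so control and non-ASCII bytes are escaped before the name from the peer's certificate reaches the log, and that property is lost if someone swaps back to X509_NAME_oneline. I would add above the definition `// Log a certificate name (the full DN, not just the CN) under the "ssl" debug tag in RFC 2253 one-line form.` and `// XN_FLAG_ONELINE escapes control and high-bit bytes, which matters because the name is taken from the peer's certificate.` The `(int)len` cast on the Debug line is safe for any realistic DN but a short `// DN lengths are far below INT_MAX` would make the truncation intentional rather than accidental.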
@@ -538,22 +562,18 @@ SSLNetVConnection::sslServerHandShakeEvent(int &err) switch (ssl_error) { case SSL_ERROR_NONE: - Debug("ssl", "handshake completed successfully"); - client_cert = SSL_get_peer_certificate(ssl); - if (client_cert != NULL) { -/* str = X509_NAME_oneline (X509_get_subject_name (client_cert), 0, 0); - Free (str); - - str = X509_NAME_oneline (X509_get_issuer_name (client_cert), 0, 0); - Free (str); - - // Add any extra client cert verification stuff here. SSL - // is set up in SSLNetProcessor::start to automatically verify - // the client cert's CA, if required. -*/ - X509_free(client_cert); + if (is_debug_tag_set("ssl")) { + X509 * cert = SSL_get_peer_certificate(ssl); + + Debug("ssl", "SSL server handshake completed successfully"); + if (cert) { + debug_certificate_name("client certificate subject CN is", X509_get_subject_name(cert)); + debug_certificate_name("client certificate issuer CN is", X509_get_issuer_name(cert)); + X509_free(cert); + } } - sslHandShakeComplete = 1; + + sslHandShakeComplete = true; { const unsigned char * proto = NULL; 
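Review bot: The new messages `"client certificate subject CN is"` and `"client certificate issuer CN is"` are inaccurate, because debug_certificate_name prints the complete subject and issuer names with XN_FLAG_ONELINE, not the CN attribute. I would change the two calls to `debug_certificate_name("client certificate subject is", X509_get_subject_name(cert));` and `debug_certificate_name("client certificate issuer is", X509_get_issuer_name(cert));`. The same wording problem is in the sslClientHandShakeEvent hunk below, whose messages say "server certificate subject CN is" and "server certificate issuer CN is". The enclosing function sslServerHandShakeEvent begins before this hunk.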
@@ -623,23 +643,18 @@ SSLNetVConnection::sslClientHandShakeEvent(int &err) ret = SSL_connect(ssl); switch (SSL_get_error(ssl, ret)) { case SSL_ERROR_NONE: - Debug("ssl", "SSLNetVConnection::sslClientHandShakeEvent, handshake completed successfully"); - server_cert = SSL_get_peer_certificate(ssl); - -/* str = X509_NAME_oneline (X509_get_subject_name (server_cert),0,0); - Free (str); - - str = X509_NAME_oneline (X509_get_issuer_name (server_cert),0,0); - Free (str); -*/ - -/* Add certificate verification stuff here before - deallocating the certificate. -*/ - - X509_free(server_cert); - sslHandShakeComplete = 1; + if (is_debug_tag_set("ssl")) { + X509 * cert = SSL_get_peer_certificate(ssl); + + Debug("ssl", "SSL client handshake completed successfully"); + if (cert) { + debug_certificate_name("server certificate subject CN is", X509_get_subject_name(cert)); + debug_certificate_name("server certificate issuer CN is", X509_get_issuer_name(cert)); + X509_free(cert); + } + } + sslHandShakeComplete = true; return EVENT_DONE; case SSL_ERROR_WANT_WRITE:
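Review bot: The debug-tag check, SSL_get_peer_certificate, the two debug_certificate_name calls and the X509_free are an exact duplicate of the block added to sslServerHandShakeEvent in the previous hunk, differing only in the label strings. Folding it into one static helper beside debug_certificate_name keeps the X509 reference handling (and any later fix to it) in a single place; the sketch below keeps the current messages byte-for-byte so it is independent of any rewording. The enclosing function sslClientHandShakeEvent begins before this hunk.
```cpp
// Log the peer's certificate subject and issuer names when the "ssl" debug tag is set.
static void
debug_peer_certificate(SSL * ssl, const char * subject_msg, const char * issuer_msg)
{
  X509 * cert;

  if (!is_debug_tag_set("ssl")) {
    return;
  }

  // SSL_get_peer_certificate returns an owned reference (or NULL when no certificate was presented).
  cert = SSL_get_peer_certificate(ssl);
  if (cert) {
    debug_certificate_name(subject_msg, X509_get_subject_name(cert));
    debug_certificate_name(issuer_msg, X509_get_issuer_name(cert));
    X509_free(cert);
  }
}

// … unchanged: SSL_connect / SSL_get_error switch in sslClientHandShakeEvent …
  case SSL_ERROR_NONE:
    Debug("ssl", "SSL client handshake completed successfully");
    debug_peer_certificate(ssl, "server certificate subject CN is", "server certificate issuer CN is");
    sslHandShakeComplete = true;
    return EVENT_DONE;
```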
