tls: improve TLS handshake error message (#4561)

* openssl/tls: log handshake error. Signed-off-by: Phillip Whelan <[email protected]> * tls: use ERR_error_string_n over ERR_error_string. Signed-off-by: Phillip Whelan <[email protected]> * tls: reformat multiline comment to align to 80 columns. Signed-off-by: Phillip Whelan <[email protected]>
fluent · Mar 11, 2022 · da871ff · da871ff
1 parent a031dac
commit da871ff
Showing 1 changed file with 30 additions and 14 deletions.
diff --git a/src/tls/openssl.c b/src/tls/openssl.c
@@ -68,6 +68,8 @@ static int tls_init(void)
     OPENSSL_add_all_algorithms_noconf();
     SSL_load_error_strings();
     SSL_library_init();
+#else
+    SSL_load_error_strings();
 #endif
     return 0;
 }
@@ -214,6 +216,7 @@ static void *tls_context_create(int verify, int debug,
     int ret;
     SSL_CTX *ssl_ctx;
     struct tls_context *ctx;
+    char err_buf[256];
 
     /*
      * Init library ? based in the documentation on OpenSSL >= 1.1.0 is not longer
@@ -260,20 +263,18 @@ static void *tls_context_create(int verify, int debug,
     if (ca_path) {
         ret = SSL_CTX_load_verify_locations(ctx->ctx, NULL, ca_path);
         if (ret != 1) {
-            flb_error("[tls] ca_path'%s' %lu: %s",
-                      ca_path,
-                      ERR_get_error(),
-                      ERR_error_string(ERR_get_error(), NULL));
+            ERR_error_string_n(ERR_get_error(), err_buf, sizeof(err_buf)-1);
+            flb_error("[tls] ca_path '%s' %lu: %s",
+                      ca_path, ERR_get_error(), err_buf);
             goto error;
         }
     }
     else if (ca_file) {
         ret = SSL_CTX_load_verify_locations(ctx->ctx, ca_file, NULL);
         if (ret != 1) {
+            ERR_error_string_n(ERR_get_error(), err_buf, sizeof(err_buf)-1);
             flb_error("[tls] ca_file '%s' %lu: %s",
-                      ca_file,
-                      ERR_get_error(),
-                      ERR_error_string(ERR_get_error(), NULL));
+                      ca_file, ERR_get_error(), err_buf);
             goto error;
         }
     }
@@ -284,11 +285,10 @@ static void *tls_context_create(int verify, int debug,
     /* crt_file */
     if (crt_file) {
         ret = SSL_CTX_use_certificate_chain_file(ssl_ctx, crt_file);
-		if (ret != 1) {
+        if (ret != 1) {
+            ERR_error_string_n(ERR_get_error(), err_buf, sizeof(err_buf)-1);
             flb_error("[tls] crt_file '%s' %lu: %s",
-                      crt_file,
-                      ERR_get_error(),
-                      ERR_error_string(ERR_get_error(), NULL));
+                      crt_file, ERR_get_error(), err_buf);
             goto error;
         }
     }
@@ -302,10 +302,9 @@ static void *tls_context_create(int verify, int debug,
         ret = SSL_CTX_use_PrivateKey_file(ssl_ctx, key_file,
                                           SSL_FILETYPE_PEM);
         if (ret != 1) {
+            ERR_error_string_n(ERR_get_error(), err_buf, sizeof(err_buf)-1);
             flb_error("[tls] key_file '%s' %lu: %s",
-                      key_file,
-                      ERR_get_error(),
-                      ERR_error_string(ERR_get_error(), NULL));
+                      crt_file, ERR_get_error(), err_buf);
         }
 
         /* Make sure the key and certificate file match */
@@ -395,6 +394,7 @@ static int tls_net_read(struct flb_upstream_conn *u_conn,
                         void *buf, size_t len)
 {
     int ret;
+    char err_buf[256];
     struct tls_session *session = (struct tls_session *) u_conn->tls_session;
     struct tls_context *ctx;
 
@@ -411,6 +411,10 @@ static int tls_net_read(struct flb_upstream_conn *u_conn,
         else if (ret == SSL_ERROR_WANT_WRITE) {
             ret = FLB_TLS_WANT_WRITE;
         }
+        else if (ret < 0) {
+            ERR_error_string_n(ret, err_buf, sizeof(err_buf)-1);
+            flb_error("[tls] error: %s", err_buf);
+        }
         else {
             ret = -1;
         }
@@ -424,6 +428,7 @@ static int tls_net_write(struct flb_upstream_conn *u_conn,
                          const void *data, size_t len)
 {
     int ret;
+    char err_buf[256];
     size_t total = 0;
     struct tls_session *session = (struct tls_session *) u_conn->tls_session;
     struct tls_context *ctx;
@@ -444,6 +449,8 @@ static int tls_net_write(struct flb_upstream_conn *u_conn,
             ret = FLB_TLS_WANT_READ;
         }
         else {
+            ERR_error_string_n(ret, err_buf, sizeof(err_buf)-1);
+            flb_error("[tls] error: %s", err_buf);
             ret = -1;
         }
     }
@@ -457,6 +464,7 @@ static int tls_net_write(struct flb_upstream_conn *u_conn,
 static int tls_net_handshake(struct flb_tls *tls, void *ptr_session)
 {
     int ret = 0;
+    char err_buf[256];
     struct tls_session *session = ptr_session;
     struct tls_context *ctx;
 
@@ -474,6 +482,14 @@ static int tls_net_handshake(struct flb_tls *tls, void *ptr_session)
         if (ret != SSL_ERROR_WANT_READ &&
             ret != SSL_ERROR_WANT_WRITE) {
             ret = SSL_get_error(session->ssl, ret);
+            // The SSL_ERROR_SYSCALL with errno value of 0 indicates unexpected
+            //  EOF from the peer. This is fixed in OpenSSL 3.0.
+            if (ret == 0) {
+            	flb_error("[tls] error: unexpected EOF");
+            } else {
+                ERR_error_string_n(ret, err_buf, sizeof(err_buf)-1);
+                flb_error("[tls] error: %s", err_buf);
+            }
             pthread_mutex_unlock(&ctx->mutex);
             return -1;
         }