From da871ff712dde152c5325257808e997f336dadc4 Mon Sep 17 00:00:00 2001 From: Phillip Whelan Date: Fri, 11 Mar 2022 06:31:23 -0300 Subject: [PATCH] tls: improve TLS handshake error message (#4561) * openssl/tls: log handshake error. Signed-off-by: Phillip Whelan * tls: use ERR_error_string_n over ERR_error_string. Signed-off-by: Phillip Whelan * tls: reformat multiline comment to align to 80 columns. Signed-off-by: Phillip Whelan --- src/tls/openssl.c | 44 ++++++++++++++++++++++++++++++-------------- 1 file changed, 30 insertions(+), 14 deletions(-) diff --git a/src/tls/openssl.c b/src/tls/openssl.c index f974f3db165..b78bc83e2fd 100644 --- a/src/tls/openssl.c +++ b/src/tls/openssl.c @@ -68,6 +68,8 @@ static int tls_init(void) OPENSSL_add_all_algorithms_noconf(); SSL_load_error_strings(); SSL_library_init(); +#else + SSL_load_error_strings(); #endif return 0; } @@ -214,6 +216,7 @@ static void *tls_context_create(int verify, int debug, int ret; SSL_CTX *ssl_ctx; struct tls_context *ctx; + char err_buf[256]; /* * Init library ? based in the documentation on OpenSSL >= 1.1.0 is not longer @@ -260,20 +263,18 @@ static void *tls_context_create(int verify, int debug, if (ca_path) { ret = SSL_CTX_load_verify_locations(ctx->ctx, NULL, ca_path); if (ret != 1) { - flb_error("[tls] ca_path'%s' %lu: %s", - ca_path, - ERR_get_error(), - ERR_error_string(ERR_get_error(), NULL)); + ERR_error_string_n(ERR_get_error(), err_buf, sizeof(err_buf)-1); + flb_error("[tls] ca_path '%s' %lu: %s", + ca_path, ERR_get_error(), err_buf); goto error; } } else if (ca_file) { ret = SSL_CTX_load_verify_locations(ctx->ctx, ca_file, NULL); if (ret != 1) { + ERR_error_string_n(ERR_get_error(), err_buf, sizeof(err_buf)-1); flb_error("[tls] ca_file '%s' %lu: %s", - ca_file, - ERR_get_error(), - ERR_error_string(ERR_get_error(), NULL)); + ca_file, ERR_get_error(), err_buf); goto error; } } @@ -284,11 +285,10 @@ static void *tls_context_create(int verify, int debug, /* crt_file */ if (crt_file) { ret = SSL_CTX_use_certificate_chain_file(ssl_ctx, crt_file); - if (ret != 1) { + if (ret != 1) { + ERR_error_string_n(ERR_get_error(), err_buf, sizeof(err_buf)-1); flb_error("[tls] crt_file '%s' %lu: %s", - crt_file, - ERR_get_error(), - ERR_error_string(ERR_get_error(), NULL)); + crt_file, ERR_get_error(), err_buf); goto error; } } @@ -302,10 +302,9 @@ static void *tls_context_create(int verify, int debug, ret = SSL_CTX_use_PrivateKey_file(ssl_ctx, key_file, SSL_FILETYPE_PEM); if (ret != 1) { + ERR_error_string_n(ERR_get_error(), err_buf, sizeof(err_buf)-1); flb_error("[tls] key_file '%s' %lu: %s", - key_file, - ERR_get_error(), - ERR_error_string(ERR_get_error(), NULL)); + crt_file, ERR_get_error(), err_buf); } /* Make sure the key and certificate file match */ @@ -395,6 +394,7 @@ static int tls_net_read(struct flb_upstream_conn *u_conn, void *buf, size_t len) { int ret; + char err_buf[256]; struct tls_session *session = (struct tls_session *) u_conn->tls_session; struct tls_context *ctx; @@ -411,6 +411,10 @@ static int tls_net_read(struct flb_upstream_conn *u_conn, else if (ret == SSL_ERROR_WANT_WRITE) { ret = FLB_TLS_WANT_WRITE; } + else if (ret < 0) { + ERR_error_string_n(ret, err_buf, sizeof(err_buf)-1); + flb_error("[tls] error: %s", err_buf); + } else { ret = -1; } @@ -424,6 +428,7 @@ static int tls_net_write(struct flb_upstream_conn *u_conn, const void *data, size_t len) { int ret; + char err_buf[256]; size_t total = 0; struct tls_session *session = (struct tls_session *) u_conn->tls_session; struct tls_context *ctx; @@ -444,6 +449,8 @@ static int tls_net_write(struct flb_upstream_conn *u_conn, ret = FLB_TLS_WANT_READ; } else { + ERR_error_string_n(ret, err_buf, sizeof(err_buf)-1); + flb_error("[tls] error: %s", err_buf); ret = -1; } } @@ -457,6 +464,7 @@ static int tls_net_write(struct flb_upstream_conn *u_conn, static int tls_net_handshake(struct flb_tls *tls, void *ptr_session) { int ret = 0; + char err_buf[256]; struct tls_session *session = ptr_session; struct tls_context *ctx; @@ -474,6 +482,14 @@ static int tls_net_handshake(struct flb_tls *tls, void *ptr_session) if (ret != SSL_ERROR_WANT_READ && ret != SSL_ERROR_WANT_WRITE) { ret = SSL_get_error(session->ssl, ret); + // The SSL_ERROR_SYSCALL with errno value of 0 indicates unexpected + // EOF from the peer. This is fixed in OpenSSL 3.0. + if (ret == 0) { + flb_error("[tls] error: unexpected EOF"); + } else { + ERR_error_string_n(ret, err_buf, sizeof(err_buf)-1); + flb_error("[tls] error: %s", err_buf); + } pthread_mutex_unlock(&ctx->mutex); return -1; }