<p>George Joseph <strong>submitted</strong> this change.</p><p><a href="https://gerrit.asterisk.org/c/asterisk/+/13827">View Change</a></p><div style="white-space:pre-wrap">Approvals:
Benjamin Keith Ford: Looks good to me, but someone else must approve
George Joseph: Looks good to me, approved; Approved for Submit
</div><pre style="font-family: monospace,monospace; white-space: pre-wrap;">tcptls.c: Log more informative OpenSSL errors<br><br>Dump OpenSSL's error stack to the error log when things fail.<br><br>ASTERISK-28750 #close<br>Reported by: Martin Zeh<br><br>Change-Id: Ib63cd0df20275586e68ac4c2ddad222ed7bd9c0a<br>---<br>M main/tcptls.c<br>1 file changed, 29 insertions(+), 0 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/main/tcptls.c b/main/tcptls.c</span><br><span>index be07e2d..c9ebeb9 100644</span><br><span>--- a/main/tcptls.c</span><br><span>+++ b/main/tcptls.c</span><br><span>@@ -37,6 +37,7 @@</span><br><span> #ifdef DO_SSL</span><br><span> #include <openssl/asn1.h> /* for ASN1_STRING_to_UTF8 */</span><br><span> #include <openssl/crypto.h> /* for OPENSSL_free */</span><br><span style="color: hsl(120, 100%, 40%);">+#include <openssl/err.h> /* for ERR_print_errors_fp */</span><br><span> #include <openssl/opensslconf.h> /* for OPENSSL_NO_SSL3_METHOD, OPENS... */</span><br><span> #include <openssl/opensslv.h> /* for OPENSSL_VERSION_NUMBER */</span><br><span> #include <openssl/safestack.h> /* for STACK_OF */</span><br><span>@@ -106,6 +107,27 @@</span><br><span> </span><br><span> return ret;</span><br><span> }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+static void write_openssl_error_to_log(void)</span><br><span style="color: hsl(120, 100%, 40%);">+{</span><br><span style="color: hsl(120, 100%, 40%);">+ FILE *fp;</span><br><span style="color: hsl(120, 100%, 40%);">+ char *buffer;</span><br><span style="color: hsl(120, 100%, 40%);">+ size_t length;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ fp = open_memstream(&buffer, &length);</span><br><span style="color: hsl(120, 100%, 40%);">+ if (!fp) {</span><br><span style="color: hsl(120, 100%, 40%);">+ return;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ ERR_print_errors_fp(fp);</span><br><span style="color: hsl(120, 100%, 40%);">+ fclose(fp);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ if (length) {</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_log(LOG_ERROR, "%.*s\n", (int) length, buffer);</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_free(buffer);</span><br><span style="color: hsl(120, 100%, 40%);">+}</span><br><span> #endif</span><br><span> </span><br><span> /*! \brief</span><br><span>@@ -345,10 +367,13 @@</span><br><span> if (access(cert_file, F_OK) == 0) {</span><br><span> if (SSL_CTX_use_certificate_chain_file(cfg->ssl_ctx, cert_file) == 0) {</span><br><span> ast_log(LOG_WARNING, "TLS/SSL error loading public %s key (certificate) from <%s>.\n", key_type, cert_file);</span><br><span style="color: hsl(120, 100%, 40%);">+ write_openssl_error_to_log();</span><br><span> } else if (SSL_CTX_use_PrivateKey_file(cfg->ssl_ctx, cert_file, SSL_FILETYPE_PEM) == 0) {</span><br><span> ast_log(LOG_WARNING, "TLS/SSL error loading private %s key from <%s>.\n", key_type, cert_file);</span><br><span style="color: hsl(120, 100%, 40%);">+ write_openssl_error_to_log();</span><br><span> } else if (SSL_CTX_check_private_key(cfg->ssl_ctx) == 0) {</span><br><span> ast_log(LOG_WARNING, "TLS/SSL error matching private %s key and certificate in <%s>.\n", key_type, cert_file);</span><br><span style="color: hsl(120, 100%, 40%);">+ write_openssl_error_to_log();</span><br><span> }</span><br><span> }</span><br><span> }</span><br><span>@@ -451,6 +476,7 @@</span><br><span> if (!client) {</span><br><span> /* Clients don't need a certificate, but if its setup we can use it */</span><br><span> ast_log(LOG_ERROR, "TLS/SSL error loading cert file. <%s>\n", cfg->certfile);</span><br><span style="color: hsl(120, 100%, 40%);">+ write_openssl_error_to_log();</span><br><span> cfg->enabled = 0;</span><br><span> SSL_CTX_free(cfg->ssl_ctx);</span><br><span> cfg->ssl_ctx = NULL;</span><br><span>@@ -461,6 +487,7 @@</span><br><span> if (!client) {</span><br><span> /* Clients don't need a private key, but if its setup we can use it */</span><br><span> ast_log(LOG_ERROR, "TLS/SSL error loading private key file. <%s>\n", tmpprivate);</span><br><span style="color: hsl(120, 100%, 40%);">+ write_openssl_error_to_log();</span><br><span> cfg->enabled = 0;</span><br><span> SSL_CTX_free(cfg->ssl_ctx);</span><br><span> cfg->ssl_ctx = NULL;</span><br><span>@@ -483,6 +510,7 @@</span><br><span> if (SSL_CTX_set_cipher_list(cfg->ssl_ctx, cfg->cipher) == 0 ) {</span><br><span> if (!client) {</span><br><span> ast_log(LOG_ERROR, "TLS/SSL cipher error <%s>\n", cfg->cipher);</span><br><span style="color: hsl(120, 100%, 40%);">+ write_openssl_error_to_log();</span><br><span> cfg->enabled = 0;</span><br><span> SSL_CTX_free(cfg->ssl_ctx);</span><br><span> cfg->ssl_ctx = NULL;</span><br><span>@@ -493,6 +521,7 @@</span><br><span> if (!ast_strlen_zero(cfg->cafile) || !ast_strlen_zero(cfg->capath)) {</span><br><span> if (SSL_CTX_load_verify_locations(cfg->ssl_ctx, S_OR(cfg->cafile, NULL), S_OR(cfg->capath,NULL)) == 0) {</span><br><span> ast_log(LOG_ERROR, "TLS/SSL CA file(%s)/path(%s) error\n", cfg->cafile, cfg->capath);</span><br><span style="color: hsl(120, 100%, 40%);">+ write_openssl_error_to_log();</span><br><span> }</span><br><span> }</span><br><span> </span><br><span></span><br></pre><p>To view, visit <a href="https://gerrit.asterisk.org/c/asterisk/+/13827">change 13827</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://gerrit.asterisk.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.asterisk.org/c/asterisk/+/13827"/><meta itemprop="name" content="View Change"/></div></div>
<div style="display:none"> Gerrit-Project: asterisk </div>
<div style="display:none"> Gerrit-Branch: master </div>
<div style="display:none"> Gerrit-Change-Id: Ib63cd0df20275586e68ac4c2ddad222ed7bd9c0a </div>
<div style="display:none"> Gerrit-Change-Number: 13827 </div>
<div style="display:none"> Gerrit-PatchSet: 1 </div>
<div style="display:none"> Gerrit-Owner: Sean Bright <sean.bright@gmail.com> </div>
<div style="display:none"> Gerrit-Reviewer: Benjamin Keith Ford <bford@digium.com> </div>
<div style="display:none"> Gerrit-Reviewer: Friendly Automation </div>
<div style="display:none"> Gerrit-Reviewer: George Joseph <gjoseph@digium.com> </div>
<div style="display:none"> Gerrit-MessageType: merged </div>