[Asterisk-code-review] tcptls.c: Log more informative OpenSSL errors (asterisk[17])
George Joseph
asteriskteam at digium.com
Fri Feb 21 09:01:43 CST 2020
George Joseph has submitted this change. ( https://gerrit.asterisk.org/c/asterisk/+/13826 )
Change subject: tcptls.c: Log more informative OpenSSL errors
......................................................................
tcptls.c: Log more informative OpenSSL errors
Dump OpenSSL's error stack to the error log when things fail.
ASTERISK-28750 #close
Reported by: Martin Zeh
Change-Id: Ib63cd0df20275586e68ac4c2ddad222ed7bd9c0a
---
M main/tcptls.c
1 file changed, 29 insertions(+), 0 deletions(-)
Approvals:
Benjamin Keith Ford: Looks good to me, but someone else must approve
George Joseph: Looks good to me, approved; Approved for Submit
diff --git a/main/tcptls.c b/main/tcptls.c
index be07e2d..c9ebeb9 100644
--- a/main/tcptls.c
+++ b/main/tcptls.c
@@ -37,6 +37,7 @@
#ifdef DO_SSL
#include <openssl/asn1.h> /* for ASN1_STRING_to_UTF8 */
#include <openssl/crypto.h> /* for OPENSSL_free */
+#include <openssl/err.h> /* for ERR_print_errors_fp */
#include <openssl/opensslconf.h> /* for OPENSSL_NO_SSL3_METHOD, OPENS... */
#include <openssl/opensslv.h> /* for OPENSSL_VERSION_NUMBER */
#include <openssl/safestack.h> /* for STACK_OF */
@@ -106,6 +107,27 @@
return ret;
}
+
+static void write_openssl_error_to_log(void)
+{
+ FILE *fp;
+ char *buffer;
+ size_t length;
+
+ fp = open_memstream(&buffer, &length);
+ if (!fp) {
+ return;
+ }
+
+ ERR_print_errors_fp(fp);
+ fclose(fp);
+
+ if (length) {
+ ast_log(LOG_ERROR, "%.*s\n", (int) length, buffer);
+ }
+
+ ast_free(buffer);
+}
#endif
/*! \brief
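Review bot: `buffer` is allocated by `open_memstream()` through the C library's allocator, but the last line of `write_openssl_error_to_log()` releases it with `ast_free()`; under MALLOC_DEBUG that wrapper expects memory obtained from Asterisk's own allocation functions, so `ast_std_free(buffer);` is the matching release. The return value of `fclose(fp)` is ignored, yet for a memstream the close is what finalizes `buffer` and `length`, so a failed close should return before either is read. The `"%.*s\n"` format adds a newline to output that `ERR_print_errors_fp()` already terminates per line, leaving an empty line at the end of each dump. `open_memstream()` is POSIX.1-2008 and has not been available on every platform Asterisk builds on, which may call for a configure probe if one does not already exist.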
@@ -345,10 +367,13 @@
if (access(cert_file, F_OK) == 0) {
if (SSL_CTX_use_certificate_chain_file(cfg->ssl_ctx, cert_file) == 0) {
ast_log(LOG_WARNING, "TLS/SSL error loading public %s key (certificate) from <%s>.\n", key_type, cert_file);
+ write_openssl_error_to_log();
} else if (SSL_CTX_use_PrivateKey_file(cfg->ssl_ctx, cert_file, SSL_FILETYPE_PEM) == 0) {
ast_log(LOG_WARNING, "TLS/SSL error loading private %s key from <%s>.\n", key_type, cert_file);
+ write_openssl_error_to_log();
} else if (SSL_CTX_check_private_key(cfg->ssl_ctx) == 0) {
ast_log(LOG_WARNING, "TLS/SSL error matching private %s key and certificate in <%s>.\n", key_type, cert_file);
+ write_openssl_error_to_log();
}
}
}
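Review bot: The OpenSSL details for the three failures in this hunk are emitted at LOG_ERROR by the helper, while the message logged immediately before each new call is LOG_WARNING, so one failure is reported at two severities; a level parameter (`static void write_openssl_error_to_log(int level)` with `ast_log(level, "%.*s\n", ...)`) would keep them aligned. `ERR_print_errors_fp()` drains the thread's whole OpenSSL error queue, so unless it is cleared elsewhere, errors left by earlier successful operations would be attributed to this failure; an `ERR_clear_error();` before the first `SSL_CTX_*` call in each block makes the dump reflect only the failing call. The same applies to the single-line additions in the later hunks of this file (the cert file, private key, cipher list and CA location failure paths). The enclosing function begins before this hunk.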
@@ -451,6 +476,7 @@
if (!client) {
/* Clients don't need a certificate, but if its setup we can use it */
ast_log(LOG_ERROR, "TLS/SSL error loading cert file. <%s>\n", cfg->certfile);
+ write_openssl_error_to_log();
cfg->enabled = 0;
SSL_CTX_free(cfg->ssl_ctx);
cfg->ssl_ctx = NULL;
@@ -461,6 +487,7 @@
if (!client) {
/* Clients don't need a private key, but if its setup we can use it */
ast_log(LOG_ERROR, "TLS/SSL error loading private key file. <%s>\n", tmpprivate);
+ write_openssl_error_to_log();
cfg->enabled = 0;
SSL_CTX_free(cfg->ssl_ctx);
cfg->ssl_ctx = NULL;
@@ -483,6 +510,7 @@
if (SSL_CTX_set_cipher_list(cfg->ssl_ctx, cfg->cipher) == 0 ) {
if (!client) {
ast_log(LOG_ERROR, "TLS/SSL cipher error <%s>\n", cfg->cipher);
+ write_openssl_error_to_log();
cfg->enabled = 0;
SSL_CTX_free(cfg->ssl_ctx);
cfg->ssl_ctx = NULL;
@@ -493,6 +521,7 @@
if (!ast_strlen_zero(cfg->cafile) || !ast_strlen_zero(cfg->capath)) {
if (SSL_CTX_load_verify_locations(cfg->ssl_ctx, S_OR(cfg->cafile, NULL), S_OR(cfg->capath,NULL)) == 0) {
ast_log(LOG_ERROR, "TLS/SSL CA file(%s)/path(%s) error\n", cfg->cafile, cfg->capath);
+ write_openssl_error_to_log();
}
}
--
To view, visit https://gerrit.asterisk.org/c/asterisk/+/13826
Gerrit-Project: asterisk
Gerrit-Branch: 17
Gerrit-Change-Id: Ib63cd0df20275586e68ac4c2ddad222ed7bd9c0a
Gerrit-Change-Number: 13826
Gerrit-PatchSet: 1
Gerrit-Owner: Sean Bright <sean.bright at gmail.com>
Gerrit-Reviewer: Benjamin Keith Ford <bford at digium.com>
Gerrit-Reviewer: Friendly Automation
Gerrit-Reviewer: George Joseph <gjoseph at digium.com>
Gerrit-MessageType: merged