<p>George Joseph <strong>merged</strong> this change.</p><p><a href="https://gerrit.asterisk.org/c/asterisk/+/11502">View Change</a></p><div style="white-space:pre-wrap">Approvals:
Kevin Harwell: Looks good to me, but someone else must approve
Joshua Colp: Looks good to me, but someone else must approve
George Joseph: Looks good to me, approved; Approved for Submit
</div><pre style="font-family: monospace,monospace; white-space: pre-wrap;">tcptls.c: Add peer hostname and port to some error messages<br><br>Where possble, hostname and port has been added to error<br>messages, mostly on the server side.<br><br>ASTERISK-26006<br>Reported by: Oleksandr Natalenko<br><br>Change-Id: Iff4f897277bc36ce8c5b493b71d0a4a7b74e62f0<br>---<br>M main/tcptls.c<br>1 file changed, 18 insertions(+), 6 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/main/tcptls.c b/main/tcptls.c</span><br><span>index 7930c50..be07e2d 100644</span><br><span>--- a/main/tcptls.c</span><br><span>+++ b/main/tcptls.c</span><br><span>@@ -128,7 +128,8 @@</span><br><span> * this seems like a good general policy.</span><br><span> */</span><br><span> if (ast_thread_inhibit_escalations()) {</span><br><span style="color: hsl(0, 100%, 40%);">- ast_log(LOG_ERROR, "Failed to inhibit privilege escalations; killing connection\n");</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_log(LOG_ERROR, "Failed to inhibit privilege escalations; killing connection from peer '%s'\n",</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_sockaddr_stringify(&tcptls_session->remote_address));</span><br><span> ast_tcptls_close_session_file(tcptls_session);</span><br><span> ao2_ref(tcptls_session, -1);</span><br><span> return NULL;</span><br><span>@@ -141,7 +142,8 @@</span><br><span> * the individual protocol handlers, but this seems like a good start.</span><br><span> */</span><br><span> if (ast_thread_user_interface_set(1)) {</span><br><span style="color: hsl(0, 100%, 40%);">- ast_log(LOG_ERROR, "Failed to set user interface status; killing connection\n");</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_log(LOG_ERROR, "Failed to set user interface status; killing connection from peer '%s'\n",</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_sockaddr_stringify(&tcptls_session->remote_address));</span><br><span> ast_tcptls_close_session_file(tcptls_session);</span><br><span> ao2_ref(tcptls_session, -1);</span><br><span> return NULL;</span><br><span>@@ -150,6 +152,11 @@</span><br><span> if (tcptls_session->parent->tls_cfg) {</span><br><span> #ifdef DO_SSL</span><br><span> if (ast_iostream_start_tls(&tcptls_session->stream, tcptls_session->parent->tls_cfg->ssl_ctx, tcptls_session->client) < 0) {</span><br><span style="color: hsl(120, 100%, 40%);">+ SSL *ssl = ast_iostream_get_ssl(tcptls_session->stream);</span><br><span style="color: hsl(120, 100%, 40%);">+ if (ssl) {</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_log(LOG_ERROR, "Unable to set up ssl connection with peer '%s'\n",</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_sockaddr_stringify(&tcptls_session->remote_address));</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span> ast_tcptls_close_session_file(tcptls_session);</span><br><span> ao2_ref(tcptls_session, -1);</span><br><span> return NULL;</span><br><span>@@ -162,7 +169,8 @@</span><br><span> long res;</span><br><span> peer = SSL_get_peer_certificate(ssl);</span><br><span> if (!peer) {</span><br><span style="color: hsl(0, 100%, 40%);">- ast_log(LOG_ERROR, "No peer SSL certificate to verify\n");</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_log(LOG_ERROR, "No SSL certificate to verify from peer '%s'\n",</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_sockaddr_stringify(&tcptls_session->remote_address));</span><br><span> ast_tcptls_close_session_file(tcptls_session);</span><br><span> ao2_ref(tcptls_session, -1);</span><br><span> return NULL;</span><br><span>@@ -170,7 +178,9 @@</span><br><span> </span><br><span> res = SSL_get_verify_result(ssl);</span><br><span> if (res != X509_V_OK) {</span><br><span style="color: hsl(0, 100%, 40%);">- ast_log(LOG_ERROR, "Certificate did not verify: %s\n", X509_verify_cert_error_string(res));</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_log(LOG_ERROR, "Certificate from peer '%s' did not verify: %s\n",</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_sockaddr_stringify(&tcptls_session->remote_address),</span><br><span style="color: hsl(120, 100%, 40%);">+ X509_verify_cert_error_string(res));</span><br><span> X509_free(peer);</span><br><span> ast_tcptls_close_session_file(tcptls_session);</span><br><span> ao2_ref(tcptls_session, -1);</span><br><span>@@ -220,7 +230,8 @@</span><br><span> }</span><br><span> </span><br><span> if (!found) {</span><br><span style="color: hsl(0, 100%, 40%);">- ast_log(LOG_ERROR, "Certificate common name did not match (%s)\n", tcptls_session->parent->hostname);</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_log(LOG_ERROR, "Certificate common name from peer '%s' did not match (%s)\n",</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_sockaddr_stringify(&tcptls_session->remote_address), tcptls_session->parent->hostname);</span><br><span> X509_free(peer);</span><br><span> ast_tcptls_close_session_file(tcptls_session);</span><br><span> ao2_ref(tcptls_session, -1);</span><br><span>@@ -307,7 +318,8 @@</span><br><span> </span><br><span> /* This thread is now the only place that controls the single ref to tcptls_session */</span><br><span> if (ast_pthread_create_detached_background(&launched, NULL, handle_tcptls_connection, tcptls_session)) {</span><br><span style="color: hsl(0, 100%, 40%);">- ast_log(LOG_ERROR, "TCP/TLS unable to launch helper thread: %s\n",</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_log(LOG_ERROR, "TCP/TLS unable to launch helper thread for peer '%s': %s\n",</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_sockaddr_stringify(&tcptls_session->remote_address),</span><br><span> strerror(errno));</span><br><span> ao2_ref(tcptls_session, -1);</span><br><span> }</span><br><span></span><br></pre><p>To view, visit <a href="https://gerrit.asterisk.org/c/asterisk/+/11502">change 11502</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://gerrit.asterisk.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.asterisk.org/c/asterisk/+/11502"/><meta itemprop="name" content="View Change"/></div></div>
<div style="display:none"> Gerrit-Project: asterisk </div>
<div style="display:none"> Gerrit-Branch: master </div>
<div style="display:none"> Gerrit-Change-Id: Iff4f897277bc36ce8c5b493b71d0a4a7b74e62f0 </div>
<div style="display:none"> Gerrit-Change-Number: 11502 </div>
<div style="display:none"> Gerrit-PatchSet: 1 </div>
<div style="display:none"> Gerrit-Owner: George Joseph <gjoseph@digium.com> </div>
<div style="display:none"> Gerrit-Reviewer: Friendly Automation </div>
<div style="display:none"> Gerrit-Reviewer: George Joseph <gjoseph@digium.com> </div>
<div style="display:none"> Gerrit-Reviewer: Joshua Colp <jcolp@digium.com> </div>
<div style="display:none"> Gerrit-Reviewer: Kevin Harwell <kharwell@digium.com> </div>
<div style="display:none"> Gerrit-MessageType: merged </div>