Diffstat (limited to 'platform/src')
-rw-r--r--platform/src/ssl_stream.cpp12
-rw-r--r--platform/src/ssl_trusted_cert_storage.cpp40
-rw-r--r--platform/src/ssl_utils.cpp42
3 files changed, 78 insertions, 16 deletions
diff --git a/platform/src/ssl_stream.cpp b/platform/src/ssl_stream.cpp
index 7b154bb..f28bb32 100644
--- a/platform/src/ssl_stream.cpp
+++ b/platform/src/ssl_stream.cpp
@@ -47,7 +47,7 @@
static int SSL_CTX_EX_DATA_IDX_SSLMGR;
static int SSL_EX_DATA_IDX_SSLSTREAM;
-static unsigned int ssl_ja3_debug;
+static unsigned int ssl_debug;
#define MAX_NET_RETRIES 50
#define LATENCY_WARNING_THRESHOLD_MS 1000
@@ -289,6 +289,12 @@ struct fs_spec
enum ssl_stream_stat id;
const char* name;
};
+
+unsigned int is_ssl_debug()
+{
+ return ssl_debug;
+}
+
int sslver_str2num(const char * version_str)
{
int sslversion = -1;
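Review bot: `is_ssl_debug()` is introduced as an external (non-static) accessor with no comment saying what the value means or where it comes from; since it becomes the gate for debug logging in other translation units (`ssl_trusted_cert_storage.cpp` calls it), a one-line contract would help. Suggested comment above the definition: `/* Returns the "ssl_debug" profile value loaded in ssl_manager_init() (0 when unset); non-zero enables verbose TLS/cert debug logging. */`. Its declaration is presumably in ssl_stream.h, which this diffstat (limited to platform/src) does not show — worth confirming the header was updated in the same commit.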
@@ -634,7 +640,7 @@ struct ssl_mgr * ssl_manager_init(const char * ini_profile, const char * section
goto error_out;
}
- MESA_load_profile_uint_def(ini_profile, section, "ssl_ja3_debug", &(ssl_ja3_debug), 0);
+ MESA_load_profile_uint_def(ini_profile, section, "ssl_debug", &(ssl_debug), 0);
MESA_load_profile_string_def(ini_profile, section, "ssl_min_version", version_str, sizeof(version_str), "ssl3");
mgr->ssl_min_version = sslver_str2num(version_str);
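Review bot: Renaming the profile key from `"ssl_ja3_debug"` to `"ssl_debug"` silently disables debug logging for any existing profile that still sets the old key, because the lookup falls back to the default `0` with no warning. If the `_def` loader writes its default when the key is absent, backward compatibility is two lines: `MESA_load_profile_uint_def(ini_profile, section, "ssl_ja3_debug", &(ssl_debug), 0);` followed by `MESA_load_profile_uint_def(ini_profile, section, "ssl_debug", &(ssl_debug), ssl_debug);`, so the new key wins when present and the old one still works. Alternatively, a comment noting the rename and the affected deployments would at least make the break visible. ssl_manager_init() starts and ends outside this hunk.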
@@ -820,7 +826,7 @@ static void peek_client_hello_cb(evutil_socket_t fd, short what, void * arg)
{
case CHELLO_PARSE_SUCCESS:
{
- if (ssl_ja3_debug)
+ if (is_ssl_debug())
{
char *addr = tfe_string_addr_create_by_fd(fd, CONN_DIR_DOWNSTREAM);
struct ssl_ja3 *fingerprint = ssl_ja3_generate_fingerprint(buf, n);
diff --git a/platform/src/ssl_trusted_cert_storage.cpp b/platform/src/ssl_trusted_cert_storage.cpp
index 4111cd7..0f1a60f 100644
--- a/platform/src/ssl_trusted_cert_storage.cpp
+++ b/platform/src/ssl_trusted_cert_storage.cpp
@@ -1,6 +1,7 @@
#include "ssl_trusted_cert_storage.h"
#include "ssl_fetch_cert.h"
+#include "ssl_stream.h"
#include "MESA_htable_aux.h"
#include <MESA/MESA_htable.h>
@@ -473,23 +474,36 @@ int ssl_trusted_cert_storage_verify_conn(struct ssl_trusted_cert_storage* storag
ret=1;
}
- TFE_LOG_DEBUG(g_default_logger,
- "sni:%s, cet_real_untrust:%d, verify_host_fail:%d, verify_issure_fail:%d, verify_self_signed_fail:%d, verify_expiry_date_fail:%d, verify_other_fail:%d",
- (hostname ? hostname : "NULL"),
- ((param->real_untrust & 0xff) ? 1 : 0),
- ((param->real_untrust & 0x01) ? 1 : 0),
- ((param->real_untrust & 0x02) ? 1 : 0),
- ((param->real_untrust & 0x04) ? 1 : 0),
- ((param->real_untrust & 0x08) ? 1 : 0),
- ((param->real_untrust & 0x10) ? 1 : 0));
+ if (is_ssl_debug())
+ {
+ TFE_LOG_DEBUG(g_default_logger,
+ "sni:%s, cet_real_untrust:%d, verify_host_fail:%d, verify_issure_fail:%d, verify_self_signed_fail:%d, verify_expiry_date_fail:%d, verify_other_fail:%d",
+ (hostname ? hostname : "NULL"),
+ ((param->real_untrust & 0xff) ? 1 : 0),
+ ((param->real_untrust & 0x01) ? 1 : 0),
+ ((param->real_untrust & 0x02) ? 1 : 0),
+ ((param->real_untrust & 0x04) ? 1 : 0),
+ ((param->real_untrust & 0x08) ? 1 : 0),
+ ((param->real_untrust & 0x10) ? 1 : 0));
+ ssl_chain_dump(hostname, "server_chain", cert_chain);
+ }
// case cert verify success
- if (param->real_untrust == 0) {
- ssl_fetch_trusted_cert_from_chain(cert_chain, storage->effective_store, hostname);
+ if (param->real_untrust == 0)
+ {
+ STACK_OF(X509) *trust_chain = X509_STORE_CTX_get1_chain(ctx);
+ if (trust_chain)
+ {
+ if (is_ssl_debug())
+ {
+ ssl_chain_dump(hostname, "trust_chain", trust_chain);
+ }
+ ssl_fetch_trusted_cert_from_chain(trust_chain, storage->effective_store, hostname);
+ sk_X509_pop_free(trust_chain, X509_free);
+ }
}
X509_STORE_CTX_free(ctx);
pthread_rwlock_unlock(&(storage->rwlock));
return ret;
-}
-
+} \ No newline at end of file
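Review bot: A NULL return from `X509_STORE_CTX_get1_chain(ctx)` is silently skipped at the new `if (trust_chain)` branch, so when the verified chain cannot be obtained (allocation failure, or a ctx whose verification never ran) no trusted certificate is recorded in `effective_store` and nothing is logged to explain why; an `else { TFE_LOG_DEBUG(g_default_logger, "sni:%s, X509_STORE_CTX_get1_chain failed", (hostname ? hostname : "NULL")); }` (or the error-level macro if the logger has one) would make that path diagnosable. The switch from the peer-presented `cert_chain` to the chain built by verification also changes what `ssl_fetch_trusted_cert_from_chain` sees, and a short comment such as `/* use the chain X509_verify_cert() built (may end in a store anchor), not the raw peer chain */` would record the intent for the next reader. The closing brace now lacks a trailing newline (`\ No newline at end of file`); restoring it avoids a spurious diff on the next edit. ssl_trusted_cert_storage_verify_conn() starts outside this hunk.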
diff --git a/platform/src/ssl_utils.cpp b/platform/src/ssl_utils.cpp
index 4580f9b..4a6bd05 100644
--- a/platform/src/ssl_utils.cpp
+++ b/platform/src/ssl_utils.cpp
@@ -2395,3 +2395,45 @@ struct ssl_chello* ssl_chello_parse(const unsigned char* buff, size_t buff_len,
}
}
+void ssl_chain_dump(const char *sni, const char *chain_type, STACK_OF(X509) *chain)
+{
+ int j = 0;
+ char *subj = NULL;
+ char *issuer = NULL;
+ char *fingerprint = NULL;
+ X509 *cert = NULL;
+
+ if (chain == NULL)
+ {
+ return;
+ }
+
+ for (j = 0; j < sk_X509_num(chain); j++)
+ {
+ cert = sk_X509_value(chain, j);
+ if (cert == NULL)
+ continue;
+
+ subj = ssl_x509_subject(cert);
+ issuer = ssl_x509_issuer(cert);
+ fingerprint = ssl_x509_fingerprint(cert, 0);
+
+ TFE_LOG_DEBUG(g_default_logger, "sni:%s chain_type:%s depth=%d: subject:%s issuer:%s fingerprint:%s",
+ sni ? sni : "null", chain_type, j, subj ? subj : "null", issuer ? issuer : "null", fingerprint ? fingerprint : "null");
+ if (subj)
+ {
+ free(subj);
+ subj = NULL;
+ }
+ if (issuer)
+ {
+ free(issuer);
+ issuer = NULL;
+ }
+ if (fingerprint)
+ {
+ free(fingerprint);
+ fingerprint = NULL;
+ }
+ }
+} \ No newline at end of file
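Review bot: `ssl_chain_dump` frees the results of `ssl_x509_subject`, `ssl_x509_issuer` and `ssl_x509_fingerprint` with `free()`, which is only correct if those helpers allocate with `malloc`/`strdup` rather than `OPENSSL_malloc` or `new`; that ownership contract is not stated anywhere in the hunk and should be documented, e.g. `/* Logs subject/issuer/fingerprint of every cert in chain at debug level; helper strings are malloc'd and released here. chain may be NULL. */`. The meaning of the second argument to `ssl_x509_fingerprint(cert, 0)` is not visible here either and deserves a word. Stylistically, the three `if (p) { free(p); p = NULL; }` guards are redundant (`free(NULL)` is a no-op and the locals are reassigned next iteration), `sk_X509_num(chain)` is re-evaluated on every iteration, and the `"null"` placeholder differs from the `"NULL"` used by the caller's log line in `ssl_trusted_cert_storage.cpp`. The trailing newline at end of file is also missing.

```cpp
void ssl_chain_dump(const char *sni, const char *chain_type, STACK_OF(X509) *chain)
{
    if (chain == NULL)
    {
        return;
    }

    const int depth = sk_X509_num(chain);
    for (int j = 0; j < depth; j++)
    {
        X509 *cert = sk_X509_value(chain, j);
        if (cert == NULL)
            continue;

        char *subj = ssl_x509_subject(cert);
        char *issuer = ssl_x509_issuer(cert);
        char *fingerprint = ssl_x509_fingerprint(cert, 0);

        /* … unchanged: TFE_LOG_DEBUG call … */

        /* free(NULL) is a no-op, so no guards are needed */
        free(subj);
        free(issuer);
        free(fingerprint);
    }
}
```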