# HG changeset patch # User Timo Sirainen # Date 1335378496 -10800 # Node ID 36cde186aec6ffb2a5ee3a6f990531bf2101ab27 # Parent 3893f2b7e4abf0d67a61011f55a5e912bf8e2fd4 *-login: If client certificate isn't valid, log the reason why. diff -r 3893f2b7e4ab -r 36cde186aec6 src/login-common/login-proxy.c --- a/src/login-common/login-proxy.c Wed Apr 25 21:26:25 2012 +0300 +++ b/src/login-common/login-proxy.c Wed Apr 25 21:28:16 2012 +0300 @@ -516,8 +516,9 @@ if (ssl_proxy_has_broken_client_cert(proxy->ssl_server_proxy)) { client_log_err(proxy->client, t_strdup_printf( - "proxy: Received invalid SSL certificate from %s:%u", - proxy->host, proxy->port)); + "proxy: Received invalid SSL certificate from %s:%u: %s", + proxy->host, proxy->port, + ssl_proxy_get_cert_error(proxy->ssl_server_proxy))); } else if (!ssl_proxy_has_valid_client_cert(proxy->ssl_server_proxy)) { client_log_err(proxy->client, t_strdup_printf( "proxy: SSL certificate not received from %s:%u", diff -r 3893f2b7e4ab -r 36cde186aec6 src/login-common/ssl-proxy-openssl.c --- a/src/login-common/ssl-proxy-openssl.c Wed Apr 25 21:26:25 2012 +0300 +++ b/src/login-common/ssl-proxy-openssl.c Wed Apr 25 21:28:16 2012 +0300 @@ -66,6 +66,7 @@ ssl_handshake_callback_t *handshake_callback; void *handshake_context; + const char *cert_error; char *last_error; unsigned int handshaked:1; unsigned int destroyed:1; @@ -754,6 +755,12 @@ #endif } +const char *ssl_proxy_get_cert_error(struct ssl_proxy *proxy) +{ + return proxy->cert_error != NULL ? proxy->cert_error : + "(Unknown error)"; +} + void ssl_proxy_free(struct ssl_proxy **_proxy) { struct ssl_proxy *proxy = *_proxy; @@ -849,32 +856,40 @@ { SSL *ssl; struct ssl_proxy *proxy; + char buf[1024]; + X509_NAME *subject; ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx()); proxy = SSL_get_ex_data(ssl, extdata_index); proxy->cert_received = TRUE; - if (proxy->set->verbose_ssl || - (proxy->set->auth_verbose && !preverify_ok)) { - char buf[1024]; - X509_NAME *subject; - - subject = X509_get_subject_name(ctx->current_cert); - (void)X509_NAME_oneline(subject, buf, sizeof(buf)); - buf[sizeof(buf)-1] = '\0'; /* just in case.. */ - if (!preverify_ok) - i_info("Invalid certificate: %s: %s", X509_verify_cert_error_string(ctx->error),buf); - else - i_info("Valid certificate: %s", buf); - } - if (ctx->error == X509_V_ERR_UNABLE_TO_GET_CRL && proxy->client_proxy) { + if (proxy->client_proxy && ctx->error == X509_V_ERR_UNABLE_TO_GET_CRL) { /* no CRL given with the CA list. don't worry about it. */ preverify_ok = 1; } if (!preverify_ok) proxy->cert_broken = TRUE; + subject = X509_get_subject_name(ctx->current_cert); + (void)X509_NAME_oneline(subject, buf, sizeof(buf)); + buf[sizeof(buf)-1] = '\0'; /* just in case.. */ + + if (proxy->cert_error == NULL) { + proxy->cert_error = p_strdup_printf(proxy->client->pool, "%s: %s", + X509_verify_cert_error_string(ctx->error), buf); + } + + if (proxy->set->verbose_ssl || + (proxy->set->auth_verbose && !preverify_ok)) { + if (preverify_ok) + i_info("Valid certificate: %s", buf); + else { + i_info("Invalid certificate: %s: %s", + X509_verify_cert_error_string(ctx->error), buf); + } + } + /* Return success anyway, because if ssl_require_client_cert=no we could still allow authentication. */ return 1; diff -r 3893f2b7e4ab -r 36cde186aec6 src/login-common/ssl-proxy.c --- a/src/login-common/ssl-proxy.c Wed Apr 25 21:26:25 2012 +0300 +++ b/src/login-common/ssl-proxy.c Wed Apr 25 21:28:16 2012 +0300 @@ -79,6 +79,11 @@ return NULL; } +const char *ssl_proxy_get_cert_error(struct ssl_proxy *proxy ATTR_UNUSED) +{ + return ""; +} + void ssl_proxy_free(struct ssl_proxy **proxy ATTR_UNUSED) {} unsigned int ssl_proxy_get_count(void) diff -r 3893f2b7e4ab -r 36cde186aec6 src/login-common/ssl-proxy.h --- a/src/login-common/ssl-proxy.h Wed Apr 25 21:26:25 2012 +0300 +++ b/src/login-common/ssl-proxy.h Wed Apr 25 21:28:16 2012 +0300 @@ -30,6 +30,7 @@ const char *ssl_proxy_get_last_error(const struct ssl_proxy *proxy) ATTR_PURE; const char *ssl_proxy_get_security_string(struct ssl_proxy *proxy); const char *ssl_proxy_get_compression(struct ssl_proxy *proxy); +const char *ssl_proxy_get_cert_error(struct ssl_proxy *proxy); void ssl_proxy_free(struct ssl_proxy **proxy); /* Return number of active SSL proxies */