changeset 1235:2660b47fd9bc HEAD
Added setting verbose_ssl
author | Timo Sirainen <tss@iki.fi> |
---|---|
date | Sun, 23 Feb 2003 21:44:46 +0200 |
parents | 23f28ecd2c21 |
children | 5c73e63c75f7 |
files | src/imap-login/client.c src/login-common/common.h src/login-common/main.c src/login-common/ssl-proxy-gnutls.c src/login-common/ssl-proxy-openssl.c src/login-common/ssl-proxy.h src/master/master-settings.c src/master/master-settings.h src/pop3-login/client.c |
diffstat | 9 files changed, 65 insertions(+), 22 deletions(-) [+] |
--- a/src/imap-login/client.c Sun Feb 23 15:13:09 2003 +0200
+++ b/src/imap-login/client.c Sun Feb 23 21:44:46 2003 +0200
@@ -125,7 +125,7 @@
 		client->common.io = NULL;
 	}
 
-	fd_ssl = ssl_proxy_new(client->common.fd);
+	fd_ssl = ssl_proxy_new(client->common.fd, &client->common.ip);
 	if (fd_ssl != -1) {
 		client->tls = TRUE;
 		client_set_title(client);
--- a/src/login-common/common.h Sun Feb 23 15:13:09 2003 +0200
+++ b/src/login-common/common.h Sun Feb 23 21:44:46 2003 +0200
@@ -5,6 +5,7 @@
 #include "../auth/auth-login-interface.h"
 
 extern int disable_plaintext_auth, process_per_connection, verbose_proctitle;
+extern int verbose_ssl;
 extern unsigned int max_logging_users;
 extern unsigned int login_process_uid;
 
--- a/src/login-common/main.c Sun Feb 23 15:13:09 2003 +0200
+++ b/src/login-common/main.c Sun Feb 23 21:44:46 2003 +0200
@@ -16,6 +16,7 @@
 #include <syslog.h>
 
 int disable_plaintext_auth, process_per_connection, verbose_proctitle;
+int verbose_ssl;
 unsigned int max_logging_users;
 unsigned int login_process_uid;
 
@@ -119,7 +120,7 @@
 	if (process_per_connection)
 		main_close_listen();
 
-	fd_ssl = ssl_proxy_new(fd);
+	fd_ssl = ssl_proxy_new(fd, &ip);
 	if (fd_ssl == -1)
 		net_disconnect(fd);
 	else
@@ -163,7 +164,8 @@
 
 	disable_plaintext_auth = getenv("DISABLE_PLAINTEXT_AUTH") != NULL;
 	process_per_connection = getenv("PROCESS_PER_CONNECTION") != NULL;
-	verbose_proctitle = getenv("VERBOSE_PROCTITLE") != NULL;
+	verbose_proctitle = getenv("VERBOSE_PROCTITLE") != NULL;
+	verbose_ssl = getenv("VERBOSE_SSL") != NULL;
 
 	value = getenv("MAX_LOGGING_USERS");
 	max_logging_users = value == NULL ? 0 : strtoul(value, NULL, 10);
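Review bot: `verbose_ssl = getenv("VERBOSE_SSL") != NULL;` in the third hunk relies on the master process exporting VERBOSE_SSL into the login process environment, and no file in this changeset does that: master-settings.c only adds the parsed setting and its default. If the login-process environment is built by explicit per-setting exports (as VERBOSE_PROCTITLE on the preceding line presumably is), the new setting is silently inert until a matching export is added, so this is worth confirming against the master's login-process code. The enclosing functions of the second and third hunks start and end outside the hunks.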
--- a/src/login-common/ssl-proxy-gnutls.c Sun Feb 23 15:13:09 2003 +0200
+++ b/src/login-common/ssl-proxy-gnutls.c Sun Feb 23 21:44:46 2003 +0200
@@ -19,6 +19,8 @@
 	int refcount;
 	gnutls_session session;
 
+	struct ip_addr ip;
+
 	int fd_ssl, fd_plain;
 	struct io *io_ssl, *io_plain;
 	int io_ssl_dir;
@@ -60,20 +62,32 @@
 static int handle_ssl_error(struct ssl_proxy *proxy, int error)
 {
 	if (!gnutls_error_is_fatal(error)) {
+		if (!verbose_ssl)
+			return 0;
+
 		if (error == GNUTLS_E_WARNING_ALERT_RECEIVED) {
-			i_warning("Received SSL warning alert: %s",
-				  get_alert_text(proxy));
+			i_warning("Received SSL warning alert: %s [%s]",
+				  get_alert_text(proxy),
+				  net_ip2host(&proxy->ip));
+		} else {
+			i_warning("Non-fatal SSL error: %s: %s",
+				  get_alert_text(proxy),
+				  net_ip2host(&proxy->ip));
 		}
 		return 0;
 	}
 
-	/* fatal error occured */
-	if (error == GNUTLS_E_FATAL_ALERT_RECEIVED) {
-		i_warning("Received SSL fatal alert: %s",
-			  get_alert_text(proxy));
-	} else {
-		i_warning("Error reading from SSL client: %s",
-			  gnutls_strerror(error));
+	if (verbose_ssl) {
+		/* fatal error occured */
+		if (error == GNUTLS_E_FATAL_ALERT_RECEIVED) {
+			i_warning("Received SSL fatal alert: %s [%s]",
+				  get_alert_text(proxy),
+				  net_ip2host(&proxy->ip));
+		} else {
+			i_warning("Error reading from SSL client: %s [%s]",
+				  gnutls_strerror(error),
+				  net_ip2host(&proxy->ip));
+		}
 	}
 
 	gnutls_alert_send_appropriate(proxy->session, error);
@@ -290,7 +304,7 @@
 	return session;
 }
 
-int ssl_proxy_new(int fd)
+int ssl_proxy_new(int fd, struct ip_addr *ip)
 {
 	struct ssl_proxy *proxy;
 	gnutls_session session;
@@ -316,6 +330,7 @@
 	proxy->session = session;
 	proxy->fd_ssl = fd;
 	proxy->fd_plain = sfd[0];
+	proxy->ip = *ip;
 	proxy->refcount++;
 
 	ssl_handshake(proxy);
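Review bot: In the new `else` branch of the non-fatal path in handle_ssl_error, `get_alert_text(proxy)` appears to describe the last received alert rather than the error in hand (its body is above this hunk), so a non-fatal error that is not an alert would be logged with stale or empty alert text; the fatal path a few lines below uses `gnutls_strerror(error)` for exactly this case. I would change the message to `i_warning("Non-fatal SSL error: %s [%s]", gnutls_strerror(error), net_ip2host(&proxy->ip));`, which also brings it in line with the `[ip]` suffix every other message in this hunk now carries. The behaviour change is otherwise sound: the early `return 0` preserves the old non-fatal result, and `gnutls_alert_send_appropriate` still runs for fatal errors whether or not verbose_ssl is set.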
--- a/src/login-common/ssl-proxy-openssl.c Sun Feb 23 15:13:09 2003 +0200
+++ b/src/login-common/ssl-proxy-openssl.c Sun Feb 23 21:44:46 2003 +0200
@@ -24,6 +24,7 @@
 	int refcount;
 
 	SSL *ssl;
+	struct ip_addr ip;
 	enum ssl_state state;
 
 	int fd_ssl, fd_plain;
@@ -150,9 +151,12 @@
 	return buf;
 }
 
-static void ssl_handle_error(struct ssl_proxy *proxy, int err, const char *func)
+static void ssl_handle_error(struct ssl_proxy *proxy, int ret, const char *func)
 {
-	err = SSL_get_error(proxy->ssl, err);
+	const char *errstr;
+	int err;
+
+	err = SSL_get_error(proxy->ssl, ret);
 
 	switch (err) {
 	case SSL_ERROR_WANT_READ:
@@ -163,7 +167,19 @@
 		break;
 	case SSL_ERROR_SYSCALL:
 		/* eat up the error queue */
-		/*i_warning("%s failed: %s", func, ssl_last_error());*/
+		if (verbose_ssl) {
+			if (ERR_peek_error() != 0)
+				errstr = ssl_last_error();
+			else {
+				if (ret == 0)
+					errstr = "EOF";
+				else
+					errstr = strerror(errno);
+			}
+
+			i_warning("%s syscall failed: %s [%s]",
+				  func, errstr, net_ip2host(&proxy->ip));
+		}
 		ssl_proxy_destroy(proxy);
 		break;
 	case SSL_ERROR_ZERO_RETURN:
@@ -171,12 +187,15 @@
 		ssl_proxy_destroy(proxy);
 		break;
 	case SSL_ERROR_SSL:
-		/*i_warning("%s failed: %s", func, ssl_last_error());*/
+		if (verbose_ssl) {
+			i_warning("%s failed: %s [%s]", func, ssl_last_error(),
+				  net_ip2host(&proxy->ip));
+		}
 		ssl_proxy_destroy(proxy);
 		break;
 	default:
-		i_warning("%s failed: unknown failure %d (%s)",
-			  func, err, ssl_last_error());
+		i_warning("%s failed: unknown failure %d (%s) [%s]",
+			  func, err, ssl_last_error(), net_ip2host(&proxy->ip));
 		ssl_proxy_destroy(proxy);
 		break;
 	}
@@ -272,7 +291,7 @@
 	proxy->io_ssl_dir = dir;
 }
 
-int ssl_proxy_new(int fd)
+int ssl_proxy_new(int fd, struct ip_addr *ip)
 {
 	struct ssl_proxy *proxy;
 	SSL *ssl;
@@ -307,6 +326,7 @@
 	proxy->ssl = ssl;
 	proxy->fd_ssl = fd;
 	proxy->fd_plain = sfd[0];
+	proxy->ip = *ip;
 	proxy->state = SSL_STATE_HANDSHAKE;
 
 	ssl_set_direction(proxy, IO_READ);
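Review bot: In the SSL_ERROR_SYSCALL case (third hunk) the `/* eat up the error queue */` comment no longer matches the code: `ssl_last_error()` is reached only when `verbose_ssl` is set and `ERR_peek_error()` is non-zero, so with the option off any queued OpenSSL error stays in the thread's error queue and can be misattributed by the next `SSL_get_error()` call on another connection, assuming ssl_last_error() is what drains the queue (its body ends just before the second hunk). I would drain unconditionally by adding `ERR_clear_error();` after the `if (verbose_ssl) { … }` block here and in the SSL_ERROR_SSL case of the fourth hunk. Separately, `strerror(errno)` is read after `SSL_get_error()` has run; if anything between the failing I/O call and this point can modify errno, the value should be captured by the caller. The `switch` these hunks patch starts in the second hunk and ends in the fourth.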
--- a/src/login-common/ssl-proxy.h Sun Feb 23 15:13:09 2003 +0200
+++ b/src/login-common/ssl-proxy.h Sun Feb 23 21:44:46 2003 +0200
@@ -1,12 +1,14 @@
 #ifndef __SSL_PROXY_H
 #define __SSL_PROXY_H
 
+struct ip_addr;
+
 extern int ssl_initialized;
 
 /* establish SSL connection with the given fd, returns a new fd which you
    must use from now on, or -1 if error occured. Unless -1 is returned,
    the given fd must be simply forgotten. */
-int ssl_proxy_new(int fd);
+int ssl_proxy_new(int fd, struct ip_addr *ip);
 
 void ssl_proxy_init(void);
 void ssl_proxy_deinit(void);
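Review bot: The new parameter is never written through by either implementation, which only copy `*ip` into the proxy, so the prototype should be `int ssl_proxy_new(int fd, const struct ip_addr *ip);` (with the two definitions updated to match). The comment above it should also state the ownership rule the implementations imply: "ip is the client's address and is copied, so the caller keeps ownership of it." That matters because the address is what ends up in the new verbose_ssl log lines, and a reader of the header alone cannot tell whether the proxy holds a reference to it.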
--- a/src/master/master-settings.c Sun Feb 23 15:13:09 2003 +0200
+++ b/src/master/master-settings.c Sun Feb 23 21:44:46 2003 +0200
@@ -39,6 +39,7 @@
 	/* login */
 	DEF(SET_STR, login_dir),
 	DEF(SET_BOOL, login_chroot),
+	DEF(SET_BOOL, verbose_ssl),
 
 	/* mail */
 	DEF(SET_STR, valid_chroot_dirs),
@@ -145,6 +146,7 @@
 	/* login */
 	MEMBER(login_dir) "login",
 	MEMBER(login_chroot) TRUE,
+	MEMBER(verbose_ssl) FALSE,
 
 	/* mail */
 	MEMBER(valid_chroot_dirs) NULL,
--- a/src/master/master-settings.h Sun Feb 23 15:13:09 2003 +0200
+++ b/src/master/master-settings.h Sun Feb 23 21:44:46 2003 +0200
@@ -25,6 +25,7 @@
 	/* login */
 	const char *login_dir;
 	int login_chroot;
+	int verbose_ssl;
 
 	/* mail */
 	const char *valid_chroot_dirs;
--- a/src/pop3-login/client.c Sun Feb 23 15:13:09 2003 +0200
+++ b/src/pop3-login/client.c Sun Feb 23 21:44:46 2003 +0200
@@ -80,7 +80,7 @@
 		client->common.io = NULL;
 	}
 
-	fd_ssl = ssl_proxy_new(client->common.fd);
+	fd_ssl = ssl_proxy_new(client->common.fd, &client->common.ip);
 	if (fd_ssl != -1) {
 		client->tls = TRUE;
 		client_set_title(client);