diff options
| author | Alexander Barton <alex@barton.de> | 2024-01-02 22:13:42 +0100 |
|---|---|---|
| committer | Alexander Barton <alex@barton.de> | 2024-03-23 20:19:01 +0100 |
| commit | 02bb99b0242ade8af78f957aa1657561374ef1d6 (patch) | |
| tree | f4218fe66dd85ed96d4446be6cabbc65750088d0 /src | |
| parent | 3db3b47fc7172a69b7d99d66eddb07a323dc6e74 (diff) | |
| download | ngircd-02bb99b0242ade8af78f957aa1657561374ef1d6.tar.gz ngircd-02bb99b0242ade8af78f957aa1657561374ef1d6.zip | |
S2S-TLS/OpenSSL: Streamline logging
This includes simplifying cb_connserver_login_ssl() a bit, we do not have to code for invalid state which was ruled out by an assert() and therefore can get rid of the goto altogether (and don't log the same error twice with different messages).
Diffstat (limited to 'src')
| -rw-r--r-- | src/ngircd/conn-ssl.c | 15 | ||||
| -rw-r--r-- | src/ngircd/conn.c | 25 |
2 files changed, 20 insertions, 20 deletions
diff --git a/src/ngircd/conn-ssl.c b/src/ngircd/conn-ssl.c index 22b5d07e..ae864f50 100644 --- a/src/ngircd/conn-ssl.c +++ b/src/ngircd/conn-ssl.c @@ -155,13 +155,13 @@ LogOpenSSL_CertInfo(int level, X509 * cert, const char *msg) mem = BIO_new(BIO_s_mem()); if (!mem) return; - X509_NAME_print_ex(mem, X509_get_subject_name(cert), 4, + X509_NAME_print_ex(mem, X509_get_subject_name(cert), 0, XN_FLAG_ONELINE); - X509_NAME_print_ex(mem, X509_get_issuer_name(cert), 4, XN_FLAG_ONELINE); + X509_NAME_print_ex(mem, X509_get_issuer_name(cert), 2, XN_FLAG_ONELINE); if (BIO_write(mem, "", 1) == 1) { len = BIO_get_mem_data(mem, &memptr); if (memptr && len > 0) - Log(level, "%s: \"%s\"", msg, memptr); + Log(level, "%s: \"%s\".", msg, memptr); } (void)BIO_set_close(mem, BIO_CLOSE); BIO_free(mem); @@ -832,9 +832,12 @@ ConnSSL_HandleError(CONNECTION * c, const int code, const char *fname) "SSL error, client disconnected [in %s()]!", fname); break; - case -1: /* low level socket I/O error, check errno */ - Log(LOG_ERR, "SSL error: %s [in %s()]!", - strerror(real_errno), fname); + case -1: + /* Low level socket I/O error, check errno. But + * we don't need to log this here, the generic + * connection layer will take care of it. */ + LogDebug("SSL error: %s [in %s()]!", + strerror(real_errno), fname); } } break; diff --git a/src/ngircd/conn.c b/src/ngircd/conn.c index fab483e1..10042943 100644 --- a/src/ngircd/conn.c +++ b/src/ngircd/conn.c @@ -2591,28 +2591,25 @@ cb_connserver_login_ssl(int sock, short unused) serveridx = Conf_GetServer(idx); assert(serveridx >= 0); - if (serveridx < 0) - goto err; - - Log( LOG_INFO, "SSL connection %d with \"%s:%d\" established.", idx, - My_Connections[idx].host, Conf_Server[Conf_GetServer( idx )].port ); + /* The SSL handshake is done, but validation results were ignored so + * far, so let's see where we are: */ + LogDebug("SSL handshake on socket %d done.", idx); if (!Conn_OPTION_ISSET(&My_Connections[idx], CONN_SSL_PEERCERT_OK)) { if (Conf_Server[serveridx].SSLVerify) { Log(LOG_ERR, - "SSLVerify enabled for %d, but peer certificate check failed", - idx); - goto err; + "Peer certificate check failed for \"%s\" on connection %d!", + My_Connections[idx].host, idx); + Conn_Close(idx, "Valid certificate required", + NULL, false); + return; } Log(LOG_WARNING, - "Peer certificate check failed for %d, but SSLVerify is disabled, continuing", - idx); + "Peer certificate check failed for \"%s\" on connection %d, but \"SSLVerify\" is disabled. Continuing ...", + My_Connections[idx].host, idx); } + LogDebug("Server certificate accepted, continuing server login ..."); server_login(idx); - return; - err: - Log(LOG_ERR, "SSL connection on socket %d failed!", sock); - Conn_Close(idx, "Can't connect!", NULL, false); } |