Module: kamailio Branch: master Commit: e2cc98eb5aca42b82eb18c35adfa2d16ff4a3f60 URL: https://github.com/kamailio/kamailio/commit/e2cc98eb5aca42b82eb18c35adfa2d1… Author: Daniel-Constantin Mierla &lt;miconda(a)gmail.com&gt; Committer: Daniel-Constantin Mierla &lt;miconda(a)gmail.com&gt; Date: 2021-11-22T09:01:09+01:00 tls: try to print sni on tls error --- Modified: src/modules/tls/tls_server.c Modified: src/modules/tls/tls_util.h --- Diff: https://github.com/kamailio/kamailio/commit/e2cc98eb5aca42b82eb18c35adfa2d1… Patch: https://github.com/kamailio/kamailio/commit/e2cc98eb5aca42b82eb18c35adfa2d1… --- diff --git a/src/modules/tls/tls_server.c b/src/modules/tls/tls_server.c index f75b111168..7004096adf 100644 --- a/src/modules/tls/tls_server.c +++ b/src/modules/tls/tls_server.c @@ -285,7 +285,7 @@ static int tls_complete_init(struct tcp_connection* c) data->state = state; if (unlikely(data->ssl == 0 || data->rwbio == 0)) { - TLS_ERR("Failed to create SSL or BIO structure:"); + TLS_ERR_SSL("Failed to create SSL or BIO structure:", data->ssl); if (data->ssl) SSL_free(data->ssl); if (data->rwbio) @@ -446,7 +446,7 @@ EVP_PKEY * tls_lookup_private_key(SSL_CTX*); int tls_accept(struct tcp_connection *c, int* error) { int ret; - SSL *ssl; + SSL *ssl = NULL; X509* cert; struct tls_extra_data* tls_c; int tls_log; @@ -792,7 +792,7 @@ int tls_h_encode_f(struct tcp_connection *c, snd_flags_t* send_flags) { int n, offs; - SSL* ssl; + SSL* ssl = NULL; struct tls_extra_data* tls_c; static unsigned char wr_buf[TLS_WR_MBUF_SZ]; struct tls_mbuf rd, wr; @@ -929,7 +929,7 @@ int tls_h_encode_f(struct tcp_connection *c, case SSL_ERROR_SSL: /* protocol level error */ ERR("protocol level error\n"); - TLS_ERR(err_src); + TLS_ERR_SSL(err_src, ssl); memset(ip_buf, 0, sizeof(buf)); ip_addr2sbuf(&(c->rcv.src_ip), ip_buf, sizeof(ip_buf)); ERR("source IP: %s\n", ip_buf); @@ -970,7 +970,7 @@ int tls_h_encode_f(struct tcp_connection *c, } goto error; default: - TLS_ERR(err_src); + TLS_ERR_SSL(err_src, ssl); BUG("unexpected SSL error %d\n", ssl_error); goto bug; } @@ -1053,6 +1053,7 @@ int tls_h_read_f(struct tcp_connection* c, rd_conn_flags_t* flags) int x; int tls_dbg; + ssl = NULL; TLS_RD_TRACE("(%p, %p (%d)) start (%s -> %s:%d*)\n", c, flags, *flags, su2a(&c->rcv.src_su, sizeof(c->rcv.src_su)), @@ -1327,7 +1328,7 @@ int tls_h_read_f(struct tcp_connection* c, rd_conn_flags_t* flags) case SSL_ERROR_SSL: /* protocol level error */ ERR("protocol level error\n"); - TLS_ERR(err_src); + TLS_ERR_SSL(err_src, ssl); memset(ip_buf, 0, sizeof(ip_buf)); ip_addr2sbuf(&(c->rcv.src_ip), ip_buf, sizeof(ip_buf)); ERR("src addr: %s:%d\n", ip_buf, c->rcv.src_port); @@ -1368,7 +1369,7 @@ int tls_h_read_f(struct tcp_connection* c, rd_conn_flags_t* flags) } goto error; default: - TLS_ERR(err_src); + TLS_ERR_SSL(err_src, ssl); BUG("unexpected SSL error %d\n", ssl_error); goto bug; } diff --git a/src/modules/tls/tls_util.h b/src/modules/tls/tls_util.h index 8ff63dd0f1..86e036cce9 100644 --- a/src/modules/tls/tls_util.h +++ b/src/modules/tls/tls_util.h @@ -26,20 +26,29 @@ #ifndef _TLS_UTIL_H #define _TLS_UTIL_H +#include <openssl/ssl.h> #include <openssl/err.h> #include "../../core/dprint.h" #include "../../core/str.h" #include "tls_domain.h" -static inline int tls_err_ret(char *s, tls_domains_cfg_t **tls_domains_cfg) { +static inline int tls_err_ret(char *s, SSL* ssl, + tls_domains_cfg_t **tls_domains_cfg) +{ long err; int ret = 0; + const char *sn = NULL; + if ((*tls_domains_cfg)->srv_default->ctx && (*tls_domains_cfg)->srv_default->ctx[0]) { + if(ssl) { + sn = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name); + } while((err = ERR_get_error())) { ret = 1; - ERR("%s%s\n", s ? s : "", ERR_error_string(err, 0)); + ERR("%s%s (sni: %s)\n", s ? s : "", ERR_error_string(err, 0), + (sn) ? sn : "unknown"); } } return ret; @@ -47,15 +56,19 @@ static inline int tls_err_ret(char *s, tls_domains_cfg_t **tls_domains_cfg) { #define TLS_ERR_RET(r, s) \ do { \ - (r) = tls_err_ret((s), tls_domains_cfg); \ + (r) = tls_err_ret((s), NULL, tls_domains_cfg); \ } while(0) #define TLS_ERR(s) \ do { \ - tls_err_ret((s), tls_domains_cfg); \ + tls_err_ret((s), NULL, tls_domains_cfg); \ } while(0) +#define TLS_ERR_SSL(s, ssl) \ +do { \ + tls_err_ret((s), (ssl), tls_domains_cfg); \ +} while(0) /* * Make a shared memory copy of ASCII zero terminated string