authorRainer Gerhards <rgerhards@adiscon.com>2011-02-01 22:58:30 +0100
committerRainer Gerhards <rgerhards@adiscon.com>2011-02-01 22:58:30 +0100
commitbea499dcb2747d1f5b42eae4978cfe86a37dc957 (patch)
treef10f76b45621bf081572aa76641b308c564aebce
parentfd256a09ffa109120304d293cf6faf808c5a1a21 (diff)
downloadrsyslog-bea499dcb2747d1f5b42eae4978cfe86a37dc957.tar.gz
rsyslog-bea499dcb2747d1f5b42eae4978cfe86a37dc957.tar.xz
rsyslog-bea499dcb2747d1f5b42eae4978cfe86a37dc957.zip
(somewhat) improved TLS subsystem
- improved TLS error reporting - improved TLS startup (Diffie-Hellman bits do not need to be generated, as we do not support full anon key exchange -- we always need certs)
-rw-r--r--ChangeLog3
-rw-r--r--runtime/nsd_gtls.c26
-rw-r--r--tcpsrv.c12
3 files changed, 15 insertions, 26 deletions
diff --git a/ChangeLog b/ChangeLog
index 8dae0f8f..e6667c52 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,6 @@
+- improved TLS error reporting
+- improved TLS startup (Diffie-Hellman bits do not need to be generated,
+ as we do not support full anon key exchange -- we always need certs)
---------------------------------------------------------------------------
Version 6.1.3 [DEVEL] (rgerhards), 2010-12-??
- added $IMUDPSchedulingPolicy and $IMUDPSchedulingPriority config settings
diff --git a/runtime/nsd_gtls.c b/runtime/nsd_gtls.c
index 0ee70e56..d6874183 100644
--- a/runtime/nsd_gtls.c
+++ b/runtime/nsd_gtls.c
@@ -50,7 +50,6 @@
#include "nsd_gtls.h"
/* things to move to some better place/functionality - TODO */
-#define DH_BITS 1024
#define CRLFILE "crl.pem"
@@ -81,7 +80,6 @@ static pthread_mutex_t mutGtlsStrerror; /**< a mutex protecting the potentially
/* ------------------------------ GnuTLS specifics ------------------------------ */
static gnutls_certificate_credentials xcred;
-static gnutls_dh_params dh_params;
#ifdef DEBUG
#if 0 /* uncomment, if needed some time again -- DEV Debug only */
@@ -609,7 +607,6 @@ gtlsInitSession(nsd_gtls_t *pThis)
/* request client certificate if any. */
gnutls_certificate_server_set_request( session, GNUTLS_CERT_REQUEST);
- gnutls_dh_set_prime_bits(session, DH_BITS);
pThis->sess = session;
@@ -618,23 +615,6 @@ finalize_it:
}
-static rsRetVal
-generate_dh_params(void)
-{
- int gnuRet;
- DEFiRet;
- /* Generate Diffie Hellman parameters - for use with DHE
- * kx algorithms. These should be discarded and regenerated
- * once a day, once a week or once a month. Depending on the
- * security requirements.
- */
- CHKgnutls(gnutls_dh_params_init( &dh_params));
- CHKgnutls(gnutls_dh_params_generate2( dh_params, DH_BITS));
-finalize_it:
- RETiRet;
-}
-
-
/* set up all global things that are needed for server operations
* rgerhards, 2008-04-30
*/
@@ -648,8 +628,6 @@ gtlsGlblInitLstn(void)
* considered legacy. -- rgerhards, 2008-05-05
*/
/*CHKgnutls(gnutls_certificate_set_x509_crl_file(xcred, CRLFILE, GNUTLS_X509_FMT_PEM));*/
- CHKiRet(generate_dh_params());
- gnutls_certificate_set_dh_params(xcred, dh_params); /* this is void */
bGlblSrvrInitDone = 1; /* we are all set now */
/* now we need to add our certificate */
@@ -1418,6 +1396,10 @@ AcceptConnReq(nsd_t *pNsd, nsd_t **ppNew)
/* we got a handshake, now check authorization */
CHKiRet(gtlsChkPeerAuth(pNew));
} else {
+ uchar *pGnuErr = gtlsStrerror(gnuRet);
+ errmsg.LogError(0, RS_RET_TLS_HANDSHAKE_ERR,
+ "gnutls returned error on handshake: %s\n", pGnuErr);
+ free(pGnuErr);
ABORT_FINALIZE(RS_RET_TLS_HANDSHAKE_ERR);
}
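Review bot: `pGnuErr` is handed to `%s` without a NULL check; the `free()` shows gtlsStrerror returns an allocated buffer, and if it can return NULL on allocation failure the error path itself becomes undefined behavior, so guard it, e.g. `"gnutls returned error on handshake: %s\n", pGnuErr != NULL ? (char*)pGnuErr : "(unknown)"`. Since the peer is not yet authenticated at this point, every failed handshake from any remote source now yields one error-level log line, so it is worth confirming that LogError is rate-limited or that this cannot be used to fill the log. The trailing `\n` in the format looks unnecessary if LogError emits the message as a syslog record. AcceptConnReq continues outside the hunk.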
diff --git a/tcpsrv.c b/tcpsrv.c
index d86bff6b..c031a591 100644
--- a/tcpsrv.c
+++ b/tcpsrv.c
@@ -577,10 +577,14 @@ processWorksetItem(tcpsrv_t *pThis, nspoll_t *pPoll, int idx, void *pUsr)
if(pUsr == pThis->ppLstn) {
//printf("work item %p: connect\n", pUsr);
DBGPRINTF("New connect on NSD %p.\n", pThis->ppLstn[idx]);
- SessAccept(pThis, pThis->ppLstnPort[idx], &pNewSess, pThis->ppLstn[idx]);
- if(pPoll != NULL)
- CHKiRet(nspoll.Ctl(pPoll, pNewSess->pStrm, 0, pNewSess, NSDPOLL_IN, NSDPOLL_ADD));
- DBGPRINTF("New session created with NSD %p.\n", pNewSess);
+ iRet = SessAccept(pThis, pThis->ppLstnPort[idx], &pNewSess, pThis->ppLstn[idx]);
+ if(iRet == RS_RET_OK) {
+ if(pPoll != NULL)
+ CHKiRet(nspoll.Ctl(pPoll, pNewSess->pStrm, 0, pNewSess, NSDPOLL_IN, NSDPOLL_ADD));
+ DBGPRINTF("New session created with NSD %p.\n", pNewSess);
+ } else {
+ DBGPRINTF("tcpsrv: error %d during accept\n", iRet);
+ }
} else {
//printf("work item %p: receive\n", pUsr);
pNewSess = (tcps_sess_t*) pUsr;
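Review bot: The accept result is stored in `iRet`, but the new else-branch only prints and leaves `iRet` holding the error, so if processWorksetItem ends with the usual `finalize_it: RETiRet` (outside this hunk) a single rejected connection — now a common event, since the nsd layer aborts on any failed TLS handshake — is reported to the caller as a failure of the whole work item; whether that matters depends on what the caller does with the return value. Keeping the accept status in its own local avoids the ambiguity: `rsRetVal localRet = SessAccept(pThis, pThis->ppLstnPort[idx], &pNewSess, pThis->ppLstn[idx]);` followed by `if(localRet == RS_RET_OK) {` and `DBGPRINTF("tcpsrv: error %d during accept\n", localRet);`. The failure is also only visible via DBGPRINTF, so non-TLS accept errors still never reach an operator-visible log. processWorksetItem continues outside the hunk.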