authorRainer Gerhards <rgerhards@adiscon.com>2008-06-20 08:53:58 +0200
committerRainer Gerhards <rgerhards@adiscon.com>2008-06-20 08:53:58 +0200
commit083d52c86199f64306f1af058b3d4771a37c342f (patch)
treeb96860d90d40c7175d12f980431fc48a4e50788b /runtime/nsd_gtls.c
parent8bd173f72327aa905ed1ab979b612edd5509c209 (diff)
bugfix: some error states were swapped
... in gnutls code, resulting in some hard-to-understand error messages. Also generally improved certificate error messages a bit. Also, added GnuTLS debugging support.
Diffstat (limited to 'runtime/nsd_gtls.c')
-rw-r--r--runtime/nsd_gtls.c33
1 files changed, 27 insertions, 6 deletions
diff --git a/runtime/nsd_gtls.c b/runtime/nsd_gtls.c
index f55361cc..8c11e539 100644
--- a/runtime/nsd_gtls.c
+++ b/runtime/nsd_gtls.c
@@ -81,6 +81,18 @@ static pthread_mutex_t mutGtlsStrerror; /**< a mutex protecting the potentially
static gnutls_certificate_credentials xcred;
static gnutls_dh_params dh_params;
+#ifdef DEBUG
+/* This defines a log function to be provided to GnuTLS. It hopefully
+ * helps us track down hard to find problems.
+ * rgerhards, 2008-06-20
+ */
+static void logFunction(int level, const char *msg)
+{
+ dbgprintf("GnuTLS log msg, level %d: %s\n", level, msg);
+}
+#endif /* #ifdef DEBUG */
+
+
/* read in the whole content of a file. The caller is responsible for
* freeing the buffer. To prevent DOS, this function can NOT read
* files larger than 1MB (which still is *very* large).
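Review bot: The `\n` appended to the dbgprintf format in logFunction looks redundant: GnuTLS's internal log messages normally already end with a newline, so every entry in the debug log would presumably be followed by an empty line — worth checking against the output of the GnuTLS version in use. If that is the case, `dbgprintf("GnuTLS log msg, level %d: %s", level, msg);` keeps the log compact. The function comment could also state the contract it fulfils, e.g. `/* GnuTLS log callback (gnutls_log_func): forwards library messages to rsyslog's debug output; only compiled in DEBUG builds. */`.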
@@ -519,6 +531,12 @@ gtlsGlblInit(void)
ABORT_FINALIZE(RS_RET_GNUTLS_ERR);
}
+# ifdef DEBUG
+ /* intialize log function - set a level only for hard-to-find bugs */
+ gnutls_global_set_log_function(logFunction);
+ gnutls_global_set_log_level(10); /* 0 (no) to 9 (most), 10 everything */
+# endif
+
finalize_it:
RETiRet;
}
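Review bot: The log level is hard-coded to 10 whenever DEBUG is defined, which contradicts the comment just above it ("set a level only for hard-to-find bugs"): every debug build now emits GnuTLS's most verbose output unconditionally, not only when someone is chasing a specific problem. At the highest levels GnuTLS's logging is extremely chatty and, depending on the library version, may include handshake details that should not end up in a routinely kept debug log — worth confirming against the GnuTLS documentation for the version rsyslog builds against. Consider a named constant (or an existing runtime debug setting) that defaults to a modest level and is raised to 10 only on demand, and say so in the comment, e.g. `/* initialize log function; raise the level to 10 only when chasing a specific GnuTLS problem, it is very verbose */`. The comment also misspells "intialize". gtlsGlblInit's body starts outside this hunk.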
@@ -926,19 +944,22 @@ gtlsChkPeerCertValidity(nsd_gtls_t *pThis)
/* provide error details if we have them */
if(stateCert & GNUTLS_CERT_SIGNER_NOT_FOUND) {
pszErrCause = "signer not found";
- } else if(stateCert & GNUTLS_CERT_SIGNER_NOT_FOUND) {
- pszErrCause = "signer is not a CA";
} else if(stateCert & GNUTLS_CERT_SIGNER_NOT_CA) {
+ pszErrCause = "signer is not a CA";
+ } else if(stateCert & GNUTLS_CERT_INSECURE_ALGORITHM) {
pszErrCause = "insecure algorithm";
} else if(stateCert & GNUTLS_CERT_REVOKED) {
pszErrCause = "certificate revoked";
} else {
- pszErrCause = "no specific reason";
+ pszErrCause = "GnuTLS returned no specific reason";
+ dbgprintf("GnuTLS returned no specific reason for GNUTLS_CERT_INVALID, certificate "
+ "status is %d\n", stateCert);
}
+ errno = 0; /* get rid of errno based message expansion on LogError */
errmsg.LogError(NO_ERRCODE, "not permitted to talk to peer, certificate invalid: %s",
pszErrCause);
gtlsGetCertInfo(pThis, &pStr);
- errmsg.LogError(NO_ERRCODE, "info on invalid cert: %s", rsCStrGetSzStr(pStr));
+ errmsg.LogError(NO_ERRCODE, "invalid cert info: %s", rsCStrGetSzStr(pStr));
rsCStrDestruct(&pStr);
ABORT_FINALIZE(RS_RET_CERT_INVALID);
}
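Review bot: stateCert is a bitmask, so more than one of the GNUTLS_CERT_* flags can be set at once, but the if/else-if chain reports only the first match; an operator seeing "signer not found" would not learn that the certificate was also revoked or uses an insecure algorithm. The raw status value is now printed only in the dbgprintf of the fallback branch, so including it in the operator-facing message as well would make the diagnosis complete without changing the structure: `errmsg.LogError(NO_ERRCODE, "not permitted to talk to peer, certificate invalid: %s (status %u)", pszErrCause, stateCert);` — assuming stateCert is the `unsigned int` GnuTLS returns for the verification status, in which case the `%d` in the added dbgprintf should also become `%u`; its declaration is outside the hunk, so please confirm. gtlsChkPeerCertValidity starts and ends outside this hunk.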
@@ -960,7 +981,7 @@ gtlsChkPeerCertValidity(nsd_gtls_t *pThis)
else if(ttCert > ttNow) {
errmsg.LogError(NO_ERRCODE, "not permitted to talk to peer: certificate %d not yet active", i);
gtlsGetCertInfo(pThis, &pStr);
- errmsg.LogError(NO_ERRCODE, "info on invalid cert: %s", rsCStrGetSzStr(pStr));
+ errmsg.LogError(NO_ERRCODE, "invalid cert info: %s", rsCStrGetSzStr(pStr));
rsCStrDestruct(&pStr);
ABORT_FINALIZE(RS_RET_CERT_NOT_YET_ACTIVE);
}
@@ -971,7 +992,7 @@ gtlsChkPeerCertValidity(nsd_gtls_t *pThis)
else if(ttCert < ttNow) {
errmsg.LogError(NO_ERRCODE, "not permitted to talk to peer: certificate %d expired", i);
gtlsGetCertInfo(pThis, &pStr);
- errmsg.LogError(NO_ERRCODE, "info on invalid cert: %s", rsCStrGetSzStr(pStr));
+ errmsg.LogError(NO_ERRCODE, "invalid cert info: %s", rsCStrGetSzStr(pStr));
rsCStrDestruct(&pStr);
ABORT_FINALIZE(RS_RET_CERT_EXPIRED);
}