From f31a0537c649b0ecf40986e5dc8fea6386e6bcb0 Mon Sep 17 00:00:00 2001
From: Rainer Gerhards
Date: Mon, 26 May 2008 10:15:49 +0200
Subject: improved gtls error reporting
---
 doc/rsyslog_tls.html | 20 +++++++++++++++-----
 runtime/nsd_gtls.c | 13 +++++++++++--
 2 files changed, 26 insertions(+), 7 deletions(-)
diff --git a/doc/rsyslog_tls.html b/doc/rsyslog_tls.html
index e1729feb..2d5fd8e9 100644
--- a/doc/rsyslog_tls.html
+++ b/doc/rsyslog_tls.html
@@ -159,7 +159,8 @@ syslog has sufficiently matured.

a short summary on how to generate the necessary certificates with GnuTLS' certtool. You can also generate certificates via other tools, but as we currently support GnuTLS as the only TLS library, we thought -it is a good idea to use their tools.

+it is a good idea to use their tools.
+

Note that this section aims at people who are not involved with PKI at all. The main goal is to get them going in a reasonable secure way. 

@@ -238,14 +239,22 @@ use default server authentication and you use selector lines with IP addresses (e.g. "*.* @@192.168.0.1") - in that case you need to select a dnsName of 192.168.0.1. But, of course, changing the server IP then requires generating a new certificate. -After you have generated the certificate, you need to place it -onto the local machine running rsyslogd. Specify the certificate and -key via the $DefaultNetstreamDriverCertFile /path/to/cert.pem and + +After you have generated the certificate, you need to place it onto the +local machine running rsyslogd. Specify the certificate and key via the +$DefaultNetstreamDriverCertFile /path/to/cert.pem and $DefaultNetstreamDriverKeyFile /path/to/key.pem configuration directives. Make sure that nobody has access to key.pem, as that would breach security. And, once again: do NOT use these files on more than one instance. Doing so would prevent you from distinguising between the instances and thus would disable useful authentication. +

Troubleshooting Certificates

+

If you experience trouble with your certificate setup, it may +be +useful to get some information on what is contained in a specific +certificate (file). To obtain that information, do 

+
$ certtool --certificate-info --infile cert.pem
+

where "cert.pem" can be replaced by the various certificate pem files (but it does not work with the key files).

Conclusion

With minumal effort, you can set up a secure logging infrastructure employing TLS encrypted syslog message transmission.

@@ -257,7 +266,8 @@ please

Revision History

Copyright

Copyright (c) 2008 Rainer
diff --git a/runtime/nsd_gtls.c b/runtime/nsd_gtls.c
index aec3f0c5..54fbecd2 100644
--- a/runtime/nsd_gtls.c
+++ b/runtime/nsd_gtls.c
@@ -335,6 +335,7 @@ gtlsAddOurCert(void)
 int gnuRet;
 uchar *keyFile;
 uchar *certFile;
+ uchar *pGnuErr; /* for GnuTLS error reporting */
 DEFiRet;
 certFile = glbl.GetDfltNetstrmDrvrCertFile();
@@ -344,6 +345,13 @@ gtlsAddOurCert(void)
 CHKgnutls(gnutls_certificate_set_x509_key_file(xcred, (char*)certFile, (char*)keyFile, GNUTLS_X509_FMT_PEM));
 finalize_it:
+ if(iRet != RS_RET_OK) {
+ pGnuErr = gtlsStrerror(gnuRet);
+ errno = 0;
+ errmsg.LogError(NO_ERRCODE, "error adding our certificate. GnuTLS error %d, message: '%s', "
+ "key: '%s', cert: '%s'\n", gnuRet, pGnuErr, certFile, keyFile);
+ free(pGnuErr);
+ }
 RETiRet;
 }
@@ -435,7 +443,6 @@ gtlsGlblInitLstn(void)
 * considered legacy. -- rgerhards, 2008-05-05 */
 /*CHKgnutls(gnutls_certificate_set_x509_crl_file(xcred, CRLFILE, GNUTLS_X509_FMT_PEM));*/
- //CHKiRet(gtlsAddOurCert());
 CHKiRet(generate_dh_params());
 gnutls_certificate_set_dh_params(xcred, dh_params); /* this is void */
 bGlblSrvrInitDone = 1; /* we are all set now */
@@ -535,6 +542,7 @@ gtlsChkPeerName(nsd_gtls_t *pThis, gnutls_x509_crt *pCert)
 */
 pPeer = pThis->pPermPeers;
 while(pPeer != NULL && !bFoundPositiveMatch) {
+RUNLOG_VAR("%s", pPeer->pszID);
 if(!strcmp(szAltName, (char*)pPeer->pszID)) {
 bFoundPositiveMatch = 1;
 } else {
@@ -640,6 +648,7 @@ gtlsChkPeerCertValidity(nsd_gtls_t *pThis)
 gnuRet = gnutls_certificate_verify_peers(pThis->sess);
 if(gnuRet == GNUTLS_E_NO_CERTIFICATE_FOUND) {
 errmsg.LogError(NO_ERRCODE, "peer did not provide a certificate, not permitted to talk to it");
+ ABORT_FINALIZE(RS_RET_TLS_NO_CERT);
 } else if(gnuRet < 1)
 CHKgnutls(gnuRet);
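Review bot: The new error report in finalize_it labels its last two arguments backwards: the format string reads `"key: '%s', cert: '%s'"` but the arguments are passed as `certFile, keyFile`, so an operator chasing a bad path will be pointed at the wrong file; the call should end `gnuRet, pGnuErr, keyFile, certFile);`. Because `int gnuRet;` in the declaration hunk is never initialised, the block also formats an indeterminate value and hands it to gtlsStrerror if any failure other than the CHKgnutls call reaches finalize_it — the hunk does not show whether such a path exists, so either initialise it (`int gnuRet = 0;`) or only add the GnuTLS details when gnuRet was actually set. The trailing `\n` in the message is also inconsistent with the LogError call in the gtlsChkPeerCertValidity hunk, which carries none. gtlsAddOurCert begins before this hunk.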
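Review bot: The `RUNLOG_VAR("%s", pPeer->pszID);` added at column 0 inside the permitted-peer loop reads as leftover debug instrumentation rather than part of the error-reporting improvement the commit describes: on every handshake it emits each configured peer ID (presumably through the runtime debug log, judging by the macro name) until a match is found. If it is meant to stay, it should be indented with the loop body and marked with a comment such as `/* debug: trace permitted-peer comparison */`; otherwise drop it before merge. The while loop and gtlsChkPeerName itself continue outside the hunk.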
@@ -757,7 +766,7 @@ gtlsSetTransportPtr(nsd_gtls_t *pThis, int sock)
 BEGINobjConstruct(nsd_gtls) /* be sure to specify the object type also in END macro! */
 iRet = nsd_ptcp.Construct(&pThis->pTcp);
 pThis->bReportAuthErr = 1;
-CHKiRet(gtlsAddOurCert());
+ CHKiRet(gtlsAddOurCert());
 finalize_it:
 ENDobjConstruct(nsd_gtls)
-- cgit