Improve misleading SSL/TLS trace messages.
Author: Rich Megginson (rmeggins@redhat.com)
--- openldap.old/libraries/libldap/tls_m.c.3 2010-11-11 18:39:48.000000000 -0700
8
+++ openldap.new/libraries/libldap/tls_m.c 2010-11-11 20:17:35.000000000 -0700
10
Debug( LDAP_DEBUG_TRACE,
11
"cache hits: %ld, cache misses: %ld, cache not reusable: %ld\n",
12
ssl3stats->hch_sid_cache_hits, ssl3stats->hch_sid_cache_misses,
13
ssl3stats->hch_sid_cache_not_ok );
19
+tlsm_handshake_complete_cb( PRFileDesc *fd, void *client_data )
21
+ tlsm_dump_security_status( fd );
24
#ifdef READ_PASSWORD_FROM_FILE
26
tlsm_get_pin_from_file(const char *token_name, tlsm_ctx *ctx)
29
char *contents = NULL;
36
tlsm_auth_cert_handler(void *arg, PRFileDesc *fd,
37
PRBool checksig, PRBool isServer)
39
SECStatus ret = SSL_AuthCertificate(arg, fd, checksig, isServer);
41
- tlsm_dump_security_status( fd );
42
- Debug( LDAP_DEBUG_TRACE,
43
- "TLS certificate verification: %s\n",
44
- ret == SECSuccess ? "ok" : "bad", 0, 0 );
46
if ( ret != SECSuccess ) {
47
PRErrorCode errcode = PORT_GetError();
48
- Debug( LDAP_DEBUG_ANY,
49
- "TLS certificate verification: Error, %d: %s\n",
50
- errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ), 0 ) ;
51
+ /* we bypass NSS's hostname checks and do our own - tlsm_session_chkhost will handle it */
52
+ if ( errcode == SSL_ERROR_BAD_CERT_DOMAIN ) {
53
+ Debug( LDAP_DEBUG_TRACE,
54
+ "TLS certificate verification: defer\n",
57
+ Debug( LDAP_DEBUG_ANY,
58
+ "TLS certificate verification: Error, %d: %s\n",
59
+ errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ), 0 ) ;
62
+ Debug( LDAP_DEBUG_TRACE,
63
+ "TLS certificate verification: ok\n",
71
tlsm_authenticate_to_slot( tlsm_ctx *ctx, PK11SlotInfo *slot )
73
@@ -1181,16 +1193,21 @@
76
tlsm_init_ca_certs( tlsm_ctx *ctx, const char *cacertfile, const char *cacertdir )
78
PRBool isca = PR_TRUE;
79
PRStatus status = PR_FAILURE;
80
PRErrorCode errcode = PR_SUCCESS;
82
+ if ( !cacertfile && !cacertdir ) {
83
+ /* no checking - not good, but allowed */
88
int rc = tlsm_add_cert_from_file( ctx, cacertfile, isca );
90
errcode = PR_GetError();
91
Debug( LDAP_DEBUG_ANY,
92
"TLS: %s is not a valid CA certificate file - error %d:%s.\n",
94
PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) );
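Review bot: The new early-out in tlsm_init_ca_certs for `!cacertfile && !cacertdir` leaves no trace in the log, so an operator cannot tell from the output that no CA trust anchors were loaded; the comment "no checking - not good, but allowed" only reaches someone reading the source. Since the function already reports a bad CA file at LDAP_DEBUG_ANY a few lines below, the same level fits here, e.g. `Debug( LDAP_DEBUG_ANY, "TLS: no CA certificate file or directory configured - CA certificate checking is disabled.\n", 0, 0, 0 );` placed before the return. The body of the new branch is not visible in the hunk (the patch lines between 83 and 88 are missing), so I am assuming it returns early rather than falling through.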
95
@@ -1394,19 +1411,21 @@
96
rc = (initctx == NULL) ? SECFailure : SECSuccess;
99
rc = NSS_Initialize( realcertdir, prefix, prefix, SECMOD_DB, NSS_INIT_READONLY );
102
if ( rc != SECSuccess ) {
103
errcode = PORT_GetError();
104
- Debug( LDAP_DEBUG_TRACE,
105
- "TLS: could not initialize moznss using security dir %s prefix %s - error %d.\n",
106
- realcertdir, prefix, errcode );
107
+ if ( securitydirs[ii] != lt->lt_cacertdir) {
108
+ Debug( LDAP_DEBUG_TRACE,
109
+ "TLS: could not initialize moznss using security dir %s prefix %s - error %d.\n",
110
+ realcertdir, prefix, errcode );
114
Debug( LDAP_DEBUG_TRACE, "TLS: using moznss security dir %s prefix %s.\n",
115
realcertdir, prefix, 0 );
119
if ( realcertdir != securitydir ) {
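Review bot: The new condition `if ( securitydirs[ii] != lt->lt_cacertdir)` compares pointers, so it only does what is intended if the securitydirs array stores the same pointer as lt->lt_cacertdir rather than a copy; the array is populated outside this hunk, so that cannot be confirmed here. The reason for skipping the trace message for that one entry is also not stated in the code, which will puzzle the next reader who sees an NSS_Initialize failure go unreported. A one-line comment above the condition, e.g. `/* skip for lt_cacertdir - if it fails as a cert db the CA-cert fallback reports it later */`, would document the intent without changing behaviour. The enclosing loop starts outside the hunk.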
120
@@ -1453,16 +1472,31 @@
121
errcode = PORT_GetError();
122
Debug( LDAP_DEBUG_ANY,
123
"TLS: could not initialize moznss PEM module - error %d:%s.\n",
124
errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ), 0 );
128
if ( tlsm_init_ca_certs( ctx, lt->lt_cacertfile, lt->lt_cacertdir ) ) {
129
+ /* if we tried to use lt->lt_cacertdir as an NSS key/cert db, errcode
130
+ will be a value other than 1 - print an error message so that the
131
+ user will know that failed too */
132
+ if ( ( errcode != 1 ) && ( lt->lt_cacertdir ) ) {
133
+ char *realcertdir = NULL;
134
+ char *prefix = NULL;
135
+ tlsm_get_certdb_prefix( lt->lt_cacertdir, &realcertdir, &prefix );
136
+ Debug( LDAP_DEBUG_TRACE,
137
+ "TLS: could not initialize moznss using security dir %s prefix %s - error %d.\n",
138
+ realcertdir, prefix ? prefix : "", errcode );
139
+ if ( realcertdir != lt->lt_cacertdir ) {
140
+ PL_strfree( realcertdir );
142
+ PL_strfree( prefix );
147
ctx->tc_using_pem = PR_TRUE;
150
#ifdef HAVE_NSS_INITCONTEXT
151
if ( !ctx->tc_initctx ) {
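Review bot: The follow-up message added after the tlsm_init_ca_certs failure is logged at LDAP_DEBUG_TRACE, yet the comment above it says its purpose is to let the user know that using lt->lt_cacertdir as a cert db failed too; at the default debug level that message will not be seen, while the PEM-module error directly above in the same hunk uses LDAP_DEBUG_ANY. Using `Debug( LDAP_DEBUG_ANY,` for the new message would make the two consistent and match the stated intent. The guard `( errcode != 1 )` depends on a sentinel assigned outside this hunk, so a short comment naming where errcode is set to 1 (or a named constant for it) would keep the check understandable. Note also that `realcertdir` is passed to `%s` without the NULL guard that `prefix` gets; if tlsm_get_certdb_prefix can leave it NULL on failure, the same `realcertdir ? realcertdir : ""` treatment is needed.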
152
@@ -2040,16 +2074,24 @@
153
ctx->tc_certdb ) != SECSuccess ) {
154
PRErrorCode err = PR_GetError();
155
Debug( LDAP_DEBUG_ANY,
156
"TLS: error: could not set auth cert handler for moznss - error %d:%s\n",
157
err, PR_ErrorToString( err, PR_LANGUAGE_I_DEFAULT ), NULL );
161
+ if ( SSL_HandshakeCallback( ctx->tc_model, tlsm_handshake_complete_cb, ctx ) ) {
162
+ PRErrorCode err = PR_GetError();
163
+ Debug( LDAP_DEBUG_ANY,
164
+ "TLS: error: could not set handshake callback for moznss - error %d:%s\n",
165
+ err, PR_ErrorToString( err, PR_LANGUAGE_I_DEFAULT ), NULL );
173
tlsm_session *session;
174
Sockbuf_IO_Desc *sbiod;
175
/* there seems to be no portable way to determine if the
176
sockbuf sd has been set to nonblocking mode - the