Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / 8b068c2993b2483e32ee66eb7498ae16f0692906^! / .
commit8b068c2993b2483e32ee66eb7498ae16f0692906[log] [tgz]
authorThierry FOURNIER / OZON.IO <thierry.fournier@ozon.io>Mon Oct 10 11:59:50 2016 +0200
committerWilly Tarreau <w@1wt.eu>Mon Oct 24 19:13:12 2016 +0200
tree0c8b333e9b2b794b408197063901d689fbc0cfe4
parent4f614290db221f390678e9e4377e4c5060817c75 [diff]
MINOR: ssl: add debug traces

Add some debug trace when haproxy is configured in debug & verbose mode.
This is useful for openssl tests. Typically, the error "SSL handshake
failure" can be caused by a lot of protocol error. This patch details
the encountered error. For exemple:

   OpenSSL error 0x1408a0c1: ssl3_get_client_hello: no shared cipher

Note that my compilator (gcc-4.7) refuse to considers the function
ssl_sock_dump_errors() as inline. The condition "if" ensure that the
content of the function is not executed in normal case. It should be
a pity to call a function just for testing its execution condition, so
I use the macro "forceinline".

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index e5a6f0a..f00b358 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c

@@ -200,6 +200,27 @@
 };
 
 /*
+ * This function gives the detail of the SSL error. It is used only
+ * if the debug mode and the verbose mode are activated. It dump all
+ * the SSL error until the stack was empty.
+ */
+static forceinline void ssl_sock_dump_errors(struct connection *conn)
+{
+	unsigned long ret;
+
+	if (unlikely(global.mode & MODE_DEBUG)) {
+		while(1) {
+			ret = ERR_get_error();
+			if (ret == 0)
+				return;
+			fprintf(stderr, "fd[%04x] OpenSSL error[0x%lx] %s: %s\n",
+			        (unsigned short)conn->t.sock.fd, ret,
+			        ERR_func_error_string(ret), ERR_reason_error_string(ret));
+		}
+	}
+}
+
+/*
  *  This function returns the number of seconds  elapsed
  *  since the Epoch, 1970-01-01 00:00:00 +0000 (UTC) and the
  *  date presented un ASN1_GENERALIZEDTIME.
@@ -1014,6 +1035,7 @@
 		}
 
 		if (objt_listener(conn->target)->bind_conf->ca_ignerr & (1ULL << err)) {
+			ssl_sock_dump_errors(conn);
 			ERR_clear_error();
 			return 1;
 		}
@@ -1027,6 +1049,7 @@
 
 	/* check if certificate error needs to be ignored */
 	if (objt_listener(conn->target)->bind_conf->crt_ignerr & (1ULL << err)) {
+		ssl_sock_dump_errors(conn);
 		ERR_clear_error();
 		return 1;
 	}
@@ -3542,6 +3565,7 @@
 
  out_error:
 	/* Clear openssl global errors stack */
+	ssl_sock_dump_errors(conn);
 	ERR_clear_error();
 
 	/* free resumed session if exists */
@@ -3619,6 +3643,7 @@
 					conn->flags |= CO_FL_ERROR;
 
 				/* Clear openssl global errors stack */
+				ssl_sock_dump_errors(conn);
 				ERR_clear_error();
 			}
 			goto read0;
@@ -3653,6 +3678,7 @@
 	return done;
  out_error:
 	/* Clear openssl global errors stack */
+	ssl_sock_dump_errors(conn);
 	ERR_clear_error();
 
 	conn->flags |= CO_FL_ERROR;
@@ -3749,6 +3775,7 @@
 
  out_error:
 	/* Clear openssl global errors stack */
+	ssl_sock_dump_errors(conn);
 	ERR_clear_error();
 
 	conn->flags |= CO_FL_ERROR;
@@ -3774,6 +3801,7 @@
 	/* no handshake was in progress, try a clean ssl shutdown */
 	if (clean && (SSL_shutdown(conn->xprt_ctx) <= 0)) {
 		/* Clear openssl global errors stack */
+		ssl_sock_dump_errors(conn);
 		ERR_clear_error();
 	}
 
@@ -6021,6 +6049,9 @@
 #ifndef OPENSSL_NO_DH
 	ssl_dh_ptr_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, NULL);
 #endif
+
+	/* Load SSL string for the verbose & debug mode. */
+	ERR_load_SSL_strings();
 }
 
 __attribute__((destructor))