Added setting verbose_ssl
authorTimo Sirainen <tss@iki.fi>
Sun, 23 Feb 2003 19:44:46 +0000 (21:44 +0200)
committerTimo Sirainen <tss@iki.fi>
Sun, 23 Feb 2003 19:44:46 +0000 (21:44 +0200)
--HG--
branch : HEAD

src/imap-login/client.c
src/login-common/common.h
src/login-common/main.c
src/login-common/ssl-proxy-gnutls.c
src/login-common/ssl-proxy-openssl.c
src/login-common/ssl-proxy.h
src/master/master-settings.c
src/master/master-settings.h
src/pop3-login/client.c

index 543cdb9593f678e49caf0b251ed4ae0579d9a049..cfefe21082a13beac2c62acc5a3679ee5fd6f559 100644 (file)
@@ -125,7 +125,7 @@ static int cmd_starttls(struct imap_client *client)
                client->common.io = NULL;
        }
 
-       fd_ssl = ssl_proxy_new(client->common.fd);
+       fd_ssl = ssl_proxy_new(client->common.fd, &client->common.ip);
        if (fd_ssl != -1) {
                client->tls = TRUE;
                 client_set_title(client);
index 5a2a04d641e10c4c1dfcfc9ce2754f54ce013853..153855d100d3aa1ef730f62e3216a46182d6906a 100644 (file)
@@ -5,6 +5,7 @@
 #include "../auth/auth-login-interface.h"
 
 extern int disable_plaintext_auth, process_per_connection, verbose_proctitle;
+extern int verbose_ssl;
 extern unsigned int max_logging_users;
 extern unsigned int login_process_uid;
 
index 24275af5bfff930b7a4ca6796b4359752f7ef9c9..f0b24ea5978a2ae0f671688c7f3a2a2403773483 100644 (file)
@@ -16,6 +16,7 @@
 #include <syslog.h>
 
 int disable_plaintext_auth, process_per_connection, verbose_proctitle;
+int verbose_ssl;
 unsigned int max_logging_users;
 unsigned int login_process_uid;
 
@@ -119,7 +120,7 @@ static void login_accept_ssl(void *context __attr_unused__)
        if (process_per_connection)
                main_close_listen();
 
-       fd_ssl = ssl_proxy_new(fd);
+       fd_ssl = ssl_proxy_new(fd, &ip);
        if (fd_ssl == -1)
                net_disconnect(fd);
        else
@@ -163,7 +164,8 @@ static void main_init(void)
 
        disable_plaintext_auth = getenv("DISABLE_PLAINTEXT_AUTH") != NULL;
        process_per_connection = getenv("PROCESS_PER_CONNECTION") != NULL;
-        verbose_proctitle = getenv("VERBOSE_PROCTITLE") != NULL;
+       verbose_proctitle = getenv("VERBOSE_PROCTITLE") != NULL;
+        verbose_ssl = getenv("VERBOSE_SSL") != NULL;
 
        value = getenv("MAX_LOGGING_USERS");
        max_logging_users = value == NULL ? 0 : strtoul(value, NULL, 10);
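Review bot: The new `verbose_ssl = getenv("VERBOSE_SSL") != NULL;` line in main_init reads the flag from the login process environment, but no hunk in this commit exports that variable from the master process; master-settings.c only registers the setting and its default, so unless master already passes every boolean setting to the login environment generically, verbose_ssl can never take effect, and the login-process spawning code presumably needs the matching export, something like `if (set->verbose_ssl) env_put("VERBOSE_SSL=1");` (constructed example, adapt to how the neighbouring settings are exported). As a point of style, the added line is indented with eight spaces while the line directly above it is corrected in the same hunk to a tab; it should read `	verbose_ssl = getenv("VERBOSE_SSL") != NULL;` with the same tab as its neighbours. main_init starts above this hunk, and login_accept_ssl's `ip` variable is declared outside the hunk that now passes `&ip`.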
index 285109e99f38d3f022364dc770ae91eadb055e42..5346ad117d89f54eb757f5df5796dbd9e2b22abc 100644 (file)
@@ -19,6 +19,8 @@ struct ssl_proxy {
        int refcount;
 
        gnutls_session session;
+       struct ip_addr ip;
+
        int fd_ssl, fd_plain;
        struct io *io_ssl, *io_plain;
        int io_ssl_dir;
@@ -60,20 +62,32 @@ static const char *get_alert_text(struct ssl_proxy *proxy)
 static int handle_ssl_error(struct ssl_proxy *proxy, int error)
 {
        if (!gnutls_error_is_fatal(error)) {
+               if (!verbose_ssl)
+                       return 0;
+
                if (error == GNUTLS_E_WARNING_ALERT_RECEIVED) {
-                       i_warning("Received SSL warning alert: %s",
-                                 get_alert_text(proxy));
+                       i_warning("Received SSL warning alert: %s [%s]",
+                                 get_alert_text(proxy),
+                                 net_ip2host(&proxy->ip));
+               } else {
+                       i_warning("Non-fatal SSL error: %s: %s",
+                                 get_alert_text(proxy),
+                                 net_ip2host(&proxy->ip));
                }
                return 0;
        }
 
-       /* fatal error occured */
-       if (error == GNUTLS_E_FATAL_ALERT_RECEIVED) {
-               i_warning("Received SSL fatal alert: %s",
-                         get_alert_text(proxy));
-       } else {
-               i_warning("Error reading from SSL client: %s",
-                         gnutls_strerror(error));
+       if (verbose_ssl) {
+               /* fatal error occured */
+               if (error == GNUTLS_E_FATAL_ALERT_RECEIVED) {
+                       i_warning("Received SSL fatal alert: %s [%s]",
+                                 get_alert_text(proxy),
+                                 net_ip2host(&proxy->ip));
+               } else {
+                       i_warning("Error reading from SSL client: %s [%s]",
+                                 gnutls_strerror(error),
+                                 net_ip2host(&proxy->ip));
+               }
        }
 
         gnutls_alert_send_appropriate(proxy->session, error);
@@ -290,7 +304,7 @@ static gnutls_session initialize_state(void)
        return session;
 }
 
-int ssl_proxy_new(int fd)
+int ssl_proxy_new(int fd, struct ip_addr *ip)
 {
         struct ssl_proxy *proxy;
        gnutls_session session;
@@ -316,6 +330,7 @@ int ssl_proxy_new(int fd)
        proxy->session = session;
        proxy->fd_ssl = fd;
        proxy->fd_plain = sfd[0];
+       proxy->ip = *ip;
 
        proxy->refcount++;
        ssl_handshake(proxy);
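Review bot: In the handle_ssl_error hunk the new else branch for non-fatal, non-alert errors logs `get_alert_text(proxy)`, but the error reaching that branch is by construction not GNUTLS_E_WARNING_ALERT_RECEIVED, so the text describes whatever alert (if any) the session last received rather than this error; it should use `gnutls_strerror(error)`, and its `%s: %s` layout also differs from the ` [%s]` convention the other four messages use for the peer address. Proposed: `i_warning("Non-fatal SSL error: %s [%s]", gnutls_strerror(error), net_ip2host(&proxy->ip));`. Note also that fatal errors, which this function logged unconditionally before the change, are now logged only when verbose_ssl is set, so a peer's handshake failures leave no trace with the default setting; if that is the intended trade-off it deserves a one-line comment next to the `if (verbose_ssl)` guard. The struct and ssl_proxy_new hunks look consistent with the OpenSSL counterpart; ssl_proxy_new's body continues outside the hunk.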
index d129266352e8fa92a5c468c99be2a2887eabe4cc..59c6a4b7cc15a8aa183b0b3b8c3c48024957ea43 100644 (file)
@@ -24,6 +24,7 @@ struct ssl_proxy {
        int refcount;
 
        SSL *ssl;
+       struct ip_addr ip;
         enum ssl_state state;
 
        int fd_ssl, fd_plain;
@@ -150,9 +151,12 @@ static const char *ssl_last_error(void)
        return buf;
 }
 
-static void ssl_handle_error(struct ssl_proxy *proxy, int err, const char *func)
+static void ssl_handle_error(struct ssl_proxy *proxy, int ret, const char *func)
 {
-       err = SSL_get_error(proxy->ssl, err);
+       const char *errstr;
+       int err;
+
+       err = SSL_get_error(proxy->ssl, ret);
 
        switch (err) {
        case SSL_ERROR_WANT_READ:
@@ -163,7 +167,19 @@ static void ssl_handle_error(struct ssl_proxy *proxy, int err, const char *func)
                break;
        case SSL_ERROR_SYSCALL:
                /* eat up the error queue */
-               /*i_warning("%s failed: %s", func, ssl_last_error());*/
+               if (verbose_ssl) {
+                       if (ERR_peek_error() != 0)
+                               errstr = ssl_last_error();
+                       else {
+                               if (ret == 0)
+                                       errstr = "EOF";
+                               else
+                                       errstr = strerror(errno);
+                       }
+
+                       i_warning("%s syscall failed: %s [%s]",
+                                 func, errstr, net_ip2host(&proxy->ip));
+               }
                ssl_proxy_destroy(proxy);
                break;
        case SSL_ERROR_ZERO_RETURN:
@@ -171,12 +187,15 @@ static void ssl_handle_error(struct ssl_proxy *proxy, int err, const char *func)
                ssl_proxy_destroy(proxy);
                break;
        case SSL_ERROR_SSL:
-               /*i_warning("%s failed: %s", func, ssl_last_error());*/
+               if (verbose_ssl) {
+                       i_warning("%s failed: %s [%s]", func, ssl_last_error(),
+                                 net_ip2host(&proxy->ip));
+               }
                ssl_proxy_destroy(proxy);
                break;
        default:
-               i_warning("%s failed: unknown failure %d (%s)",
-                         func, err, ssl_last_error());
+               i_warning("%s failed: unknown failure %d (%s) [%s]",
+                         func, err, ssl_last_error(), net_ip2host(&proxy->ip));
                ssl_proxy_destroy(proxy);
                break;
        }
@@ -272,7 +291,7 @@ static void ssl_set_direction(struct ssl_proxy *proxy, int dir)
         proxy->io_ssl_dir = dir;
 }
 
-int ssl_proxy_new(int fd)
+int ssl_proxy_new(int fd, struct ip_addr *ip)
 {
        struct ssl_proxy *proxy;
        SSL *ssl;
@@ -307,6 +326,7 @@ int ssl_proxy_new(int fd)
        proxy->ssl = ssl;
        proxy->fd_ssl = fd;
        proxy->fd_plain = sfd[0];
+       proxy->ip = *ip;
 
        proxy->state = SSL_STATE_HANDSHAKE;
        ssl_set_direction(proxy, IO_READ);
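Review bot: In the ssl_handle_error hunks the OpenSSL error queue is now drained only when verbose_ssl is set: in the SSL_ERROR_SYSCALL case the comment still says "eat up the error queue" but the `ssl_last_error()` call that presumably pops it (via ERR_get_error, judging by the static buffer it returns) sits inside `if (verbose_ssl)`, and the SSL_ERROR_SSL case has the same shape, so with the default setting stale entries remain in the thread's queue and a later ssl_last_error() for an unrelated connection can report this connection's error under the wrong peer address. Add an unconditional `ERR_clear_error();` after each of those two `if (verbose_ssl) { ... }` blocks, before the ssl_proxy_destroy call. Separately, `strerror(errno)` in the EOF/errno branch relies on errno surviving SSL_get_error() and ERR_peek_error(); that normally holds but is not guaranteed, so capturing errno at the failing SSL call site would be more robust, and `<errno.h>`/`<string.h>` need to be included if they are not already. The remaining cases of ssl_handle_error and the body of ssl_proxy_new lie outside these hunks.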
index 82d2b883d574073034c6815e03014ef3539897d2..80ca7a5ed550fef30593be00ae80f88b678ad0ba 100644 (file)
@@ -1,12 +1,14 @@
 #ifndef __SSL_PROXY_H
 #define __SSL_PROXY_H
 
+struct ip_addr;
+
 extern int ssl_initialized;
 
 /* establish SSL connection with the given fd, returns a new fd which you
    must use from now on, or -1 if error occured. Unless -1 is returned,
    the given fd must be simply forgotten. */
-int ssl_proxy_new(int fd);
+int ssl_proxy_new(int fd, struct ip_addr *ip);
 
 void ssl_proxy_init(void);
 void ssl_proxy_deinit(void);
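Review bot: Both implementations only copy the pointee (`proxy->ip = *ip;` in ssl-proxy-gnutls.c and ssl-proxy-openssl.c), so the new parameter can be declared `int ssl_proxy_new(int fd, const struct ip_addr *ip);` here and in both definitions, which documents that the caller keeps ownership and lets callers pass a const address. The comment above the prototype should also describe the new argument, e.g. `ip is the peer's address; it is copied into the proxy and used only in log messages, and must not be NULL.` (both implementations dereference it unconditionally). The forward declaration `struct ip_addr;` is the right choice for a pointer parameter and avoids pulling a network header into every includer.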
index c31409f7b330901fffbe7b5e9000b07a5390255e..715614dacebc2c4a1cd44a7ffbcee67c30b552e1 100644 (file)
@@ -39,6 +39,7 @@ static struct setting_def setting_defs[] = {
        /* login */
        DEF(SET_STR, login_dir),
        DEF(SET_BOOL, login_chroot),
+       DEF(SET_BOOL, verbose_ssl),
 
        /* mail */
        DEF(SET_STR, valid_chroot_dirs),
@@ -145,6 +146,7 @@ struct settings default_settings = {
        /* login */
        MEMBER(login_dir) "login",
        MEMBER(login_chroot) TRUE,
+       MEMBER(verbose_ssl) FALSE,
 
        /* mail */
        MEMBER(valid_chroot_dirs) NULL,
index 5821920dcd4b82c926ab5b7fea0b02b2d5cb8648..2be8048e787cfd1b35a7acd26447c58d9043a39d 100644 (file)
@@ -25,6 +25,7 @@ struct settings {
        /* login */
        const char *login_dir;
        int login_chroot;
+       int verbose_ssl;
 
        /* mail */
        const char *valid_chroot_dirs;
index 9626a8da69f8b0ad96101aec721b59daff1a72ab..e8d1eb51157c3c2757f360ee01bde0aa3243055d 100644 (file)
@@ -80,7 +80,7 @@ static int cmd_stls(struct pop3_client *client)
                client->common.io = NULL;
        }
 
-       fd_ssl = ssl_proxy_new(client->common.fd);
+       fd_ssl = ssl_proxy_new(client->common.fd, &client->common.ip);
        if (fd_ssl != -1) {
                client->tls = TRUE;
                 client_set_title(client);