MINOR: ssl: Add ocsp stapling callback traces

If OCSP stapling fails because of a missing or invalid OCSP response we
used to silently disable stapling for the given session. We can now know
a bit more what happened regarding OCSP stapling.

diff --git a/include/haproxy/ssl_trace-t.h b/include/haproxy/ssl_trace-t.h
index 0678fb68d4b37439ba1ad22d511dd9bb8f95604b..a033728b08d9fe815e31296f03ac96392397956c 100644 (file)
--- a/include/haproxy/ssl_trace-t.h
+++ b/include/haproxy/ssl_trace-t.h
@@ -29,6 +29,7 @@ extern struct trace_source trace_ssl;
 #define SSL_EV_CONN_IO_CB          (1ULL <<  8)
 #define SSL_EV_CONN_HNDSHK         (1ULL <<  9)
 #define SSL_EV_CONN_VFY_CB         (1ULL << 10)
+#define SSL_EV_CONN_STAPLING       (1ULL << 11)
 
 #define TRACE_SOURCE &trace_ssl
 

diff --git a/src/ssl_ocsp.c b/src/ssl_ocsp.c
index 59750905842960b44a18778b903d0ce35042d5cb..a6355e6f096f632e70381c8886bbe3dfae4a87fb 100644 (file)
--- a/src/ssl_ocsp.c
+++ b/src/ssl_ocsp.c
@@ -62,6 +62,8 @@
 #include <haproxy/task.h>
 #include <haproxy/ticks.h>
 #include <haproxy/time.h>
+#include <haproxy/trace.h>
+#include <haproxy/ssl_trace-t.h>
 
 #ifdef HAVE_SSL_OCSP
 
@@ -112,6 +114,8 @@ int ssl_sock_ocsp_stapling_cbk(SSL *ssl, void *arg)
        int key_type;
        int index;
 
+       TRACE_ENTER(SSL_EV_CONN_STAPLING, conn);
+
        ctx = SSL_get_SSL_CTX(ssl);
        if (!ctx)
                goto error;
@@ -133,12 +137,16 @@ int ssl_sock_ocsp_stapling_cbk(SSL *ssl, void *arg)
        }
 
        ocsp_arg = SSL_CTX_get_ex_data(ctx, ocsp_ex_index);
-       if (!ocsp_arg)
+       if (!ocsp_arg) {
+               TRACE_ERROR("Could not get ex_data", SSL_EV_CONN_STAPLING, conn);
                goto error;
+       }
 
        ssl_pkey = SSL_get_privatekey(ssl);
-       if (!ssl_pkey)
+       if (!ssl_pkey) {
+               TRACE_ERROR("Could not get private key from SSL context", SSL_EV_CONN_STAPLING, conn);
                goto error;
+       }
 
        key_type = EVP_PKEY_base_id(ssl_pkey);
 
@@ -150,8 +158,10 @@ int ssl_sock_ocsp_stapling_cbk(SSL *ssl, void *arg)
                 */
                index = ssl_sock_get_ocsp_arg_kt_index(key_type);
 
-               if (index < 0)
+               if (index < 0) {
+                       TRACE_ERROR("Wrong key_type", SSL_EV_CONN_STAPLING, conn);
                        goto error;
+               }
 
                ocsp = ocsp_arg->m_ocsp[index];
 
@@ -159,13 +169,20 @@ int ssl_sock_ocsp_stapling_cbk(SSL *ssl, void *arg)
 
        if (!ocsp ||
            !ocsp->response.area ||
-           !ocsp->response.data ||
-           (ocsp->expire < date.tv_sec))
+           !ocsp->response.data) {
+               TRACE_ERROR("Missing OCSP response", SSL_EV_CONN_STAPLING, conn, ssl);
                goto error;
+       }
+       if (ocsp->expire < date.tv_sec) {
+               TRACE_ERROR("Expired OCSP response", SSL_EV_CONN_STAPLING, conn, ssl);
+               goto error;
+       }
 
        ssl_buf = OPENSSL_malloc(ocsp->response.data);
-       if (!ssl_buf)
+       if (!ssl_buf) {
+               TRACE_ERROR("Allocation failure", SSL_EV_CONN_STAPLING, conn);
                goto error;
+       }
 
 
        memcpy(ssl_buf, ocsp->response.area, ocsp->response.data);
@@ -176,6 +193,8 @@ int ssl_sock_ocsp_stapling_cbk(SSL *ssl, void *arg)
                HA_ATOMIC_INC(&counters_px->ocsp_staple);
        }
 
+       TRACE_LEAVE(SSL_EV_CONN_STAPLING, conn);
+
        return SSL_TLSEXT_ERR_OK;
 
 
@@ -186,6 +205,8 @@ error:
                HA_ATOMIC_INC(&counters_px->failed_ocsp_staple);
        }
 
+       TRACE_ERROR("Stapling callback error", SSL_EV_CONN_STAPLING, conn);
+
        return SSL_TLSEXT_ERR_NOACK;
 }
 

diff --git a/src/ssl_trace.c b/src/ssl_trace.c
index eaec5cf4c20989b38e1f982a23c15d7992d133b7..1408ee1af8f186787246a520972e54b54f632eea 100644 (file)
--- a/src/ssl_trace.c
+++ b/src/ssl_trace.c
@@ -37,6 +37,7 @@ static const struct trace_event ssl_trace_events[] = {
        { .mask = SSL_EV_CONN_IO_CB,          .name = "sslc_io_cb",          .desc = "SSL io callback"},
        { .mask = SSL_EV_CONN_HNDSHK,         .name = "sslc_hndshk",         .desc = "SSL handshake"},
        { .mask = SSL_EV_CONN_VFY_CB,         .name = "sslc_vfy_cb",         .desc = "SSL verify callback"},
+       { .mask = SSL_EV_CONN_STAPLING,       .name = "sslc_stapling",       .desc = "SSL OCSP stapling callback"},
        { }
 };