From: Timo Sirainen
Date: Sun, 23 Feb 2003 19:44:46 +0000 (+0200)
Subject: Added setting verbose_ssl
X-Git-Tag: 1.1.alpha1~4871
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5088da7d8cbfe6dcde8e2f34d09d9107f3cb0c9d;p=thirdparty%2Fdovecot%2Fcore.git

Added setting verbose_ssl

--HG--
branch : HEAD
---

diff --git a/src/imap-login/client.c b/src/imap-login/client.c
index 543cdb9593..cfefe21082 100644
--- a/src/imap-login/client.c
+++ b/src/imap-login/client.c
@@ -125,7 +125,7 @@ static int cmd_starttls(struct imap_client *client)
 client->common.io = NULL;
 }
 
- fd_ssl = ssl_proxy_new(client->common.fd);
+ fd_ssl = ssl_proxy_new(client->common.fd, &client->common.ip);
 if (fd_ssl != -1) {
 client->tls = TRUE;
 client_set_title(client);
diff --git a/src/login-common/common.h b/src/login-common/common.h
index 5a2a04d641..153855d100 100644
--- a/src/login-common/common.h
+++ b/src/login-common/common.h
@@ -5,6 +5,7 @@
 #include "../auth/auth-login-interface.h"
 
 extern int disable_plaintext_auth, process_per_connection, verbose_proctitle;
+extern int verbose_ssl;
 extern unsigned int max_logging_users;
 extern unsigned int login_process_uid;
 
diff --git a/src/login-common/main.c b/src/login-common/main.c
index 24275af5bf..f0b24ea597 100644
--- a/src/login-common/main.c
+++ b/src/login-common/main.c
@@ -16,6 +16,7 @@
 #include 
 
 int disable_plaintext_auth, process_per_connection, verbose_proctitle;
+int verbose_ssl;
 unsigned int max_logging_users;
 unsigned int login_process_uid;
 
@@ -119,7 +120,7 @@ static void login_accept_ssl(void *context __attr_unused__)
 if (process_per_connection)
 main_close_listen();
 
- fd_ssl = ssl_proxy_new(fd);
+ fd_ssl = ssl_proxy_new(fd, &ip);
 if (fd_ssl == -1)
 net_disconnect(fd);
 else
@@ -163,7 +164,8 @@ static void main_init(void)
 
 disable_plaintext_auth = getenv("DISABLE_PLAINTEXT_AUTH") != NULL;
 process_per_connection = getenv("PROCESS_PER_CONNECTION") != NULL;
- verbose_proctitle = getenv("VERBOSE_PROCTITLE") != NULL;
+ verbose_proctitle = getenv("VERBOSE_PROCTITLE") != NULL;
+ verbose_ssl = getenv("VERBOSE_SSL") != NULL;
 
 value = getenv("MAX_LOGGING_USERS");
 max_logging_users = value == NULL ? 0 : strtoul(value, NULL, 10);
diff --git a/src/login-common/ssl-proxy-gnutls.c b/src/login-common/ssl-proxy-gnutls.c
index 285109e99f..5346ad117d 100644
--- a/src/login-common/ssl-proxy-gnutls.c
+++ b/src/login-common/ssl-proxy-gnutls.c
@@ -19,6 +19,8 @@ struct ssl_proxy {
 int refcount;
 gnutls_session session;
 
+ struct ip_addr ip;
+
 int fd_ssl, fd_plain;
 struct io *io_ssl, *io_plain;
 int io_ssl_dir;
@@ -60,20 +62,32 @@ static const char *get_alert_text(struct ssl_proxy *proxy)
 static int handle_ssl_error(struct ssl_proxy *proxy, int error)
 {
 if (!gnutls_error_is_fatal(error)) {
+ if (!verbose_ssl)
+ return 0;
+
 if (error == GNUTLS_E_WARNING_ALERT_RECEIVED) {
- i_warning("Received SSL warning alert: %s",
- get_alert_text(proxy));
+ i_warning("Received SSL warning alert: %s [%s]",
+ get_alert_text(proxy),
+ net_ip2host(&proxy->ip));
+ } else {
+ i_warning("Non-fatal SSL error: %s: %s",
+ get_alert_text(proxy),
+ net_ip2host(&proxy->ip));
 }
 return 0;
 }
 
- /* fatal error occured */
- if (error == GNUTLS_E_FATAL_ALERT_RECEIVED) {
- i_warning("Received SSL fatal alert: %s",
- get_alert_text(proxy));
- } else {
- i_warning("Error reading from SSL client: %s",
- gnutls_strerror(error));
+ if (verbose_ssl) {
+ /* fatal error occured */
+ if (error == GNUTLS_E_FATAL_ALERT_RECEIVED) {
+ i_warning("Received SSL fatal alert: %s [%s]",
+ get_alert_text(proxy),
+ net_ip2host(&proxy->ip));
+ } else {
+ i_warning("Error reading from SSL client: %s [%s]",
+ gnutls_strerror(error),
+ net_ip2host(&proxy->ip));
+ }
 }
 
 gnutls_alert_send_appropriate(proxy->session, error);
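Review bot: The new non-fatal `else` branch in handle_ssl_error formats `get_alert_text(proxy)` for errors that are presumably not alerts at all (the alert case is the `if` just above it), so the message would describe whatever alert was last seen rather than the error being handled; the fatal branch further down already uses `gnutls_strerror(error)` for exactly this case. The format string also drops the `[%s]` bracket convention that the other three messages in this hunk use for the client address. I would change those lines to `i_warning("Non-fatal SSL error: %s [%s]", gnutls_strerror(error), net_ip2host(&proxy->ip));`. The `gnutls_alert_send_appropriate()` call on the last context line still runs on the fatal path whether or not verbose_ssl is set, which looks intended; handle_ssl_error continues past the hunk.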
@@ -290,7 +304,7 @@ static gnutls_session initialize_state(void)
 return session;
 }
 
-int ssl_proxy_new(int fd)
+int ssl_proxy_new(int fd, struct ip_addr *ip)
 {
 struct ssl_proxy *proxy;
 gnutls_session session;
@@ -316,6 +330,7 @@ int ssl_proxy_new(int fd)
 proxy->session = session;
 proxy->fd_ssl = fd;
 proxy->fd_plain = sfd[0];
+ proxy->ip = *ip;
 proxy->refcount++;
 
 ssl_handshake(proxy);
diff --git a/src/login-common/ssl-proxy-openssl.c b/src/login-common/ssl-proxy-openssl.c
index d129266352..59c6a4b7cc 100644
--- a/src/login-common/ssl-proxy-openssl.c
+++ b/src/login-common/ssl-proxy-openssl.c
@@ -24,6 +24,7 @@ struct ssl_proxy {
 int refcount;
 SSL *ssl;
+ struct ip_addr ip;
 enum ssl_state state;
 
 int fd_ssl, fd_plain;
@@ -150,9 +151,12 @@ static const char *ssl_last_error(void)
 return buf;
 }
 
-static void ssl_handle_error(struct ssl_proxy *proxy, int err, const char *func)
+static void ssl_handle_error(struct ssl_proxy *proxy, int ret, const char *func)
 {
- err = SSL_get_error(proxy->ssl, err);
+ const char *errstr;
+ int err;
+
+ err = SSL_get_error(proxy->ssl, ret);
 
 switch (err) {
 case SSL_ERROR_WANT_READ:
@@ -163,7 +167,19 @@ static void ssl_handle_error(struct ssl_proxy *proxy, int err, const char *func)
 break;
 case SSL_ERROR_SYSCALL:
 /* eat up the error queue */
- /*i_warning("%s failed: %s", func, ssl_last_error());*/
+ if (verbose_ssl) {
+ if (ERR_peek_error() != 0)
+ errstr = ssl_last_error();
+ else {
+ if (ret == 0)
+ errstr = "EOF";
+ else
+ errstr = strerror(errno);
+ }
+
+ i_warning("%s syscall failed: %s [%s]",
+ func, errstr, net_ip2host(&proxy->ip));
+ }
 ssl_proxy_destroy(proxy);
 break;
 case SSL_ERROR_ZERO_RETURN:
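Review bot: In the SSL_ERROR_SYSCALL branch `strerror(errno)` is evaluated only after `SSL_get_error()` and `ERR_peek_error()` have run, and ssl_handle_error is itself a separate call from the failing SSL_read/SSL_write, so the errno it logs is meaningful only if nothing in between overwrote it — that appears to hold for the calls visible here, but nothing states the requirement. I would add a comment above `errstr = strerror(errno);` such as `/* relies on errno still being the one left by the failing SSL_* call; callers must invoke ssl_handle_error() before any other libc or OpenSSL call */`. The `/* eat up the error queue */` comment is now misleading as well, since with verbose_ssl off this branch no longer touches the queue at all; it should either be reworded or the queue cleared unconditionally. ssl_handle_error continues past the hunk.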
@@ -171,12 +187,15 @@ static void ssl_handle_error(struct ssl_proxy *proxy, int err, const char *func)
 ssl_proxy_destroy(proxy);
 break;
 case SSL_ERROR_SSL:
- /*i_warning("%s failed: %s", func, ssl_last_error());*/
+ if (verbose_ssl) {
+ i_warning("%s failed: %s [%s]", func, ssl_last_error(),
+ net_ip2host(&proxy->ip));
+ }
 ssl_proxy_destroy(proxy);
 break;
 default:
- i_warning("%s failed: unknown failure %d (%s)",
- func, err, ssl_last_error());
+ i_warning("%s failed: unknown failure %d (%s) [%s]",
+ func, err, ssl_last_error(), net_ip2host(&proxy->ip));
 ssl_proxy_destroy(proxy);
 break;
 }
@@ -272,7 +291,7 @@ static void ssl_set_direction(struct ssl_proxy *proxy, int dir)
 proxy->io_ssl_dir = dir;
 }
 
-int ssl_proxy_new(int fd)
+int ssl_proxy_new(int fd, struct ip_addr *ip)
 {
 struct ssl_proxy *proxy;
 SSL *ssl;
@@ -307,6 +326,7 @@ int ssl_proxy_new(int fd)
 proxy->ssl = ssl;
 proxy->fd_ssl = fd;
 proxy->fd_plain = sfd[0];
+ proxy->ip = *ip;
 proxy->state = SSL_STATE_HANDSHAKE;
 
 ssl_set_direction(proxy, IO_READ);
diff --git a/src/login-common/ssl-proxy.h b/src/login-common/ssl-proxy.h
index 82d2b883d5..80ca7a5ed5 100644
--- a/src/login-common/ssl-proxy.h
+++ b/src/login-common/ssl-proxy.h
@@ -1,12 +1,14 @@
 #ifndef __SSL_PROXY_H
 #define __SSL_PROXY_H
 
+struct ip_addr;
+
 extern int ssl_initialized;
 
 /* establish SSL connection with the given fd, returns a new fd which you must
 use from now on, or -1 if error occured. Unless -1 is returned, the given
 fd must be simply forgotten. */
-int ssl_proxy_new(int fd);
+int ssl_proxy_new(int fd, struct ip_addr *ip);
 
 void ssl_proxy_init(void);
 void ssl_proxy_deinit(void);
diff --git a/src/master/master-settings.c b/src/master/master-settings.c
index c31409f7b3..715614dace 100644
--- a/src/master/master-settings.c
+++ b/src/master/master-settings.c
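Review bot: `ssl_proxy_new()` only reads through `ip` (both implementations do `proxy->ip = *ip;`), so the new parameter should be `const struct ip_addr *ip` in this prototype and in the two definitions in ssl-proxy-gnutls.c and ssl-proxy-openssl.c; as written a caller holding a pointer to const cannot pass it without a cast. The comment above the prototype describes `fd` but says nothing about the new argument; I would extend it with `ip is the client's address; it is copied into the proxy and is used only in SSL warning messages.` Neither definition checks `ip` for NULL before dereferencing it, which is fine given all three callers in this commit pass an address, but that contract belongs in the same comment (`ip must not be NULL`).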
@@ -39,6 +39,7 @@ static struct setting_def setting_defs[] = {
 /* login */
 DEF(SET_STR, login_dir),
 DEF(SET_BOOL, login_chroot),
+ DEF(SET_BOOL, verbose_ssl),
 
 /* mail */
 DEF(SET_STR, valid_chroot_dirs),
@@ -145,6 +146,7 @@ struct settings default_settings = {
 /* login */
 MEMBER(login_dir) "login",
 MEMBER(login_chroot) TRUE,
+ MEMBER(verbose_ssl) FALSE,
 
 /* mail */
 MEMBER(valid_chroot_dirs) NULL,
diff --git a/src/master/master-settings.h b/src/master/master-settings.h
index 5821920dcd..2be8048e78 100644
--- a/src/master/master-settings.h
+++ b/src/master/master-settings.h
@@ -25,6 +25,7 @@ struct settings {
 /* login */
 const char *login_dir;
 int login_chroot;
+ int verbose_ssl;
 
 /* mail */
 const char *valid_chroot_dirs;
diff --git a/src/pop3-login/client.c b/src/pop3-login/client.c
index 9626a8da69..e8d1eb5115 100644
--- a/src/pop3-login/client.c
+++ b/src/pop3-login/client.c
@@ -80,7 +80,7 @@ static int cmd_stls(struct pop3_client *client)
 client->common.io = NULL;
 }
 
- fd_ssl = ssl_proxy_new(client->common.fd);
+ fd_ssl = ssl_proxy_new(client->common.fd, &client->common.ip);
 if (fd_ssl != -1) {
 client->tls = TRUE;
 client_set_title(client);
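Review bot: The login process reads this setting from its environment (`verbose_ssl = getenv("VERBOSE_SSL") != NULL;` in login-common/main.c), but nothing in this commit exports a VERBOSE_SSL variable when the master spawns login processes, so unless that export is derived from setting_defs[] somewhere not shown, the new `DEF(SET_BOOL, verbose_ssl)` entry never reaches the code that checks it and the option silently does nothing. Worth confirming against the master's login-process environment setup; wherever VERBOSE_PROCTITLE is exported is the place to add it. setting_defs[] and default_settings continue outside the hunk.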