From: Remi Gacogne Date: Wed, 9 Jun 2021 14:49:48 +0000 (+0200) Subject: dnsdist: Better error reporting for client-side GnuTLS validation issues X-Git-Tag: dnsdist-1.7.0-alpha1~45^2~10 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7ad88a3a6c366fe12e79291debdbe5b0b8835b2f;p=thirdparty%2Fpdns.git dnsdist: Better error reporting for client-side GnuTLS validation issues
---
diff --git a/pdns/tcpiohandler.cc b/pdns/tcpiohandler.cc
index 3cd8547332..c4a07587b6 100644
--- a/pdns/tcpiohandler.cc
+++ b/pdns/tcpiohandler.cc
@@ -907,7 +907,12 @@ public:
 do {
 ret = gnutls_handshake(d_conn.get());
 if (gnutls_error_is_fatal(ret) || ret == GNUTLS_E_WARNING_ALERT_RECEIVED) {
- throw std::runtime_error("Error accepting a new connection");
+ if (d_client) {
+ throw std::runtime_error("Error establishing a new connection: " + std::string(gnutls_strerror(ret)));
+ }
+ else {
+ throw std::runtime_error("Error accepting a new connection: " + std::string(gnutls_strerror(ret)));
+ }
 }
 }
 while (ret != GNUTLS_E_SUCCESS && ret == GNUTLS_E_INTERRUPTED);
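Review bot: The client-side verification detail that the second hunk appends for GNUTLS_E_CERTIFICATE_VERIFICATION_ERROR is not added here, so a blocking handshake that fails certificate validation still reports only gnutls_strerror(ret) and the operator cannot see which verification check failed; the enclosing handshake method starts outside the hunk. Both hunks also duplicate the same d_client/else message selection, which is how the wording drifts between them. A small private helper that builds the " (...)" suffix would let every throw site use one line and keep the messages in sync; a sketch follows, with the unchanged loop elided.
```cpp
// Proposed private helper: returns " (<verification status>)" for a client-side
// certificate verification failure, otherwise an empty string.
std::string getVerificationErrorSuffix(int ret) const
{
  if (!d_client || ret != GNUTLS_E_CERTIFICATE_VERIFICATION_ERROR) {
    return std::string();
  }
  gnutls_datum_t out{};
  if (gnutls_certificate_verification_status_print(gnutls_session_get_verify_cert_status(d_conn.get()), gnutls_certificate_type_get(d_conn.get()), &out, 0) != 0) {
    return std::string();
  }
  std::string suffix = " (" + std::string(reinterpret_cast<const char*>(out.data)) + ")";
  gnutls_free(out.data);
  return suffix;
}

// … unchanged: do { ret = gnutls_handshake(...); …
if (gnutls_error_is_fatal(ret) || ret == GNUTLS_E_WARNING_ALERT_RECEIVED) {
  throw std::runtime_error(std::string(d_client ? "Error establishing a new connection: " : "Error accepting a new connection: ") + gnutls_strerror(ret) + getVerificationErrorSuffix(ret));
}
// … unchanged: } while (...); …
```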
@@ -930,11 +935,29 @@ public:
 return direction == 0 ? IOState::NeedRead : IOState::NeedWrite;
 }
 else if (gnutls_error_is_fatal(ret) || ret == GNUTLS_E_WARNING_ALERT_RECEIVED) {
- throw std::runtime_error("Error accepting a new connection: " + std::string(gnutls_strerror(ret)));
+ if (d_client) {
+ std::string error;
+ if (ret == GNUTLS_E_CERTIFICATE_VERIFICATION_ERROR) {
+ gnutls_datum_t out;
+ if (gnutls_certificate_verification_status_print(gnutls_session_get_verify_cert_status(d_conn.get()), gnutls_certificate_type_get(d_conn.get()), &out, 0) == 0) {
+ error = " (" + std::string(reinterpret_cast(out.data)) + ")";
+ gnutls_free(out.data);
+ }
+ }
+ throw std::runtime_error("Error accepting a new connection: " + std::string(gnutls_strerror(ret)) + error);
+ }
+ else {
+ throw std::runtime_error("Error establishing a new connection: " + std::string(gnutls_strerror(ret)));
+ }
 }
 }
 while (ret == GNUTLS_E_INTERRUPTED);
- throw std::runtime_error("Error accepting a new connection");
+ if (d_client) {
+ throw std::runtime_error("Error establishinging a new connection: " + std::string(gnutls_strerror(ret)));
+ }
+ else {
+ throw std::runtime_error("Error accepting a new connection: " + std::string(gnutls_strerror(ret)));
+ }
 }
 IOState tryWrite(const PacketBuffer& buffer, size_t& pos, size_t toWrite) override
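Review bot: The first added block inverts the wording used everywhere else in this change: with `d_client` set it throws "Error accepting a new connection" and the server-side branch throws "Error establishing", while the first hunk and the third block of this hunk map `d_client` to "establishing", so a client-side validation failure would be logged as an accept error. The third block also carries a typo, `"Error establishinging a new connection: "`. Suggested: swap the two literals in the first block so the client branch reads `"Error establishing a new connection: " + std::string(gnutls_strerror(ret)) + error` and the else branch `"Error accepting a new connection: "`, and fix the typo to `"Error establishing a new connection: "`. The `reinterpret_cast(out.data)` line appears to have lost its template argument in this rendering (presumably `<const char*>`); worth confirming against the actual source. The enclosing handshake method starts outside the hunk.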