From: Arran Cudbard-Bell
Date: Wed, 25 Aug 2021 16:46:51 +0000 (-0500)
Subject: More helpful TLS alert messages
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9f070bd7dae0816041c678d16fde322280150119;p=thirdparty%2Ffreeradius-server.git
More helpful TLS alert messages
---
diff --git a/src/lib/tls/session.c b/src/lib/tls/session.c
index e049bea60ea..959bea14e7e 100644
--- a/src/lib/tls/session.c
+++ b/src/lib/tls/session.c
@@ -525,18 +525,22 @@ void fr_tls_session_info_cb(SSL const *ssl, int where, int ret)
 if (where & SSL_CB_ALERT) {
 if ((ret & 0xff) == SSL_AD_CLOSE_NOTIFY) return;
+ /*
+ * We got an alert...
+ */
 if (where & SSL_CB_READ) {
 fr_pair_t *vp;
- REDEBUG("Client sent %s TLS alert: %s", SSL_alert_type_string_long(ret),
- SSL_alert_desc_string_long(ret));
+ REDEBUG("Client sent %s TLS alert (%i) - %s", SSL_alert_type_string_long(ret),
+ ret & 0xff, SSL_alert_desc_string_long(ret));
 /*
 * Offer helpful advice... Should be expanded.
 */
 switch (ret & 0xff) {
 case TLS1_AD_UNKNOWN_CA:
- REDEBUG("Verify client has copy of CA certificate (and trusts CA)");
+ REDEBUG("Verify the client has a copy of the server's Certificate "
+ "Authority (CA) installed, and trusts that CA");
 break;
 default:
@@ -546,9 +550,27 @@ void fr_tls_session_info_cb(SSL const *ssl, int where, int ret)
 MEM(pair_update_request(&vp, attr_tls_client_error_code) >= 0);
 vp->vp_uint8 = ret & 0xff;
 RDEBUG2("&TLS-Client-Error-Code := %pV", &vp->data);
+ /*
+ * We're sending the client an alert.
+ */
 } else {
- REDEBUG("Sending client %s TLS alert: %s %i", SSL_alert_type_string_long(ret),
- SSL_alert_desc_string_long(ret), ret & 0xff);
+ REDEBUG("Sending client %s TLS alert (%i) - %s", SSL_alert_type_string_long(ret),
+ ret & 0xff, SSL_alert_desc_string_long(ret));
+
+ /*
+ * Offer helpful advice... Should be expanded.
+ */
+ switch (ret & 0xff) {
+ case TLS1_AD_PROTOCOL_VERSION:
+ REDEBUG("Client requested a TLS protocol version that is not enabled or not supported. "
+ "Upgrade FreeRADIUS + OpenSSL to their latest versions and/or adjust "
+ "'tls_max_version'/'tls_min_version' if you want authentication to "
+ "succeed");
+ break;
+
+ default:
+ break;
+ }
 }
 return;
 }
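Review bot: The advice string added under `case TLS1_AD_PROTOCOL_VERSION:` tells the operator to "adjust 'tls_max_version'/'tls_min_version' if you want authentication to succeed", which will most often be read as lowering `tls_min_version` to admit a client that only offers a protocol version the server has deliberately disabled; the message should point at updating the client first and present relaxing the floor as the fallback, e.g. `"Upgrade the client to a version that supports the TLS versions permitted by 'tls_min_version'/'tls_max_version'; only lower 'tls_min_version' if such clients must be supported"`. On a style point, the new comment `/* We're sending the client an alert. */` is placed inside the `SSL_CB_READ` branch directly above `} else {`, so it reads as a trailer of the client-sent case rather than a header for the server-sent one; moving it to the first line inside the `else` body would match how `We got an alert...` sits above the `if` in the first hunk. The "Offer helpful advice" `switch` is now duplicated in both branches with one case each, so a small `static` helper keyed on `ret & 0xff` would keep the two lists from drifting as they are expanded. fr_tls_session_info_cb begins before this hunk.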