no certificate at all. Consider encoding the
logged value because Issuer often has spaces.
+ %ssl::<cert_errors The list of certificate validation errors
+ detected by Squid (including OpenSSL and
+ certificate validation helper components). The
+ errors are listed in the discovery order. By
+ default, the error codes are separated by ':'.
+ Accepts an optional separator argument.
+
The default formats available (which do not need re-defining) are:
logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
*p = '\0';
}
+#if USE_OPENSSL
+static char *
+sslErrorName(Ssl::ssl_error_t err, char *buf, size_t size)
+{
+ snprintf(buf, size, "SSL_ERR=%d", err);
+ return buf;
+}
+#endif
+
void
Format::Format::assemble(MemBuf &mb, const AccessLogEntry::Pointer &al, int logSequenceNumber) const
{
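Review bot: `sslErrorName` is added without a comment, and its contract is not obvious from the signature. It returns `buf` itself, so the result is only valid while the caller's buffer is, and `snprintf` silently truncates the text if `size` is too small. A one-line header such as `/// Formats an SSL error code that has no symbolic name as "SSL_ERR=<code>" into buf; returns buf.` would cover it. The `%d` conversion also assumes `Ssl::ssl_error_t` is an `int`-compatible type, which is not visible in this hunk; `static_cast<int>(err)` would make that explicit.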
case LFT_SQUID_ERROR_DETAIL:
#if USE_OPENSSL
if (al->request && al->request->errType == ERR_SECURE_CONNECT_FAIL) {
- if (! (out = Ssl::GetErrorName(al->request->errDetail))) {
- snprintf(tmp, sizeof(tmp), "SSL_ERR=%d", al->request->errDetail);
- out = tmp;
- }
+ if (! (out = Ssl::GetErrorName(al->request->errDetail)))
+ out = sslErrorName(al->request->errDetail, tmp, sizeof(tmp));
} else
#endif
if (al->request && al->request->errDetail != ERR_DETAIL_NONE) {
}
break;
+ case LFT_SSL_SERVER_CERT_ERRORS:
+ if (al->request && al->request->clientConnectionManager.valid()) {
+ if (Ssl::ServerBump * srvBump = al->request->clientConnectionManager->serverBump()) {
+ const char *separator = fmt->data.string ? fmt->data.string : ":";
+ for (Ssl::CertErrors *sslError = srvBump->sslErrors; sslError != NULL; sslError = sslError->next) {
+ if (sb.size())
+ sb.append(separator);
+ if (const char *errorName = Ssl::GetErrorName(sslError->element.code))
+ sb.append(errorName);
+ else
+ sb.append(sslErrorName(sslError->element.code, tmp, sizeof(tmp)));
+ }
+ if (sb.size())
+ out = sb.termedBuf();
+ }
+ }
+ break;
+
case LFT_SSL_SERVER_CERT_ISSUER:
case LFT_SSL_SERVER_CERT_SUBJECT:
// Not implemented
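Review bot: In the new `LFT_SSL_SERVER_CERT_ERRORS` case, `out` is left unset both when the error list is empty and when `al->request`, the connection manager or `serverBump()` is unavailable. A log consumer therefore cannot tell "certificate validated with no errors" from "no bump state was available to inspect". The field appears to be populated only for bumped connections whose manager is still valid at logging time, and the `%ssl::<cert_errors` option text should say so for anyone alerting on validation failures. The separator is taken unchanged from `fmt->data.string`; a comment such as `// separator is admin-supplied; whitespace in it will split this field in space-delimited log formats` would document that. `sb` and `tmp` are declared outside this hunk, so their sizes and lifetimes cannot be checked from here.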
TokenTableEntry(">sni", LFT_SSL_CLIENT_SNI),
/*TokenTableEntry("<cert_subject", LFT_SSL_SERVER_CERT_SUBJECT), */
/*TokenTableEntry("<cert_issuer", LFT_SSL_SERVER_CERT_ISSUER), */
+ TokenTableEntry("<cert_errors", LFT_SSL_SERVER_CERT_ERRORS),
TokenTableEntry(NULL, LFT_NONE)
};
#endif