From: Christos Tsantilas <chtsanti@users.sourceforge.net>
Date: Thu, 8 Oct 2015 17:20:27 +0000 (+0300)
Subject: %ssl::<cert_errors logformat code
X-Git-Tag: SQUID_4_0_1~13
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7598eb63ac4878f32ae887a950b33f6ed6335270;p=thirdparty%2Fsquid.git

%ssl::<cert_errors logformat code

The new %ssl::<cert_errors logformat code lists server certificate
validation errors detected by Squid (including OpenSSL and the
certificate validation helper components). The errors are listed in
the discovery order. By default, the error codes are separated by ':'.
Custom separators are also supported. For example:

  %{;}ssl::<cert_errors

This is a Measurement Factory project.
---

diff --git a/src/cf.data.pre b/src/cf.data.pre
index 672550ce88..e9944786e1 100644
--- a/src/cf.data.pre
+++ b/src/cf.data.pre
@@ -4339,6 +4339,13 @@ DOC_START
 				no certificate at all. Consider encoding the
 				logged value because Issuer often has spaces.
 
+		%ssl::<cert_errors The list of certificate validation errors
+				detected by Squid (including OpenSSL and
+				certificate validation helper components). The
+				errors are listed in the discovery order. By
+				default, the error codes are separated by ':'.
+				Accepts an optional separator argument.
+
 	The default formats available (which do not need re-defining) are:
 
 logformat squid      %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
diff --git a/src/format/ByteCode.h b/src/format/ByteCode.h
index 6b170b313f..ca66b0b858 100644
--- a/src/format/ByteCode.h
+++ b/src/format/ByteCode.h
@@ -217,6 +217,7 @@ typedef enum {
     LFT_SSL_CLIENT_SNI,
     LFT_SSL_SERVER_CERT_SUBJECT,
     LFT_SSL_SERVER_CERT_ISSUER,
+    LFT_SSL_SERVER_CERT_ERRORS,
 #endif
 
     LFT_NOTE,
diff --git a/src/format/Format.cc b/src/format/Format.cc
index b531835656..5a05988aa3 100644
--- a/src/format/Format.cc
+++ b/src/format/Format.cc
@@ -309,6 +309,15 @@ log_quoted_string(const char *str, char *out)
     *p = '\0';
 }
 
+#if USE_OPENSSL
+static char *
+sslErrorName(Ssl::ssl_error_t err, char *buf, size_t size)
+{
+    snprintf(buf, size, "SSL_ERR=%d", err);
+    return buf;
+}
+#endif
+
 void
 Format::Format::assemble(MemBuf &mb, const AccessLogEntry::Pointer &al, int logSequenceNumber) const
 {
@@ -888,10 +897,8 @@ Format::Format::assemble(MemBuf &mb, const AccessLogEntry::Pointer &al, int logS
         case LFT_SQUID_ERROR_DETAIL:
 #if USE_OPENSSL
             if (al->request && al->request->errType == ERR_SECURE_CONNECT_FAIL) {
-                if (! (out = Ssl::GetErrorName(al->request->errDetail))) {
-                    snprintf(tmp, sizeof(tmp), "SSL_ERR=%d", al->request->errDetail);
-                    out = tmp;
-                }
+                if (! (out = Ssl::GetErrorName(al->request->errDetail)))
+                    out = sslErrorName(al->request->errDetail, tmp, sizeof(tmp));
             } else
 #endif
                 if (al->request && al->request->errDetail != ERR_DETAIL_NONE) {
@@ -1158,6 +1165,24 @@ Format::Format::assemble(MemBuf &mb, const AccessLogEntry::Pointer &al, int logS
             }
             break;
 
+        case LFT_SSL_SERVER_CERT_ERRORS:
+            if (al->request && al->request->clientConnectionManager.valid()) {
+                if (Ssl::ServerBump * srvBump = al->request->clientConnectionManager->serverBump()) {
+                    const char *separator = fmt->data.string ? fmt->data.string : ":";
+                    for (Ssl::CertErrors *sslError = srvBump->sslErrors; sslError != NULL;  sslError = sslError->next) {
+                        if (sb.size())
+                            sb.append(separator);
+                        if (const char *errorName = Ssl::GetErrorName(sslError->element.code))
+                            sb.append(errorName);
+                        else
+                            sb.append(sslErrorName(sslError->element.code, tmp, sizeof(tmp)));
+                    }
+                    if (sb.size())
+                        out = sb.termedBuf();
+                }
+            }
+            break;
+
         case LFT_SSL_SERVER_CERT_ISSUER:
         case LFT_SSL_SERVER_CERT_SUBJECT:
             // Not implemented
diff --git a/src/format/Token.cc b/src/format/Token.cc
index 8e0b31b49e..3533af12fd 100644
--- a/src/format/Token.cc
+++ b/src/format/Token.cc
@@ -192,6 +192,7 @@ static TokenTableEntry TokenTableSsl[] = {
     TokenTableEntry(">sni", LFT_SSL_CLIENT_SNI),
     /*TokenTableEntry("<cert_subject", LFT_SSL_SERVER_CERT_SUBJECT), */
     /*TokenTableEntry("<cert_issuer", LFT_SSL_SERVER_CERT_ISSUER), */
+    TokenTableEntry("<cert_errors", LFT_SSL_SERVER_CERT_ERRORS),
     TokenTableEntry(NULL, LFT_NONE)
 };
 #endif