if (conn) {
bind_conf = __objt_listener(conn->target)->bind_conf;
ctx = __conn_get_ssl_sock_ctx(conn);
+ TRACE_ENTER(SSL_EV_CONN_VFY_CB, conn);
}
#ifdef USE_QUIC
else {
depth = X509_STORE_CTX_get_error_depth(x_store);
err = X509_STORE_CTX_get_error(x_store);
- if (ok) /* no errors */
+ if (ok) { /* no errors */
+ TRACE_LEAVE(SSL_EV_CONN_VFY_CB, conn);
return ok;
+ }
/* Keep a reference to the client's certificate in order to be able to
* dump some fetches values in a log even when the verification process
}
if (err <= SSL_MAX_VFY_ERROR_CODE &&
- cert_ignerr_bitfield_get(bind_conf->ca_ignerr_bitfield, err))
+ cert_ignerr_bitfield_get(bind_conf->ca_ignerr_bitfield, err)) {
+ TRACE_STATE("Ignored ca-related error", SSL_EV_CONN_VFY_CB, conn, ssl, NULL, &err);
goto err_ignored;
+ }
/* TODO: for QUIC connection, this error code is lost */
- if (conn)
+ if (conn) {
conn->err_code = CO_ER_SSL_CA_FAIL;
+ TRACE_ERROR("Verify callback error (ca)", SSL_EV_CONN_VFY_CB|SSL_EV_CONN_ERR, conn, ssl, &conn->err_code, &err);
+ }
return 0;
}
/* check if certificate error needs to be ignored */
if (err <= SSL_MAX_VFY_ERROR_CODE &&
- cert_ignerr_bitfield_get(bind_conf->crt_ignerr_bitfield, err))
+ cert_ignerr_bitfield_get(bind_conf->crt_ignerr_bitfield, err)) {
+ TRACE_STATE("Ignored crt-related error", SSL_EV_CONN_VFY_CB, conn, ssl, NULL, &err);
goto err_ignored;
+ }
/* TODO: for QUIC connection, this error code is lost */
- if (conn)
+ if (conn) {
conn->err_code = CO_ER_SSL_CRT_FAIL;
+ TRACE_ERROR("Verify callback error (crt)", SSL_EV_CONN_VFY_CB|SSL_EV_CONN_ERR, conn, ssl, &conn->err_code, &err);
+ }
return 0;
err_ignored:
ssl_sock_dump_errors(conn, qc);
ERR_clear_error();
+ TRACE_LEAVE(SSL_EV_CONN_VFY_CB, conn);
return 1;
}
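Review bot: The new TRACE_ERROR calls on L28 and L43 sit inside `if (conn)`, so on the QUIC branch (L7, where conn stays NULL and the two `TODO` comments already note the lost error code) a rejected certificate produces no SSL_EV_CONN_VFY_CB event at all, and the same asymmetry exists between TRACE_ENTER on L4, issued only inside `if (conn)`, and TRACE_LEAVE on L12 and L49, issued unconditionally. Since L49 already calls TRACE_LEAVE with a possibly-NULL conn, the trace path presumably tolerates that; if so, hoist the error trace out of the guard, e.g. `if (conn)` / `conn->err_code = CO_ER_SSL_CA_FAIL;` / `TRACE_ERROR("Verify callback error (ca)", SSL_EV_CONN_VFY_CB|SSL_EV_CONN_ERR, conn, ssl, conn ? &conn->err_code : NULL, &err);`, do the same for the crt case on L41-L44, and move TRACE_ENTER below the `#ifdef USE_QUIC` else-branch so both connection kinds get an enter event. The plain `return 0;` on L30 and L45 also leave without a TRACE_LEAVE, which is acceptable if TRACE_ERROR is meant to stand in for it, but a one-line comment stating that intent would spare the next reader the question. The enclosing verify callback begins before this hunk, so the declarations of `err`, `conn` and `qc` are not visible here.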
{ .mask = SSL_EV_CONN_RECV_EARLY, .name = "sslc_recv_early", .desc = "Rx on SSL connection (early data)" },
{ .mask = SSL_EV_CONN_IO_CB, .name = "sslc_io_cb", .desc = "SSL io callback"},
{ .mask = SSL_EV_CONN_HNDSHK, .name = "sslc_hndshk", .desc = "SSL handshake"},
+ { .mask = SSL_EV_CONN_VFY_CB, .name = "sslc_vfy_cb", .desc = "SSL verify callback"},
{ }
};
}
}
+ if (mask & SSL_EV_CONN_VFY_CB) {
+ if (mask & SSL_EV_CONN_ERR) {
+ if (a3) {
+ const unsigned int *err_code = a3;
+ chunk_appendf(&trace_buf, " err_code=%u err_str=\"%s\"", *err_code, conn_err_code_str(conn));
+ }
+ if (a4) {
+ const unsigned int *ssl_err_code = a4;
+ chunk_appendf(&trace_buf, " ssl_err_code=%u ssl_err_str=\"%s\"", *ssl_err_code,
+ ERR_reason_error_string(*ssl_err_code));
+ }
+ } else if (src->verbosity > SSL_VERB_SIMPLE) {
+ /* We faced an ignored error */
+ if (a4) {
+ const unsigned int *ssl_err_code = a4;
+ chunk_appendf(&trace_buf, " ssl_err_code=%u ssl_err_str=\"%s\"", *ssl_err_code,
+ ERR_reason_error_string(*ssl_err_code));
+ }
+ }
+ }
}
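Review bot: `ERR_reason_error_string(*ssl_err_code)` on L69 and L76 is handed the X509 verification result the callback obtains from `X509_STORE_CTX_get_error` (L9), but that function expects a packed error-queue code as returned by ERR_get_error(), so the lookup will generally yield NULL or an unrelated reason, and a NULL reaching the `%s` in chunk_appendf is not safe; `X509_verify_cert_error_string(*ssl_err_code)` is the matching accessor and always returns a string. The `a3` argument is `&conn->err_code` (L28/L43); if that field is narrower than `unsigned int` — I recall it being a single byte in struct connection, please confirm against the struct — then `*err_code` on L64 reads past the field and prints a wrong value, so the local's type on L63 and the format should follow the field's declared type. Separately, the ssl_err_code block is duplicated verbatim between the error branch (L66-L70) and the verbose branch (L73-L77); one guarded block is easier to keep consistent, as sketched below.
```c
	if (mask & SSL_EV_CONN_VFY_CB) {
		if ((mask & SSL_EV_CONN_ERR) && a3) {
			const unsigned int *err_code = a3; /* points at conn->err_code: make this match the field's declared width */
			chunk_appendf(&trace_buf, " err_code=%u err_str=\"%s\"", *err_code, conn_err_code_str(conn));
		}
		/* X509 verify error: always shown for a real error, only in verbose mode for an ignored one */
		if (a4 && ((mask & SSL_EV_CONN_ERR) || src->verbosity > SSL_VERB_SIMPLE)) {
			const unsigned int *ssl_err_code = a4;
			chunk_appendf(&trace_buf, " ssl_err_code=%u ssl_err_str=\"%s\"", *ssl_err_code,
			              X509_verify_cert_error_string(*ssl_err_code));
		}
	}
```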