diff --git a/iocore/net/P_SNIActionPerformer.h b/iocore/net/P_SNIActionPerformer.h
index bcaec2b9917..ab1094283b1 100644
--- a/iocore/net/P_SNIActionPerformer.h
+++ b/iocore/net/P_SNIActionPerformer.h
@@ -77,12 +77,15 @@ class ControlH2 : public ActionItem
 int SNIAction(TLSSNISupport *snis, const Context &ctx) const override {
- auto ssl_vc = dynamic_cast(snis);
+ auto ssl_vc = dynamic_cast(snis);
+ const char *servername = ssl_vc->get_server_name();
 if (ssl_vc) { if (!enable_h2) { ssl_vc->disableProtocol(TS_ALPN_PROTOCOL_INDEX_HTTP_2_0);
+ Debug("ssl_sni", "H2 disabled, fqdn [%s]", servername);
 } else { ssl_vc->enableProtocol(TS_ALPN_PROTOCOL_INDEX_HTTP_2_0);
+ Debug("ssl_sni", "H2 enabled, fqdn [%s]", servername);
 } } return SSL_TLSEXT_ERR_OK;
@@ -107,14 +110,16 @@ class TunnelDestination : public ActionItem
 { // Set the netvc option? SSLNetVConnection *ssl_netvc = dynamic_cast(snis);
+ const char *servername = ssl_netvc->get_server_name();
 if (ssl_netvc) { // If needed, we will try to amend the tunnel destination. if (ctx._fqdn_wildcard_captured_groups && need_fix) { const auto &fixed_dst = replace_match_groups(destination, *ctx._fqdn_wildcard_captured_groups); ssl_netvc->set_tunnel_destination(fixed_dst, type);
- Debug("TunnelDestination", "Destination now is [%s], configured [%s]", fixed_dst.c_str(), destination.c_str());
+ Debug("ssl_sni", "Destination now is [%s], configured [%s], fqdn [%s]", fixed_dst.c_str(), destination.c_str(), servername);
 } else { ssl_netvc->set_tunnel_destination(destination, type);
+ Debug("ssl_sni", "Destination now is [%s], fqdn [%s]", destination.c_str(), servername);
 } if (type == SNIRoutingType::BLIND) {
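Review bot: `const char *servername = ssl_vc->get_server_name();` runs before the `if (ssl_vc)` check on the next line, so when the `dynamic_cast` yields nullptr the new code dereferences it and the existing guard becomes dead; the TunnelDestination hunk has the same ordering (`ssl_netvc->get_server_name()` ahead of `if (ssl_netvc)`). Move the lookup under the guard in both places: `if (ssl_vc) { const char *servername = ssl_vc->get_server_name(); …`. Separately, if `get_server_name()` can return nullptr for a ClientHello that carries no SNI extension, handing it to `%s` in the Debug calls is not safe (this also applies to the VerifyClient and TLSValidProtocols hunks); either confirm the accessor never returns null or log `servername ? servername : ""`.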
@@ -212,17 +217,20 @@ class VerifyClient : public ActionItem
 VerifyClient(uint8_t param, std::string_view file, std::string_view dir) : mode(param), ca_file(file), ca_dir(dir) {} VerifyClient(const char *param, std::string_view file, std::string_view dir) : VerifyClient(atoi(param), file, dir) {} ~VerifyClient() override;
+
 int SNIAction(TLSSNISupport *snis, const Context &ctx) const override {
- auto ssl_vc = dynamic_cast(snis);
- Debug("ssl_sni", "action verify param %d", this->mode);
+ auto ssl_vc = dynamic_cast(snis);
+ const char *servername = ssl_vc->get_server_name();
+ Debug("ssl_sni", "action verify param %d, fqdn [%s]", this->mode, servername);
 setClientCertLevel(ssl_vc->ssl, this->mode); ssl_vc->set_ca_cert_file(ca_file, ca_dir); setClientCertCACerts(ssl_vc->ssl, ssl_vc->get_ca_cert_file(), ssl_vc->get_ca_cert_dir()); return SSL_TLSEXT_ERR_OK; }
+
 bool TestClientSNIAction(const char *servername, const IpEndpoint &ep, int &policy) const override {
@@ -243,12 +251,14 @@ class HostSniPolicy : public ActionItem
 HostSniPolicy(const char *param) : policy(atoi(param)) {} HostSniPolicy(uint8_t param) : policy(param) {} ~HostSniPolicy() override {}
+
 int SNIAction(TLSSNISupport *snis, const Context &ctx) const override { // On action this doesn't do anything return SSL_TLSEXT_ERR_OK; }
+
 bool TestClientSNIAction(const char *servername, const IpEndpoint &ep, int &in_policy) const override {
@@ -272,12 +282,14 @@ class TLSValidProtocols : public ActionItem
 #endif TLSValidProtocols() : protocol_mask(max_mask) {} TLSValidProtocols(unsigned long protocols) : unset(false), protocol_mask(protocols) {}
+
 int SNIAction(TLSSNISupport *snis, const Context & /* ctx */) const override { if (!unset) {
- auto ssl_vc = dynamic_cast(snis);
- Debug("ssl_sni", "TLSValidProtocol param 0%x", static_cast(this->protocol_mask));
+ auto ssl_vc = dynamic_cast(snis);
+ const char *servername = ssl_vc->get_server_name();
+ Debug("ssl_sni", "TLSValidProtocol param 0%x, fqdn [%s]", static_cast(this->protocol_mask), servername);
 ssl_vc->set_valid_tls_protocols(protocol_mask, TLSValidProtocols::max_mask); }
@@ -333,6 +345,7 @@ class SNI_IpAllow : public ActionItem
 return SSL_TLSEXT_ERR_ALERT_FATAL; } }
+
 bool TestClientSNIAction(const char *servrername, const IpEndpoint &ep, int &policy) const override {
diff --git a/iocore/net/SSLClientUtils.cc b/iocore/net/SSLClientUtils.cc
index 65a807fc01a..4d14569545a 100644
--- a/iocore/net/SSLClientUtils.cc
+++ b/iocore/net/SSLClientUtils.cc
@@ -45,7 +45,7 @@ verify_callback(int signature_ok, X509_STORE_CTX *ctx)
 int err; SSL *ssl;
- SSLDebug("Entered verify cb");
+ Debug("ssl_verify", "Entered cert verify callback");
 /* * Retrieve the pointer to the SSL of the connection currently treated
@@ -57,7 +57,7 @@ verify_callback(int signature_ok, X509_STORE_CTX *ctx)
 // No enforcing, go away if (netvc == nullptr) { // No netvc, very bad. Go away. Things are not good.
- SSLDebug("WARN, Netvc gone by in verify_callback");
+ Debug("ssl_verify", "WARNING, NetVC is NULL in cert verify callback");
 return false; } else if (netvc->options.verifyServerPolicy == YamlSNIConfig::Policy::DISABLED) { return true; // Tell them that all is well
@@ -73,7 +73,7 @@ verify_callback(int signature_ok, X509_STORE_CTX *ctx)
 if (check_sig) { if (!signature_ok) {
- SSLDebug("verify error:num=%d:%s:depth=%d", err, X509_verify_cert_error_string(err), depth);
+ Debug("ssl_verify", "verification error:num=%d:%s:depth=%d", err, X509_verify_cert_error_string(err), depth);
 const char *sni_name; char buff[INET6_ADDRSTRLEN]; ats_ip_ntop(netvc->get_remote_addr(), buff, INET6_ADDRSTRLEN);
@@ -108,7 +108,7 @@ verify_callback(int signature_ok, X509_STORE_CTX *ctx)
 ats_ip_ntop(netvc->get_remote_addr(), buff, INET6_ADDRSTRLEN); } if (validate_hostname(cert, sni_name, false, &matched_name)) {
- SSLDebug("Hostname %s verified OK, matched %s", netvc->options.sni_servername.get(), matched_name);
+ Debug("ssl_verify", "Hostname %s verified OK, matched %s", sni_name, matched_name);
 ats_free(matched_name); } else { // Name validation failed // Get the server address if we did't already compute it
@@ -152,6 +152,7 @@ ssl_client_cert_callback(SSL *ssl, void * /*arg*/)
 // both are internal pointers X509 *cert = SSL_CTX_get0_certificate(ctx); netvc->set_sent_cert(cert != nullptr ? 2 : 1);
+ Debug("ssl_verify", "sent cert: %d", cert != nullptr ? 2 : 1);
 } return 1; }
diff --git a/iocore/net/SSLConfig.cc b/iocore/net/SSLConfig.cc
index 0098e5132f4..56b470cdf04 100644
--- a/iocore/net/SSLConfig.cc
+++ b/iocore/net/SSLConfig.cc
@@ -756,7 +756,7 @@ SSLConfigParams::getCTX(const std::string &client_cert, const std::string &key_f
 ctx_key = client_cert; ts::bwprint(top_level_key, "{}:{}", ca_bundle_file, ca_bundle_path);
- Debug("ssl", "Look for client cert %s %s", top_level_key.c_str(), ctx_key.c_str());
+ Debug("ssl_client_ctx", "Look for client cert %s %s", top_level_key.c_str(), ctx_key.c_str());
 ink_mutex_acquire(&ctxMapLock); auto ctx_map_iter = top_level_ctx_map.find(top_level_key);
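Review bot: In the ssl_client_cert_callback hunk the added Debug line repeats the `cert != nullptr ? 2 : 1` expression from the `set_sent_cert` call just above it, so the value logged and the value stored can silently diverge if either line is edited later. Compute it once and use it twice: `const int sent_cert = cert != nullptr ? 2 : 1;` then `netvc->set_sent_cert(sent_cert);` and `Debug("ssl_verify", "sent cert: %d", sent_cert);`. The literals 1 and 2 are opaque in the trace; a one-line comment stating what each encodes (presumably "no client cert configured" versus "client cert sent" — confirm against set_sent_cert) would help whoever reads the log. ssl_client_cert_callback starts outside the hunk.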
@@ -773,7 +773,7 @@ SSLConfigParams::getCTX(const std::string &client_cert, const std::string &key_f
 EVP_PKEY *key = nullptr; // Create context if doesn't exists if (!client_ctx) {
- Debug("ssl", "Load new cert for %s %s", top_level_key.c_str(), ctx_key.c_str());
+ Debug("ssl_client_ctx", "Load new cert for %s %s", top_level_key.c_str(), ctx_key.c_str());
 client_ctx = shared_SSL_CTX(SSLInitClientContext(this), SSLReleaseContext); // Set public and private keys
diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index 054432f12a1..e1bb3350e06 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -356,12 +356,12 @@ set_context_cert(SSL *ssl)
 static int ssl_verify_client_callback(int preverify_ok, X509_STORE_CTX *ctx) {
- Debug("ssl", "Callback: verify client cert");
+ Debug("ssl_verify", "Callback: verify client cert");
 auto *ssl = static_cast(X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx())); SSLNetVConnection *netvc = SSLNetVCAccess(ssl); if (!netvc || netvc->ssl != ssl) {
- Debug("ssl.error", "ssl_verify_client_callback call back on stale netvc");
+ Debug("ssl_verify", "ssl_verify_client_callback call back on stale netvc");
 return false; }
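Review bot: The stale-netvc message in ssl_verify_client_callback moves from the `ssl.error` tag to `ssl_verify`, so the only diagnostic for the `!netvc || netvc->ssl != ssl` branch — a path that rejects the client certificate by returning false — is now grouped with routine per-handshake tracing instead of the error-class output an operator would enable when investigating verification failures. If `ssl.error` is the tag relied on for that, keeping the second call on it is the smaller change: `Debug("ssl.error", "ssl_verify_client_callback call back on stale netvc");`; otherwise a short comment in the branch noting that a stale netvc fails the verification would at least make the outcome explicit. The hunk's trailing context may extend past the visible text.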