apache · duke8253 · Jul 6, 2021 · Apr 7, 2021
diff --git a/iocore/net/P_SNIActionPerformer.h b/iocore/net/P_SNIActionPerformer.h
@@ -77,12 +77,15 @@ class ControlH2 : public ActionItem
   int
   SNIAction(TLSSNISupport *snis, const Context &ctx) const override
   {
-    auto ssl_vc = dynamic_cast<SSLNetVConnection *>(snis);
+    auto ssl_vc            = dynamic_cast<SSLNetVConnection *>(snis);
+    const char *servername = ssl_vc->get_server_name();
     if (ssl_vc) {
       if (!enable_h2) {
         ssl_vc->disableProtocol(TS_ALPN_PROTOCOL_INDEX_HTTP_2_0);
+        Debug("ssl_sni", "H2 disabled, fqdn [%s]", servername);
       } else {
         ssl_vc->enableProtocol(TS_ALPN_PROTOCOL_INDEX_HTTP_2_0);
+        Debug("ssl_sni", "H2 enabled, fqdn [%s]", servername);
       }
     }
     return SSL_TLSEXT_ERR_OK;
@@ -107,14 +110,16 @@ class TunnelDestination : public ActionItem
   {
     // Set the netvc option?
     SSLNetVConnection *ssl_netvc = dynamic_cast<SSLNetVConnection *>(snis);
+    const char *servername       = ssl_netvc->get_server_name();
     if (ssl_netvc) {
       // If needed, we will try to amend the tunnel destination.
       if (ctx._fqdn_wildcard_captured_groups && need_fix) {
         const auto &fixed_dst = replace_match_groups(destination, *ctx._fqdn_wildcard_captured_groups);
         ssl_netvc->set_tunnel_destination(fixed_dst, type);
-        Debug("TunnelDestination", "Destination now is [%s], configured [%s]", fixed_dst.c_str(), destination.c_str());
+        Debug("ssl_sni", "Destination now is [%s], configured [%s], fqdn [%s]", fixed_dst.c_str(), destination.c_str(), servername);
       } else {
         ssl_netvc->set_tunnel_destination(destination, type);
+        Debug("ssl_sni", "Destination now is [%s], fqdn [%s]", destination.c_str(), servername);
       }
 
       if (type == SNIRoutingType::BLIND) {
@@ -212,17 +217,20 @@ class VerifyClient : public ActionItem
   VerifyClient(uint8_t param, std::string_view file, std::string_view dir) : mode(param), ca_file(file), ca_dir(dir) {}
   VerifyClient(const char *param, std::string_view file, std::string_view dir) : VerifyClient(atoi(param), file, dir) {}
   ~VerifyClient() override;
+
   int
   SNIAction(TLSSNISupport *snis, const Context &ctx) const override
   {
-    auto ssl_vc = dynamic_cast<SSLNetVConnection *>(snis);
-    Debug("ssl_sni", "action verify param %d", this->mode);
+    auto ssl_vc            = dynamic_cast<SSLNetVConnection *>(snis);
+    const char *servername = ssl_vc->get_server_name();
+    Debug("ssl_sni", "action verify param %d, fqdn [%s]", this->mode, servername);
     setClientCertLevel(ssl_vc->ssl, this->mode);
     ssl_vc->set_ca_cert_file(ca_file, ca_dir);
     setClientCertCACerts(ssl_vc->ssl, ssl_vc->get_ca_cert_file(), ssl_vc->get_ca_cert_dir());
 
     return SSL_TLSEXT_ERR_OK;
   }
+
   bool
   TestClientSNIAction(const char *servername, const IpEndpoint &ep, int &policy) const override
   {
@@ -243,12 +251,14 @@ class HostSniPolicy : public ActionItem
   HostSniPolicy(const char *param) : policy(atoi(param)) {}
   HostSniPolicy(uint8_t param) : policy(param) {}
   ~HostSniPolicy() override {}
+
   int
   SNIAction(TLSSNISupport *snis, const Context &ctx) const override
   {
     // On action this doesn't do anything
     return SSL_TLSEXT_ERR_OK;
   }
+
   bool
   TestClientSNIAction(const char *servername, const IpEndpoint &ep, int &in_policy) const override
   {
@@ -272,12 +282,14 @@ class TLSValidProtocols : public ActionItem
 #endif
   TLSValidProtocols() : protocol_mask(max_mask) {}
   TLSValidProtocols(unsigned long protocols) : unset(false), protocol_mask(protocols) {}
+
   int
   SNIAction(TLSSNISupport *snis, const Context & /* ctx */) const override
   {
     if (!unset) {
-      auto ssl_vc = dynamic_cast<SSLNetVConnection *>(snis);
-      Debug("ssl_sni", "TLSValidProtocol param 0%x", static_cast<unsigned int>(this->protocol_mask));
+      auto ssl_vc            = dynamic_cast<SSLNetVConnection *>(snis);
+      const char *servername = ssl_vc->get_server_name();
+      Debug("ssl_sni", "TLSValidProtocol param 0%x, fqdn [%s]", static_cast<unsigned int>(this->protocol_mask), servername);
       ssl_vc->set_valid_tls_protocols(protocol_mask, TLSValidProtocols::max_mask);
     }
 
@@ -333,6 +345,7 @@ class SNI_IpAllow : public ActionItem
       return SSL_TLSEXT_ERR_ALERT_FATAL;
     }
   }
+
   bool
   TestClientSNIAction(const char *servrername, const IpEndpoint &ep, int &policy) const override
   {

diff --git a/iocore/net/SSLClientUtils.cc b/iocore/net/SSLClientUtils.cc
@@ -45,7 +45,7 @@ verify_callback(int signature_ok, X509_STORE_CTX *ctx)
   int err;
   SSL *ssl;
 
-  SSLDebug("Entered verify cb");
+  Debug("ssl_verify", "Entered cert verify callback");
 
   /*
    * Retrieve the pointer to the SSL of the connection currently treated
@@ -57,7 +57,7 @@ verify_callback(int signature_ok, X509_STORE_CTX *ctx)
   // No enforcing, go away
   if (netvc == nullptr) {
     // No netvc, very bad.  Go away.  Things are not good.
-    SSLDebug("WARN, Netvc gone by in verify_callback");
+    Debug("ssl_verify", "WARNING, NetVC is NULL in cert verify callback");
     return false;
   } else if (netvc->options.verifyServerPolicy == YamlSNIConfig::Policy::DISABLED) {
     return true; // Tell them that all is well
@@ -73,7 +73,7 @@ verify_callback(int signature_ok, X509_STORE_CTX *ctx)
 
   if (check_sig) {
     if (!signature_ok) {
-      SSLDebug("verify error:num=%d:%s:depth=%d", err, X509_verify_cert_error_string(err), depth);
+      Debug("ssl_verify", "verification error:num=%d:%s:depth=%d", err, X509_verify_cert_error_string(err), depth);
       const char *sni_name;
       char buff[INET6_ADDRSTRLEN];
       ats_ip_ntop(netvc->get_remote_addr(), buff, INET6_ADDRSTRLEN);
@@ -108,7 +108,7 @@ verify_callback(int signature_ok, X509_STORE_CTX *ctx)
       ats_ip_ntop(netvc->get_remote_addr(), buff, INET6_ADDRSTRLEN);
     }
     if (validate_hostname(cert, sni_name, false, &matched_name)) {
-      SSLDebug("Hostname %s verified OK, matched %s", netvc->options.sni_servername.get(), matched_name);
+      Debug("ssl_verify", "Hostname %s verified OK, matched %s", sni_name, matched_name);
       ats_free(matched_name);
     } else { // Name validation failed
       // Get the server address if we did't already compute it
@@ -152,6 +152,7 @@ ssl_client_cert_callback(SSL *ssl, void * /*arg*/)
     // both are internal pointers
     X509 *cert = SSL_CTX_get0_certificate(ctx);
     netvc->set_sent_cert(cert != nullptr ? 2 : 1);
+    Debug("ssl_verify", "sent cert: %d", cert != nullptr ? 2 : 1);
   }
   return 1;
 }

diff --git a/iocore/net/SSLConfig.cc b/iocore/net/SSLConfig.cc
@@ -756,7 +756,7 @@ SSLConfigParams::getCTX(const std::string &client_cert, const std::string &key_f
   ctx_key = client_cert;
   ts::bwprint(top_level_key, "{}:{}", ca_bundle_file, ca_bundle_path);
 
-  Debug("ssl", "Look for client cert %s %s", top_level_key.c_str(), ctx_key.c_str());
+  Debug("ssl_client_ctx", "Look for client cert %s %s", top_level_key.c_str(), ctx_key.c_str());
 
   ink_mutex_acquire(&ctxMapLock);
   auto ctx_map_iter = top_level_ctx_map.find(top_level_key);
@@ -773,7 +773,7 @@ SSLConfigParams::getCTX(const std::string &client_cert, const std::string &key_f
   EVP_PKEY *key = nullptr;
   // Create context if doesn't exists
   if (!client_ctx) {
-    Debug("ssl", "Load new cert for %s %s", top_level_key.c_str(), ctx_key.c_str());
+    Debug("ssl_client_ctx", "Load new cert for %s %s", top_level_key.c_str(), ctx_key.c_str());
     client_ctx = shared_SSL_CTX(SSLInitClientContext(this), SSLReleaseContext);
 
     // Set public and private keys

diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
@@ -356,12 +356,12 @@ set_context_cert(SSL *ssl)
 static int
 ssl_verify_client_callback(int preverify_ok, X509_STORE_CTX *ctx)
 {
-  Debug("ssl", "Callback: verify client cert");
+  Debug("ssl_verify", "Callback: verify client cert");
   auto *ssl                = static_cast<SSL *>(X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx()));
   SSLNetVConnection *netvc = SSLNetVCAccess(ssl);
 
   if (!netvc || netvc->ssl != ssl) {
-    Debug("ssl.error", "ssl_verify_client_callback call back on stale netvc");
+    Debug("ssl_verify", "ssl_verify_client_callback call back on stale netvc");
     return false;
   }