dovecot-2.1: *-login: If client certificate isn't valid, log the...
dovecot at dovecot.org
dovecot at dovecot.org
Wed Apr 25 21:32:08 EEST 2012
details: http://hg.dovecot.org/dovecot-2.1/rev/36cde186aec6
changeset: 14480:36cde186aec6
user: Timo Sirainen <tss at iki.fi>
date: Wed Apr 25 21:28:16 2012 +0300
description:
*-login: If client certificate isn't valid, log the reason why.
diffstat:
src/login-common/login-proxy.c | 5 ++-
src/login-common/ssl-proxy-openssl.c | 43 ++++++++++++++++++++++++-----------
src/login-common/ssl-proxy.c | 5 ++++
src/login-common/ssl-proxy.h | 1 +
4 files changed, 38 insertions(+), 16 deletions(-)
diffs (120 lines):
diff -r 3893f2b7e4ab -r 36cde186aec6 src/login-common/login-proxy.c
--- a/src/login-common/login-proxy.c Wed Apr 25 21:26:25 2012 +0300
+++ b/src/login-common/login-proxy.c Wed Apr 25 21:28:16 2012 +0300
@@ -516,8 +516,9 @@
if (ssl_proxy_has_broken_client_cert(proxy->ssl_server_proxy)) {
client_log_err(proxy->client, t_strdup_printf(
- "proxy: Received invalid SSL certificate from %s:%u",
- proxy->host, proxy->port));
+ "proxy: Received invalid SSL certificate from %s:%u: %s",
+ proxy->host, proxy->port,
+ ssl_proxy_get_cert_error(proxy->ssl_server_proxy)));
} else if (!ssl_proxy_has_valid_client_cert(proxy->ssl_server_proxy)) {
client_log_err(proxy->client, t_strdup_printf(
"proxy: SSL certificate not received from %s:%u",
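Review bot: The extended "Received invalid SSL certificate" message now carries text derived from the certificate the backend at %s:%u presented (ssl_proxy_get_cert_error() returns the verify error string followed by the subject DN built with X509_NAME_oneline()), so part of this log line is controlled by the remote side. X509_NAME_oneline() escapes non-printable bytes, which keeps a hostile subject from forging additional log lines, but the DN is still untrusted, can be up to the 1 KiB buffer used to format it, and may be truncated; a short comment above the call would save the next reader from having to check, e.g. `/* reason text includes the remote cert's subject DN (escaped by OpenSSL, may be truncated) */`. The enclosing function starts before this hunk.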
diff -r 3893f2b7e4ab -r 36cde186aec6 src/login-common/ssl-proxy-openssl.c
--- a/src/login-common/ssl-proxy-openssl.c Wed Apr 25 21:26:25 2012 +0300
+++ b/src/login-common/ssl-proxy-openssl.c Wed Apr 25 21:28:16 2012 +0300
@@ -66,6 +66,7 @@
ssl_handshake_callback_t *handshake_callback;
void *handshake_context;
+ const char *cert_error;
char *last_error;
unsigned int handshaked:1;
unsigned int destroyed:1;
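Review bot: The new `cert_error` member has no ownership note, and it is filled with memory from `proxy->client->pool` rather than freed in ssl_proxy_free(), so its lifetime is tied to the client, not to the ssl_proxy. Whether the ssl_proxy can outlive that pool is not visible here; a comment on the field would make the assumption explicit, e.g. `const char *cert_error; /* first peer-cert verify error; allocated from client->pool, never freed here */`. The struct definition starts before this hunk.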
@@ -754,6 +755,12 @@
#endif
}
+const char *ssl_proxy_get_cert_error(struct ssl_proxy *proxy)
+{
+ return proxy->cert_error != NULL ? proxy->cert_error :
+ "(Unknown error)";
+}
+
void ssl_proxy_free(struct ssl_proxy **_proxy)
{
struct ssl_proxy *proxy = *_proxy;
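Review bot: ssl_proxy_get_cert_error() is undocumented, and its result is only meaningful in one situation: the value comes from the verify callback and is returned as-is even when the callback recorded a successful verification, so callers must consult ssl_proxy_has_broken_client_cert() first, as login-proxy.c does. A header comment would pin that down: `/* Returns the verification failure recorded by the peer-cert verify callback, or "(Unknown error)" if no callback ran. Only meaningful when ssl_proxy_has_broken_client_cert() returns TRUE. */`. Since the function only reads the proxy, it could also take `const struct ssl_proxy *` like ssl_proxy_get_last_error().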
@@ -849,32 +856,40 @@
{
SSL *ssl;
struct ssl_proxy *proxy;
+ char buf[1024];
+ X509_NAME *subject;
ssl = X509_STORE_CTX_get_ex_data(ctx,
SSL_get_ex_data_X509_STORE_CTX_idx());
proxy = SSL_get_ex_data(ssl, extdata_index);
proxy->cert_received = TRUE;
- if (proxy->set->verbose_ssl ||
- (proxy->set->auth_verbose && !preverify_ok)) {
- char buf[1024];
- X509_NAME *subject;
-
- subject = X509_get_subject_name(ctx->current_cert);
- (void)X509_NAME_oneline(subject, buf, sizeof(buf));
- buf[sizeof(buf)-1] = '\0'; /* just in case.. */
- if (!preverify_ok)
- i_info("Invalid certificate: %s: %s", X509_verify_cert_error_string(ctx->error),buf);
- else
- i_info("Valid certificate: %s", buf);
- }
- if (ctx->error == X509_V_ERR_UNABLE_TO_GET_CRL && proxy->client_proxy) {
+ if (proxy->client_proxy && ctx->error == X509_V_ERR_UNABLE_TO_GET_CRL) {
/* no CRL given with the CA list. don't worry about it. */
preverify_ok = 1;
}
if (!preverify_ok)
proxy->cert_broken = TRUE;
+ subject = X509_get_subject_name(ctx->current_cert);
+ (void)X509_NAME_oneline(subject, buf, sizeof(buf));
+ buf[sizeof(buf)-1] = '\0'; /* just in case.. */
+
+ if (proxy->cert_error == NULL) {
+ proxy->cert_error = p_strdup_printf(proxy->client->pool, "%s: %s",
+ X509_verify_cert_error_string(ctx->error), buf);
+ }
+
+ if (proxy->set->verbose_ssl ||
+ (proxy->set->auth_verbose && !preverify_ok)) {
+ if (preverify_ok)
+ i_info("Valid certificate: %s", buf);
+ else {
+ i_info("Invalid certificate: %s: %s",
+ X509_verify_cert_error_string(ctx->error), buf);
+ }
+ }
+
/* Return success anyway, because if ssl_require_client_cert=no we
could still allow authentication. */
return 1;
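Review bot: `proxy->cert_error` is set on the first callback invocation regardless of `preverify_ok` (the `if (proxy->cert_error == NULL)` assignment runs for valid certificates too), yet OpenSSL calls this verify callback once per certificate in the chain, starting at the CA end and with `ctx->error` reset to X509_V_OK before each successful call. When the CA verifies but the leaf fails (expired, wrong purpose, ...), cert_error is already "ok: <CA subject>" and is never replaced, so the new "Received invalid SSL certificate ...: %s" message in login-proxy.c reports a bogus reason while the i_info() branch just below, which reads `ctx->error` directly, still logs the real one. Record the string only on a failure, `if (!preverify_ok && proxy->cert_error == NULL) {`, so it holds the first actual verification error; the X509_V_ERR_UNABLE_TO_GET_CRL case that is deliberately cleared a few lines up is then also correctly left out. The callback's signature is above this hunk.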
diff -r 3893f2b7e4ab -r 36cde186aec6 src/login-common/ssl-proxy.c
--- a/src/login-common/ssl-proxy.c Wed Apr 25 21:26:25 2012 +0300
+++ b/src/login-common/ssl-proxy.c Wed Apr 25 21:28:16 2012 +0300
@@ -79,6 +79,11 @@
return NULL;
}
+const char *ssl_proxy_get_cert_error(struct ssl_proxy *proxy ATTR_UNUSED)
+{
+ return "";
+}
+
void ssl_proxy_free(struct ssl_proxy **proxy ATTR_UNUSED) {}
unsigned int ssl_proxy_get_count(void)
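Review bot: This stub, which appears to be the no-SSL build of ssl-proxy.c, returns `""` where the OpenSSL implementation returns "(Unknown error)" when nothing was recorded, so the only caller would print a message ending in a dangling ": " if it were reached. That path presumably cannot be reached without SSL, since ssl_proxy_has_broken_client_cert() must be TRUE first, but the two implementations should still agree on the contract: `return "(Unknown error)";` with a short comment that no certificate verification happens in this build.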
diff -r 3893f2b7e4ab -r 36cde186aec6 src/login-common/ssl-proxy.h
--- a/src/login-common/ssl-proxy.h Wed Apr 25 21:26:25 2012 +0300
+++ b/src/login-common/ssl-proxy.h Wed Apr 25 21:28:16 2012 +0300
@@ -30,6 +30,7 @@
const char *ssl_proxy_get_last_error(const struct ssl_proxy *proxy) ATTR_PURE;
const char *ssl_proxy_get_security_string(struct ssl_proxy *proxy);
const char *ssl_proxy_get_compression(struct ssl_proxy *proxy);
+const char *ssl_proxy_get_cert_error(struct ssl_proxy *proxy);
void ssl_proxy_free(struct ssl_proxy **proxy);
/* Return number of active SSL proxies */
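Review bot: The new declaration is the only accessor in this group without a comment, and unlike `ssl_proxy_get_last_error()` directly above it takes a non-const proxy and lacks ATTR_PURE even though both implementations in this commit only read from it. Consider `const char *ssl_proxy_get_cert_error(const struct ssl_proxy *proxy) ATTR_PURE;` preceded by `/* Reason the peer certificate failed verification; only meaningful when ssl_proxy_has_broken_client_cert() returns TRUE */`, updating the two definitions to match.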