Couple of extra output messages so Stubby users in strict mode know why the authentication failed

This commit is contained in:
Sara Dickinson 2017-02-23 15:38:45 +00:00
parent 1b7aef5a88
commit ff4ecd5b39
1 changed files with 18 additions and 4 deletions

View File

@ -872,9 +872,16 @@ tls_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
/* First deal with the hostname authentication done by OpenSSL. */ /* First deal with the hostname authentication done by OpenSSL. */
#ifdef X509_V_ERR_HOSTNAME_MISMATCH #ifdef X509_V_ERR_HOSTNAME_MISMATCH
/*Report if error is hostname mismatch*/ /*Report if error is hostname mismatch*/
if (err == X509_V_ERR_HOSTNAME_MISMATCH && upstream->tls_fallback_ok) if (err == X509_V_ERR_HOSTNAME_MISMATCH) {
DEBUG_STUB("%s %-35s: FD: %d WARNING: Proceeding even though hostname validation failed!\n", if (upstream->tls_fallback_ok)
STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->fd); DEBUG_STUB("%s %-35s: FD: %d WARNING: Proceeding even though hostname validation failed!\n",
STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->fd);
#if defined(DAEMON_DEBUG) && DAEMON_DEBUG
else
DEBUG_DAEMON("%s %s : Conn failed : Transport=TLS - *Failure* - Hostname mismatch\n",
STUB_DEBUG_DAEMON, upstream->addr_str);
#endif
}
#else #else
/* if we weren't built against OpenSSL with hostname matching we /* if we weren't built against OpenSSL with hostname matching we
* could not have matched the hostname, so this would be an automatic * could not have matched the hostname, so this would be an automatic
@ -897,9 +904,15 @@ tls_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
if (upstream->tls_fallback_ok) if (upstream->tls_fallback_ok)
DEBUG_STUB("%s %-35s: FD: %d, WARNING: Proceeding even though pinset validation failed!\n", DEBUG_STUB("%s %-35s: FD: %d, WARNING: Proceeding even though pinset validation failed!\n",
STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->fd); STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->fd);
#if defined(DAEMON_DEBUG) && DAEMON_DEBUG
else
DEBUG_DAEMON("%s %s : Conn failed : Transport=TLS - *Failure* - Pinset validation failure\n",
STUB_DEBUG_DAEMON, upstream->addr_str);
#endif
} else { } else {
/* If we _only_ had a pinset and it is good then force succesful /* If we _only_ had a pinset and it is good then force succesful
authentication when the cert self-signed */ authentication when the cert self-signed
TODO: We need to check for other error cases here, not blindly accept the cert!! */
if ((upstream->tls_pubkey_pinset && upstream->tls_auth_name[0] == '\0') && if ((upstream->tls_pubkey_pinset && upstream->tls_auth_name[0] == '\0') &&
(err == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN || (err == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN ||
err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)) { err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)) {
@ -915,6 +928,7 @@ tls_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
else if (upstream->tls_auth_state == GETDNS_AUTH_NONE && else if (upstream->tls_auth_state == GETDNS_AUTH_NONE &&
(upstream->tls_pubkey_pinset || upstream->tls_auth_name[0])) (upstream->tls_pubkey_pinset || upstream->tls_auth_name[0]))
upstream->tls_auth_state = GETDNS_AUTH_OK; upstream->tls_auth_state = GETDNS_AUTH_OK;
/* If fallback is allowed, proceed regardless of what the auth error is /* If fallback is allowed, proceed regardless of what the auth error is
(might not be hostname or pinset related) */ (might not be hostname or pinset related) */
return (upstream->tls_fallback_ok) ? 1 : preverify_ok; return (upstream->tls_fallback_ok) ? 1 : preverify_ok;