diff --git a/common/include/ssl_stream.h b/common/include/ssl_stream.h
index 74d6fd7..a49e3a8 100644
--- a/common/include/ssl_stream.h
+++ b/common/include/ssl_stream.h
@@ -44,3 +44,5 @@ int ssl_stream_set_integer_opt(struct ssl_stream *upstream, enum SSL_STREAM_OPT
 int ssl_stream_get_integer_opt(struct ssl_stream *upstream, enum SSL_STREAM_OPT opt_type, int *opt_val);
 int ssl_stream_get_string_opt(struct ssl_stream *upstream, enum SSL_STREAM_OPT opt_type, char* in_buff, size_t sz);
+unsigned int is_ssl_debug();
+
diff --git a/conf/tfe/tfe.conf b/conf/tfe/tfe.conf
index a151f8c..066b8b0 100644
--- a/conf/tfe/tfe.conf
+++ b/conf/tfe/tfe.conf
@@ -52,7 +52,7 @@ timeout_cnt_as_fail=3
 timeout_debug=0
 [ssl]
-ssl_ja3_debug=0
+ssl_debug=0
 ssl_ja3_table=PXY_SSL_FINGERPRINT
 # ssl version Not available, configured via TSG website
 # ssl_max_version=tls13
diff --git a/platform/include/internal/ssl_utils.h b/platform/include/internal/ssl_utils.h
index 2c4939d..be4cba3 100644
--- a/platform/include/internal/ssl_utils.h
+++ b/platform/include/internal/ssl_utils.h
@@ -180,7 +180,7 @@ int ssl_tls_clienthello_parse(const unsigned char *, ssize_t, int,
 int ssl_dnsname_match(const char *, size_t, const char *, size_t);
 char * ssl_wildcardify(const char *);
-
+void ssl_chain_dump(const char *sni, const char *chain_type, STACK_OF(X509) *chain);
 enum chello_parse_result {
diff --git a/platform/src/ssl_stream.cpp b/platform/src/ssl_stream.cpp
index 7b154bb..f28bb32 100644
--- a/platform/src/ssl_stream.cpp
+++ b/platform/src/ssl_stream.cpp
@@ -47,7 +47,7 @@ static int SSL_CTX_EX_DATA_IDX_SSLMGR;
 static int SSL_EX_DATA_IDX_SSLSTREAM;
-static unsigned int ssl_ja3_debug;
+static unsigned int ssl_debug;
 #define MAX_NET_RETRIES 50
 #define LATENCY_WARNING_THRESHOLD_MS 1000
@@ -289,6 +289,12 @@ struct fs_spec
 enum ssl_stream_stat id;
 const char* name;
 };
+
+unsigned int is_ssl_debug()
+{
+ return ssl_debug;
+}
+
 int sslver_str2num(const char * version_str)
 {
 int sslversion = -1;
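Review bot: `unsigned int is_ssl_debug();` in the shared header declares a function with an unspecified parameter list if the header is ever compiled as C, which disables argument checking at call sites; declare it as `unsigned int is_ssl_debug(void);` and mirror that in the definition added to ssl_stream.cpp in this same diff, where `()` is harmless under C++ but the two should agree. The declaration also carries no documentation, and callers cannot tell from the prototype when the value is meaningful; a comment such as `/* Value of the [ssl] ssl_debug profile key loaded by ssl_manager_init() (default 0); 0 until that runs. */` is grounded in the static zero-initialisation and the `MESA_load_profile_uint_def(..., 0)` call elsewhere in this diff. Whether common/include/ssl_stream.h is included from any C translation unit is not visible here.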
@@ -634,7 +640,7 @@ struct ssl_mgr * ssl_manager_init(const char * ini_profile, const char * section
 goto error_out;
 }
- MESA_load_profile_uint_def(ini_profile, section, "ssl_ja3_debug", &(ssl_ja3_debug), 0);
+ MESA_load_profile_uint_def(ini_profile, section, "ssl_debug", &(ssl_debug), 0);
 MESA_load_profile_string_def(ini_profile, section, "ssl_min_version", version_str, sizeof(version_str), "ssl3");
 mgr->ssl_min_version = sslver_str2num(version_str);
@@ -820,7 +826,7 @@ static void peek_client_hello_cb(evutil_socket_t fd, short what, void * arg)
 {
 case CHELLO_PARSE_SUCCESS:
 {
- if (ssl_ja3_debug)
+ if (is_ssl_debug())
 {
 char *addr = tfe_string_addr_create_by_fd(fd, CONN_DIR_DOWNSTREAM);
 struct ssl_ja3 *fingerprint = ssl_ja3_generate_fingerprint(buf, n);
diff --git a/platform/src/ssl_trusted_cert_storage.cpp b/platform/src/ssl_trusted_cert_storage.cpp
index 4111cd7..0f1a60f 100644
--- a/platform/src/ssl_trusted_cert_storage.cpp
+++ b/platform/src/ssl_trusted_cert_storage.cpp
@@ -1,6 +1,7 @@
 #include "ssl_trusted_cert_storage.h"
 #include "ssl_fetch_cert.h"
+#include "ssl_stream.h"
 #include "MESA_htable_aux.h"
 #include 
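Review bot: Renaming the profile key from `ssl_ja3_debug` to `ssl_debug` means a deployed tfe.conf that still sets `ssl_ja3_debug=1` silently ends up with debugging off, because `MESA_load_profile_uint_def` falls back to its default of 0 and nothing reports the stale key. If existing profiles must keep working, read the legacy key as a fallback, e.g. `unsigned int legacy = 0; MESA_load_profile_uint_def(ini_profile, section, "ssl_ja3_debug", &legacy, 0); if (legacy) ssl_debug = legacy;`, or at least log when the old key is present; otherwise the rename deserves a line in the change description. The exact fallback semantics of `MESA_load_profile_uint_def` are inferred from its use here and should be confirmed. ssl_manager_init begins before this hunk and continues after it.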
@@ -473,23 +474,36 @@ int ssl_trusted_cert_storage_verify_conn(struct ssl_trusted_cert_storage* storag
 ret=1;
 }
- TFE_LOG_DEBUG(g_default_logger,
- "sni:%s, cet_real_untrust:%d, verify_host_fail:%d, verify_issure_fail:%d, verify_self_signed_fail:%d, verify_expiry_date_fail:%d, verify_other_fail:%d",
- (hostname ? hostname : "NULL"),
- ((param->real_untrust & 0xff) ? 1 : 0),
- ((param->real_untrust & 0x01) ? 1 : 0),
- ((param->real_untrust & 0x02) ? 1 : 0),
- ((param->real_untrust & 0x04) ? 1 : 0),
- ((param->real_untrust & 0x08) ? 1 : 0),
- ((param->real_untrust & 0x10) ? 1 : 0));
+ if (is_ssl_debug())
+ {
+ TFE_LOG_DEBUG(g_default_logger,
+ "sni:%s, cet_real_untrust:%d, verify_host_fail:%d, verify_issure_fail:%d, verify_self_signed_fail:%d, verify_expiry_date_fail:%d, verify_other_fail:%d",
+ (hostname ? hostname : "NULL"),
+ ((param->real_untrust & 0xff) ? 1 : 0),
+ ((param->real_untrust & 0x01) ? 1 : 0),
+ ((param->real_untrust & 0x02) ? 1 : 0),
+ ((param->real_untrust & 0x04) ? 1 : 0),
+ ((param->real_untrust & 0x08) ? 1 : 0),
+ ((param->real_untrust & 0x10) ? 1 : 0));
+ ssl_chain_dump(hostname, "server_chain", cert_chain);
+ }
 // case cert verify success
- if (param->real_untrust == 0) {
- ssl_fetch_trusted_cert_from_chain(cert_chain, storage->effective_store, hostname);
+ if (param->real_untrust == 0)
+ {
+ STACK_OF(X509) *trust_chain = X509_STORE_CTX_get1_chain(ctx);
+ if (trust_chain)
+ {
+ if (is_ssl_debug())
+ {
+ ssl_chain_dump(hostname, "trust_chain", trust_chain);
+ }
+ ssl_fetch_trusted_cert_from_chain(trust_chain, storage->effective_store, hostname);
+ sk_X509_pop_free(trust_chain, X509_free);
+ }
 }
 X509_STORE_CTX_free(ctx);
 pthread_rwlock_unlock(&(storage->rwlock));
 return ret;
-}
-
+}
\ No newline at end of file
diff --git a/platform/src/ssl_utils.cpp b/platform/src/ssl_utils.cpp
index 4580f9b..4a6bd05 100644
--- a/platform/src/ssl_utils.cpp
+++ b/platform/src/ssl_utils.cpp
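Review bot: When `X509_STORE_CTX_get1_chain(ctx)` returns NULL the new verify-success branch skips `ssl_fetch_trusted_cert_from_chain` without any trace, whereas the old code always passed `cert_chain` to it, so an allocation failure here would silently stop trusted certificates from being cached for that host. Add an else branch, e.g. `else if (is_ssl_debug()) { TFE_LOG_DEBUG(g_default_logger, "sni:%s, X509_STORE_CTX_get1_chain returned NULL", hostname ? hostname : "NULL"); }` (or a warning-level macro if the logger provides one), or fall back to `cert_chain` if the previous behaviour is preferred. The new side also drops the file's trailing newline (`\ No newline at end of file`), which should be restored. ssl_trusted_cert_storage_verify_conn begins before this hunk.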
@@ -2395,3 +2395,45 @@ struct ssl_chello* ssl_chello_parse(const unsigned char* buff, size_t buff_len,
 }
 }
+void ssl_chain_dump(const char *sni, const char *chain_type, STACK_OF(X509) *chain)
+{
+ int j = 0;
+ char *subj = NULL;
+ char *issuer = NULL;
+ char *fingerprint = NULL;
+ X509 *cert = NULL;
+
+ if (chain == NULL)
+ {
+ return;
+ }
+
+ for (j = 0; j < sk_X509_num(chain); j++)
+ {
+ cert = sk_X509_value(chain, j);
+ if (cert == NULL)
+ continue;
+
+ subj = ssl_x509_subject(cert);
+ issuer = ssl_x509_issuer(cert);
+ fingerprint = ssl_x509_fingerprint(cert, 0);
+
+ TFE_LOG_DEBUG(g_default_logger, "sni:%s chain_type:%s depth=%d: subject:%s issuer:%s fingerprint:%s",
+ sni ? sni : "null", chain_type, j, subj ? subj : "null", issuer ? issuer : "null", fingerprint ? fingerprint : "null");
+ if (subj)
+ {
+ free(subj);
+ subj = NULL;
+ }
+ if (issuer)
+ {
+ free(issuer);
+ issuer = NULL;
+ }
+ if (fingerprint)
+ {
+ free(fingerprint);
+ fingerprint = NULL;
+ }
+ }
+}
\ No newline at end of file
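Review bot: `chain_type` is the only string argument of the `TFE_LOG_DEBUG` call that is not NULL-guarded, while `sni`, `subj`, `issuer` and `fingerprint` all are; passing NULL to `%s` is undefined behaviour, so use `chain_type ? chain_type : "null"` for consistency. The three `if (x) { free(x); x = NULL; }` blocks reduce to plain `free()` calls because `free(NULL)` is a no-op and each pointer is reassigned on the next iteration; declaring them inside the loop body makes that lifetime explicit. This assumes `ssl_x509_subject`/`ssl_x509_issuer`/`ssl_x509_fingerprint` return heap strings owned by the caller, which the existing `free()` calls suggest but the hunk does not show, and the meaning of the `0` passed to `ssl_x509_fingerprint` is not visible either. The new file ends without a trailing newline, and the declaration added to ssl_utils.h in this diff would benefit from a one-line comment such as `/* Log subject, issuer and fingerprint of every certificate in chain at DEBUG level; a NULL chain is a no-op. */`.
```cpp
    // … unchanged: NULL-chain guard …
    for (int j = 0; j < sk_X509_num(chain); j++)
    {
        X509 *cert = sk_X509_value(chain, j);
        if (cert == NULL)
            continue;

        char *subj = ssl_x509_subject(cert);
        char *issuer = ssl_x509_issuer(cert);
        char *fingerprint = ssl_x509_fingerprint(cert, 0);

        TFE_LOG_DEBUG(g_default_logger, "sni:%s chain_type:%s depth=%d: subject:%s issuer:%s fingerprint:%s",
                      sni ? sni : "null", chain_type ? chain_type : "null", j,
                      subj ? subj : "null", issuer ? issuer : "null", fingerprint ? fingerprint : "null");

        // free(NULL) is a no-op, so no guards are needed
        free(subj);
        free(issuer);
        free(fingerprint);
    }
```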