Diffstat (limited to 'vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.cpp')
-rw-r--r-- | vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.cpp | 23 |
1 files changed, 14 insertions, 9 deletions
diff --git a/vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.cpp b/vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.cpp
index c87dc1d2148..98675ec6b0b 100644
--- a/vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.cpp
+++ b/vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.cpp
@@ -2,6 +2,7 @@
 #include "iana_cipher_map.h"
 #include "openssl_typedefs.h"
 #include "openssl_tls_context_impl.h"
+#include "openssl_crypto_codec_impl.h"
 #include <vespa/vespalib/net/tls/crypto_exception.h>
 #include <vespa/vespalib/net/tls/statistics.h>
 #include <vespa/vespalib/net/tls/transport_security_options.h>
@@ -17,7 +18,7 @@
 #include <openssl/asn1.h>
 #include <openssl/pem.h>
-#include <vespa/log/log.h>
+#include <vespa/log/bufferedlogger.h>
 LOG_SETUP(".vespalib.net.tls.openssl_tls_context_impl");
 #if (OPENSSL_VERSION_NUMBER < 0x10000000L)
@@ -402,8 +403,6 @@ bool fill_certificate_subject_alternate_names(::X509* cert, PeerCredentials& cre
 } // anon ns
-// TODO if/when we want to move per-connection peer credentials into the crypto codec/socket
-// itself, we probably need to set the verification callback (data) on _SSL_, not _SSL_CTX_..!
 // Note: we try to be as conservative as possible. If anything looks out of place, we fail
 // secure by denying the connection.
 //
@@ -426,19 +425,22 @@ int OpenSslTlsContextImpl::verify_cb_wrapper(int preverified_ok, ::X509_STORE_CT
 void* data = ::X509_STORE_CTX_get_ex_data(store_ctx, ::SSL_get_ex_data_X509_STORE_CTX_idx());
 LOG_ASSERT(data != nullptr);
 auto* ssl = static_cast<::SSL*>(data);
+ data = SSL_get_app_data(ssl);
+ LOG_ASSERT(data != nullptr);
+ auto* codec_impl = static_cast<OpenSslCryptoCodecImpl*>(data);
 const ::SSL_CTX* ssl_ctx = ::SSL_get_SSL_CTX(ssl);
 LOG_ASSERT(ssl_ctx != nullptr);
 auto* self = static_cast<OpenSslTlsContextImpl*>(SSL_CTX_get_app_data(ssl_ctx));
 LOG_ASSERT(self != nullptr);
- if (self->verify_trusted_certificate(store_ctx)) {
+ if (self->verify_trusted_certificate(store_ctx, codec_impl->peer_address())) {
 return 1;
 }
 ConnectionStatistics::get(SSL_in_accept_init(ssl) != 0).inc_invalid_peer_credentials();
 return 0;
 }
-bool OpenSslTlsContextImpl::verify_trusted_certificate(::X509_STORE_CTX* store_ctx) {
+bool OpenSslTlsContextImpl::verify_trusted_certificate(::X509_STORE_CTX* store_ctx, const SocketAddress& peer_address) {
 const auto authz_mode = authorization_mode();
 // TODO consider if we want to fill in peer credentials even if authorization is disabled
 if (authz_mode == AuthorizationMode::Disable) {
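Review bot: The added `static_cast<OpenSslCryptoCodecImpl*>(SSL_get_app_data(ssl))` in verify_cb_wrapper is an unchecked type assumption: `SSL_get_app_data` hands back a `void*`, and nothing in this hunk ties that pointer to the codec type, so whatever code stores the SSL app data must be its only writer and must always store an `OpenSslCryptoCodecImpl`. That invariant lives outside this hunk (presumably where the codec creates its SSL object), so please state it at the cast, e.g. `// SSL app data is set to the owning OpenSslCryptoCodecImpl when the codec is constructed; no other code may set it, otherwise this cast is a type confusion.` Reusing the `data` local for two unrelated pointers also makes the assert sequence harder to follow; `void* codec_data = SSL_get_app_data(ssl);` keeps the X509_STORE_CTX ex-data lookup and the SSL app-data lookup distinct. verify_trusted_certificate's body continues past the end of the hunk.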
@@ -459,13 +461,16 @@ bool OpenSslTlsContextImpl::verify_trusted_certificate(::X509_STORE_C
 try {
 const bool verified_by_cb = _cert_verify_callback->verify(creds);
 if (!verified_by_cb) {
- // TODO we should print the peer's remote address too, but that information is
- // not currently available to us here.
- LOG(warning, "Certificate verification failed for %s", to_string(creds).c_str());
+ // Buffer warnings on peer IP address to avoid log flooding.
+ LOGBT(warning, peer_address.ip_address(), "Certificate verification of peer '%s' failed with %s", peer_address.spec().c_str(), to_string(creds).c_str());
 return (authz_mode != AuthorizationMode::Enforce);
 }
 } catch (std::exception& e) {
- LOG(error, "Got exception during certificate verification callback: %s", e.what());
+ LOGBT(error, peer_address.ip_address(), "Got exception during certificate verification callback for peer '%s': %s", peer_address.spec().c_str(), e.what());
 return false;
 }
 // we don't expect any non-std::exception derived exceptions, so let them terminate the process.
 return true;
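Review bot: Both new `LOGBT` calls key the buffering on `peer_address.ip_address()` alone, so if the buffered logger collapses messages by token (I have not checked bufferedlogger's semantics here), distinct failures from the same IP — different ports in `spec()`, different credentials in `to_string(creds)`, or different `e.what()` text in the catch path — would be folded under whichever message arrived first in the buffering window. That is the right trade-off for the flooding case the comment names, but it means the logged credentials and exception text are a sample rather than a complete record, which anyone using these lines for detection needs to know. Please say so in the comment, e.g. `// Buffer on peer IP address to avoid log flooding; only the first message per IP in the buffer window is logged verbatim, later ones from that IP are aggregated.`, adjusted to the actual bufferedlogger behaviour. The same note applies to the error-level LOGBT in the catch block.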