comparison libfdcore/cnxctx.c @ 1256:bd6b40c9f731
Fix message display level on TLS errors
author | Sebastien Decugis <sdecugis@freediameter.net> |
---|---|
date | Sun, 02 Feb 2014 18:06:43 +0800 |
parents | 98478a8aabb1 |
children | 25fad6714991 |
1255:c6a4bda62ccc | 1256:bd6b40c9f731 |
---|---|
1187 if (verbose) { | 1187 if (verbose) { |
1188 const char *tmp; | 1188 const char *tmp; |
1189 gnutls_kx_algorithm_t kx; | 1189 gnutls_kx_algorithm_t kx; |
1190 gnutls_credentials_type_t cred; | 1190 gnutls_credentials_type_t cred; |
1191 | 1191 |
1192 LOG_A("TLS Session information for connection '%s':", conn->cc_id); | 1192 LOG_D("TLS Session information for connection '%s':", conn->cc_id); |
1193 | 1193 |
1194 /* print the key exchange's algorithm name */ | 1194 /* print the key exchange's algorithm name */ |
1195 GNUTLS_TRACE( kx = gnutls_kx_get (session) ); | 1195 GNUTLS_TRACE( kx = gnutls_kx_get (session) ); |
1196 GNUTLS_TRACE( tmp = gnutls_kx_get_name (kx) ); | 1196 GNUTLS_TRACE( tmp = gnutls_kx_get_name (kx) ); |
1197 LOG_A("\t - Key Exchange: %s", tmp); | 1197 LOG_D("\t - Key Exchange: %s", tmp); |
1198 | 1198 |
1199 /* Check the authentication type used and switch | 1199 /* Check the authentication type used and switch |
1200 * to the appropriate. */ | 1200 * to the appropriate. */ |
1201 GNUTLS_TRACE( cred = gnutls_auth_get_type (session) ); | 1201 GNUTLS_TRACE( cred = gnutls_auth_get_type (session) ); |
1202 switch (cred) | 1202 switch (cred) |
1203 { | 1203 { |
1204 case GNUTLS_CRD_IA: | 1204 case GNUTLS_CRD_IA: |
1205 LOG_A("\t - TLS/IA session"); | 1205 LOG_D("\t - TLS/IA session"); |
1206 break; | 1206 break; |
1207 | 1207 |
1208 case GNUTLS_CRD_PSK: | 1208 case GNUTLS_CRD_PSK: |
1209 /* This returns NULL in server side. */ | 1209 /* This returns NULL in server side. */ |
1210 if (gnutls_psk_client_get_hint (session) != NULL) | 1210 if (gnutls_psk_client_get_hint (session) != NULL) |
1211 LOG_A("\t - PSK authentication. PSK hint '%s'", | 1211 LOG_D("\t - PSK authentication. PSK hint '%s'", |
1212 gnutls_psk_client_get_hint (session)); | 1212 gnutls_psk_client_get_hint (session)); |
1213 /* This returns NULL in client side. */ | 1213 /* This returns NULL in client side. */ |
1214 if (gnutls_psk_server_get_username (session) != NULL) | 1214 if (gnutls_psk_server_get_username (session) != NULL) |
1215 LOG_A("\t - PSK authentication. Connected as '%s'", | 1215 LOG_D("\t - PSK authentication. Connected as '%s'", |
1216 gnutls_psk_server_get_username (session)); | 1216 gnutls_psk_server_get_username (session)); |
1217 break; | 1217 break; |
1218 | 1218 |
1219 case GNUTLS_CRD_ANON: /* anonymous authentication */ | 1219 case GNUTLS_CRD_ANON: /* anonymous authentication */ |
1220 LOG_A("\t - Anonymous DH using prime of %d bits", | 1220 LOG_D("\t - Anonymous DH using prime of %d bits", |
1221 gnutls_dh_get_prime_bits (session)); | 1221 gnutls_dh_get_prime_bits (session)); |
1222 break; | 1222 break; |
1223 | 1223 |
1224 case GNUTLS_CRD_CERTIFICATE: /* certificate authentication */ | 1224 case GNUTLS_CRD_CERTIFICATE: /* certificate authentication */ |
1225 /* Check if we have been using ephemeral Diffie-Hellman. */ | 1225 /* Check if we have been using ephemeral Diffie-Hellman. */ |
1226 if (kx == GNUTLS_KX_DHE_RSA || kx == GNUTLS_KX_DHE_DSS) { | 1226 if (kx == GNUTLS_KX_DHE_RSA || kx == GNUTLS_KX_DHE_DSS) { |
1227 LOG_A("\t - Ephemeral DH using prime of %d bits", | 1227 LOG_D("\t - Ephemeral DH using prime of %d bits", |
1228 gnutls_dh_get_prime_bits (session)); | 1228 gnutls_dh_get_prime_bits (session)); |
1229 } | 1229 } |
1230 break; | 1230 break; |
1231 #ifdef ENABLE_SRP | 1231 #ifdef ENABLE_SRP |
1232 case GNUTLS_CRD_SRP: | 1232 case GNUTLS_CRD_SRP: |
1233 LOG_A("\t - SRP session with username %s", | 1233 LOG_D("\t - SRP session with username %s", |
1234 gnutls_srp_server_get_username (session)); | 1234 gnutls_srp_server_get_username (session)); |
1235 break; | 1235 break; |
1236 #endif /* ENABLE_SRP */ | 1236 #endif /* ENABLE_SRP */ |
1237 | 1237 |
1238 default: | 1238 default: |
1241 | 1241 |
1242 } | 1242 } |
1243 | 1243 |
1244 /* print the protocol's name (ie TLS 1.0) */ | 1244 /* print the protocol's name (ie TLS 1.0) */ |
1245 tmp = gnutls_protocol_get_name (gnutls_protocol_get_version (session)); | 1245 tmp = gnutls_protocol_get_name (gnutls_protocol_get_version (session)); |
1246 LOG_A("\t - Protocol: %s", tmp); | 1246 LOG_D("\t - Protocol: %s", tmp); |
1247 | 1247 |
1248 /* print the certificate type of the peer. ie X.509 */ | 1248 /* print the certificate type of the peer. ie X.509 */ |
1249 tmp = gnutls_certificate_type_get_name (gnutls_certificate_type_get (session)); | 1249 tmp = gnutls_certificate_type_get_name (gnutls_certificate_type_get (session)); |
1250 LOG_A("\t - Certificate Type: %s", tmp); | 1250 LOG_D("\t - Certificate Type: %s", tmp); |
1251 | 1251 |
1252 /* print the compression algorithm (if any) */ | 1252 /* print the compression algorithm (if any) */ |
1253 tmp = gnutls_compression_get_name (gnutls_compression_get (session)); | 1253 tmp = gnutls_compression_get_name (gnutls_compression_get (session)); |
1254 LOG_A("\t - Compression: %s", tmp); | 1254 LOG_D("\t - Compression: %s", tmp); |
1255 | 1255 |
1256 /* print the name of the cipher used. ie 3DES. */ | 1256 /* print the name of the cipher used. ie 3DES. */ |
1257 tmp = gnutls_cipher_get_name (gnutls_cipher_get (session)); | 1257 tmp = gnutls_cipher_get_name (gnutls_cipher_get (session)); |
1258 LOG_A("\t - Cipher: %s", tmp); | 1258 LOG_D("\t - Cipher: %s", tmp); |
1259 | 1259 |
1260 /* Print the MAC algorithms name. ie SHA1 */ | 1260 /* Print the MAC algorithms name. ie SHA1 */ |
1261 tmp = gnutls_mac_get_name (gnutls_mac_get (session)); | 1261 tmp = gnutls_mac_get_name (gnutls_mac_get (session)); |
1262 LOG_A("\t - MAC: %s", tmp); | 1262 LOG_D("\t - MAC: %s", tmp); |
1263 } | 1263 } |
1264 #endif /* DEBUG */ | 1264 #endif /* DEBUG */ |
1265 | 1265 |
1266 /* First, use built-in verification */ | 1266 /* First, use built-in verification */ |
1267 CHECK_GNUTLS_DO( gnutls_certificate_verify_peers2 (session, >ret), return EINVAL ); | 1267 CHECK_GNUTLS_DO( gnutls_certificate_verify_peers2 (session, >ret), return EINVAL ); |
1268 if (gtret) { | 1268 if (gtret) { |
1269 if (TRACE_BOOL(INFO)) { | 1269 LOG_E("TLS: Remote certificate invalid on socket %d (Remote: '%s')(Connection: '%s') :", conn->cc_socket, conn->cc_remid, conn->cc_id); |
1270 fd_log_debug("TLS: Remote certificate invalid on socket %d (Remote: '%s')(Connection: '%s') :", conn->cc_socket, conn->cc_remid, conn->cc_id); | 1270 if (gtret & GNUTLS_CERT_INVALID) |
1271 if (gtret & GNUTLS_CERT_INVALID) | 1271 LOG_E(" - The certificate is not trusted (unknown CA? expired?)"); |
1272 fd_log_debug(" - The certificate is not trusted (unknown CA? expired?)"); | 1272 if (gtret & GNUTLS_CERT_REVOKED) |
1273 if (gtret & GNUTLS_CERT_REVOKED) | 1273 LOG_E(" - The certificate has been revoked."); |
1274 fd_log_debug(" - The certificate has been revoked."); | 1274 if (gtret & GNUTLS_CERT_SIGNER_NOT_FOUND) |
1275 if (gtret & GNUTLS_CERT_SIGNER_NOT_FOUND) | 1275 LOG_E(" - The certificate hasn't got a known issuer."); |
1276 fd_log_debug(" - The certificate hasn't got a known issuer."); | 1276 if (gtret & GNUTLS_CERT_SIGNER_NOT_CA) |
1277 if (gtret & GNUTLS_CERT_SIGNER_NOT_CA) | 1277 LOG_E(" - The certificate signer is not a CA, or uses version 1, or 3 without basic constraints."); |
1278 fd_log_debug(" - The certificate signer is not a CA, or uses version 1, or 3 without basic constraints."); | 1278 if (gtret & GNUTLS_CERT_INSECURE_ALGORITHM) |
1279 if (gtret & GNUTLS_CERT_INSECURE_ALGORITHM) | 1279 LOG_E(" - The certificate signature uses a weak algorithm."); |
1280 fd_log_debug(" - The certificate signature uses a weak algorithm."); | |
1281 } | |
1282 return EINVAL; | 1280 return EINVAL; |
1283 } | 1281 } |
1284 | 1282 |
1285 /* Code from http://www.gnu.org/software/gnutls/manual/gnutls.html#Verifying-peer_0027s-certificate */ | 1283 /* Code from http://www.gnu.org/software/gnutls/manual/gnutls.html#Verifying-peer_0027s-certificate */ |
1286 if (gnutls_certificate_type_get (session) != GNUTLS_CRT_X509) | 1284 if (gnutls_certificate_type_get (session) != GNUTLS_CRT_X509) { |
1285 LOG_E("TLS: Remote peer did not present a certificate, other mechanisms are not supported yet. socket %d (Remote: '%s')(Connection: '%s') :", conn->cc_socket, conn->cc_remid, conn->cc_id); | |
1287 return EINVAL; | 1286 return EINVAL; |
1287 } | |
1288 | 1288 |
1289 GNUTLS_TRACE( cert_list = gnutls_certificate_get_peers (session, &cert_list_size) ); | 1289 GNUTLS_TRACE( cert_list = gnutls_certificate_get_peers (session, &cert_list_size) ); |
1290 if (cert_list == NULL) | 1290 if (cert_list == NULL) |
1291 return EINVAL; | 1291 return EINVAL; |
1292 | 1292 |
1357 CHECK_GNUTLS_DO( gnutls_x509_crt_init (&cert), return EINVAL); | 1357 CHECK_GNUTLS_DO( gnutls_x509_crt_init (&cert), return EINVAL); |
1358 CHECK_GNUTLS_DO( gnutls_x509_crt_import (cert, &cert_list[i], GNUTLS_X509_FMT_DER), return EINVAL); | 1358 CHECK_GNUTLS_DO( gnutls_x509_crt_import (cert, &cert_list[i], GNUTLS_X509_FMT_DER), return EINVAL); |
1359 | 1359 |
1360 GNUTLS_TRACE( deadline = gnutls_x509_crt_get_expiration_time(cert) ); | 1360 GNUTLS_TRACE( deadline = gnutls_x509_crt_get_expiration_time(cert) ); |
1361 if ((deadline != (time_t)-1) && (deadline < now)) { | 1361 if ((deadline != (time_t)-1) && (deadline < now)) { |
1362 if (TRACE_BOOL(INFO)) { | 1362 LOG_E("TLS: Remote certificate invalid on socket %d (Remote: '%s')(Connection: '%s') :", conn->cc_socket, conn->cc_remid, conn->cc_id); |
1363 fd_log_debug("TLS: Remote certificate invalid on socket %d (Remote: '%s')(Connection: '%s') :", conn->cc_socket, conn->cc_remid, conn->cc_id); | 1363 LOG_E(" - The certificate %d in the chain is expired", i); |
1364 fd_log_debug(" - The certificate %d in the chain is expired", i); | |
1365 } | |
1366 ret = EINVAL; | 1364 ret = EINVAL; |
1367 } | 1365 } |
1368 | 1366 |
1369 GNUTLS_TRACE( deadline = gnutls_x509_crt_get_activation_time(cert) ); | 1367 GNUTLS_TRACE( deadline = gnutls_x509_crt_get_activation_time(cert) ); |
1370 if ((deadline != (time_t)-1) && (deadline > now)) { | 1368 if ((deadline != (time_t)-1) && (deadline > now)) { |
1371 if (TRACE_BOOL(INFO)) { | 1369 LOG_E("TLS: Remote certificate invalid on socket %d (Remote: '%s')(Connection: '%s') :", conn->cc_socket, conn->cc_remid, conn->cc_id); |
1372 fd_log_debug("TLS: Remote certificate invalid on socket %d (Remote: '%s')(Connection: '%s') :", conn->cc_socket, conn->cc_remid, conn->cc_id); | 1370 LOG_E(" - The certificate %d in the chain is not yet activated", i); |
1373 fd_log_debug(" - The certificate %d in the chain is not yet activated", i); | |
1374 } | |
1375 ret = EINVAL; | 1371 ret = EINVAL; |
1376 } | 1372 } |
1377 | 1373 |
1378 if ((i == 0) && (conn->cc_tls_para.cn)) { | 1374 if ((i == 0) && (conn->cc_tls_para.cn)) { |
1379 if (!gnutls_x509_crt_check_hostname (cert, conn->cc_tls_para.cn)) { | 1375 if (!gnutls_x509_crt_check_hostname (cert, conn->cc_tls_para.cn)) { |
1380 if (TRACE_BOOL(INFO)) { | 1376 LOG_E("TLS: Remote certificate invalid on socket %d (Remote: '%s')(Connection: '%s') :", conn->cc_socket, conn->cc_remid, conn->cc_id); |
1381 fd_log_debug("TLS: Remote certificate invalid on socket %d (Remote: '%s')(Connection: '%s') :", conn->cc_socket, conn->cc_remid, conn->cc_id); | 1377 LOG_E(" - The certificate hostname does not match '%s'", conn->cc_tls_para.cn); |
1382 fd_log_debug(" - The certificate hostname does not match '%s'", conn->cc_tls_para.cn); | |
1383 } | |
1384 ret = EINVAL; | 1378 ret = EINVAL; |
1385 } | 1379 } |
1386 } | 1380 } |
1387 | 1381 |
1388 GNUTLS_TRACE( gnutls_x509_crt_deinit (cert) ); | 1382 GNUTLS_TRACE( gnutls_x509_crt_deinit (cert) ); |
1422 | 1416 |
1423 /* print the key exchange's algorithm name | 1417 /* print the key exchange's algorithm name |
1424 */ | 1418 */ |
1425 GNUTLS_TRACE( kx = gnutls_kx_get (session) ); | 1419 GNUTLS_TRACE( kx = gnutls_kx_get (session) ); |
1426 GNUTLS_TRACE( tmp = gnutls_kx_get_name (kx) ); | 1420 GNUTLS_TRACE( tmp = gnutls_kx_get_name (kx) ); |
1427 LOG_A("\t- Key Exchange: %s", tmp); | 1421 LOG_D("\t- Key Exchange: %s", tmp); |
1428 | 1422 |
1429 /* Check the authentication type used and switch | 1423 /* Check the authentication type used and switch |
1430 * to the appropriate. | 1424 * to the appropriate. |
1431 */ | 1425 */ |
1432 GNUTLS_TRACE( cred = gnutls_auth_get_type (session) ); | 1426 GNUTLS_TRACE( cred = gnutls_auth_get_type (session) ); |
1433 switch (cred) | 1427 switch (cred) |
1434 { | 1428 { |
1435 case GNUTLS_CRD_IA: | 1429 case GNUTLS_CRD_IA: |
1436 LOG_A("\t - TLS/IA session"); | 1430 LOG_D("\t - TLS/IA session"); |
1437 break; | 1431 break; |
1438 | 1432 |
1439 | 1433 |
1440 #ifdef ENABLE_SRP | 1434 #ifdef ENABLE_SRP |
1441 case GNUTLS_CRD_SRP: | 1435 case GNUTLS_CRD_SRP: |
1442 LOG_A("\t - SRP session with username %s", | 1436 LOG_D("\t - SRP session with username %s", |
1443 gnutls_srp_server_get_username (session)); | 1437 gnutls_srp_server_get_username (session)); |
1444 break; | 1438 break; |
1445 #endif | 1439 #endif |
1446 | 1440 |
1447 case GNUTLS_CRD_PSK: | 1441 case GNUTLS_CRD_PSK: |
1448 /* This returns NULL in server side. | 1442 /* This returns NULL in server side. |
1449 */ | 1443 */ |
1450 if (gnutls_psk_client_get_hint (session) != NULL) | 1444 if (gnutls_psk_client_get_hint (session) != NULL) |
1451 LOG_A("\t - PSK authentication. PSK hint '%s'", | 1445 LOG_D("\t - PSK authentication. PSK hint '%s'", |
1452 gnutls_psk_client_get_hint (session)); | 1446 gnutls_psk_client_get_hint (session)); |
1453 /* This returns NULL in client side. | 1447 /* This returns NULL in client side. |
1454 */ | 1448 */ |
1455 if (gnutls_psk_server_get_username (session) != NULL) | 1449 if (gnutls_psk_server_get_username (session) != NULL) |
1456 LOG_A("\t - PSK authentication. Connected as '%s'", | 1450 LOG_D("\t - PSK authentication. Connected as '%s'", |
1457 gnutls_psk_server_get_username (session)); | 1451 gnutls_psk_server_get_username (session)); |
1458 | 1452 |
1459 if (kx == GNUTLS_KX_ECDHE_PSK) | 1453 if (kx == GNUTLS_KX_ECDHE_PSK) |
1460 ecdh = 1; | 1454 ecdh = 1; |
1461 else if (kx == GNUTLS_KX_DHE_PSK) | 1455 else if (kx == GNUTLS_KX_DHE_PSK) |
1462 dhe = 1; | 1456 dhe = 1; |
1463 break; | 1457 break; |
1464 | 1458 |
1465 case GNUTLS_CRD_ANON: /* anonymous authentication */ | 1459 case GNUTLS_CRD_ANON: /* anonymous authentication */ |
1466 LOG_A("\t - Anonymous DH using prime of %d bits", | 1460 LOG_D("\t - Anonymous DH using prime of %d bits", |
1467 gnutls_dh_get_prime_bits (session)); | 1461 gnutls_dh_get_prime_bits (session)); |
1468 if (kx == GNUTLS_KX_ANON_ECDH) | 1462 if (kx == GNUTLS_KX_ANON_ECDH) |
1469 ecdh = 1; | 1463 ecdh = 1; |
1470 else if (kx == GNUTLS_KX_ANON_DH) | 1464 else if (kx == GNUTLS_KX_ANON_DH) |
1471 dhe = 1; | 1465 dhe = 1; |
1484 if (gnutls_certificate_type_get (session) == GNUTLS_CRT_X509) { | 1478 if (gnutls_certificate_type_get (session) == GNUTLS_CRT_X509) { |
1485 gnutls_datum_t cinfo; | 1479 gnutls_datum_t cinfo; |
1486 | 1480 |
1487 cert_list = gnutls_certificate_get_peers (session, &cert_list_size); | 1481 cert_list = gnutls_certificate_get_peers (session, &cert_list_size); |
1488 | 1482 |
1489 LOG_A("\t Peer provided %d certificates.", cert_list_size); | 1483 LOG_D("\t Peer provided %d certificates.", cert_list_size); |
1490 | 1484 |
1491 if (cert_list_size > 0) | 1485 if (cert_list_size > 0) |
1492 { | 1486 { |
1493 int ret; | 1487 int ret; |
1494 | 1488 |
1504 a certificate. */ | 1498 a certificate. */ |
1505 | 1499 |
1506 ret = gnutls_x509_crt_print (cert, GNUTLS_CRT_PRINT_ONELINE, &cinfo); | 1500 ret = gnutls_x509_crt_print (cert, GNUTLS_CRT_PRINT_ONELINE, &cinfo); |
1507 if (ret == 0) | 1501 if (ret == 0) |
1508 { | 1502 { |
1509 LOG_A("\t\t%s", cinfo.data); | 1503 LOG_D("\t\t%s", cinfo.data); |
1510 gnutls_free (cinfo.data); | 1504 gnutls_free (cinfo.data); |
1511 } | 1505 } |
1512 | 1506 |
1513 if (conn->cc_tls_para.cn) { | 1507 if (conn->cc_tls_para.cn) { |
1514 if (!gnutls_x509_crt_check_hostname (cert, conn->cc_tls_para.cn)) { | 1508 if (!gnutls_x509_crt_check_hostname (cert, conn->cc_tls_para.cn)) { |
1515 fd_log_debug("\tTLS: Remote certificate invalid on socket %d (Remote: '%s')(Connection: '%s') :", conn->cc_socket, conn->cc_remid, conn->cc_id); | 1509 LOG_E("\tTLS: Remote certificate invalid on socket %d (Remote: '%s')(Connection: '%s') :", conn->cc_socket, conn->cc_remid, conn->cc_id); |
1516 fd_log_debug("\t - The certificate hostname does not match '%s'", conn->cc_tls_para.cn); | 1510 LOG_E("\t - The certificate hostname does not match '%s'", conn->cc_tls_para.cn); |
1517 gnutls_x509_crt_deinit (cert); | 1511 gnutls_x509_crt_deinit (cert); |
1518 return GNUTLS_E_CERTIFICATE_ERROR; | 1512 return GNUTLS_E_CERTIFICATE_ERROR; |
1519 } | 1513 } |
1520 | 1514 |
1521 } | 1515 } |
1527 } | 1521 } |
1528 } | 1522 } |
1529 break; | 1523 break; |
1530 | 1524 |
1531 default: | 1525 default: |
1532 LOG_A("\t - unknown session type (%d)", cred); | 1526 LOG_E("\t - unknown session type (%d)", cred); |
1533 | 1527 |
1534 } /* switch */ | 1528 } /* switch */ |
1535 | 1529 |
1536 if (ecdh != 0) | 1530 if (ecdh != 0) |
1537 LOG_A("\t - Ephemeral ECDH using curve %s", | 1531 LOG_D("\t - Ephemeral ECDH using curve %s", |
1538 gnutls_ecc_curve_get_name (gnutls_ecc_curve_get (session))); | 1532 gnutls_ecc_curve_get_name (gnutls_ecc_curve_get (session))); |
1539 else if (dhe != 0) | 1533 else if (dhe != 0) |
1540 LOG_A("\t - Ephemeral DH using prime of %d bits", | 1534 LOG_D("\t - Ephemeral DH using prime of %d bits", |
1541 gnutls_dh_get_prime_bits (session)); | 1535 gnutls_dh_get_prime_bits (session)); |
1542 | 1536 |
1543 /* print the protocol's name (ie TLS 1.0) | 1537 /* print the protocol's name (ie TLS 1.0) |
1544 */ | 1538 */ |
1545 tmp = gnutls_protocol_get_name (gnutls_protocol_get_version (session)); | 1539 tmp = gnutls_protocol_get_name (gnutls_protocol_get_version (session)); |
1546 LOG_A("\t - Protocol: %s", tmp); | 1540 LOG_D("\t - Protocol: %s", tmp); |
1547 | 1541 |
1548 /* print the certificate type of the peer. | 1542 /* print the certificate type of the peer. |
1549 * ie X.509 | 1543 * ie X.509 |
1550 */ | 1544 */ |
1551 tmp = gnutls_certificate_type_get_name (gnutls_certificate_type_get (session)); | 1545 tmp = gnutls_certificate_type_get_name (gnutls_certificate_type_get (session)); |
1552 LOG_A("\t - Certificate Type: %s", tmp); | 1546 LOG_D("\t - Certificate Type: %s", tmp); |
1553 | 1547 |
1554 /* print the compression algorithm (if any) | 1548 /* print the compression algorithm (if any) |
1555 */ | 1549 */ |
1556 tmp = gnutls_compression_get_name (gnutls_compression_get (session)); | 1550 tmp = gnutls_compression_get_name (gnutls_compression_get (session)); |
1557 LOG_A("\t - Compression: %s", tmp); | 1551 LOG_D("\t - Compression: %s", tmp); |
1558 | 1552 |
1559 /* print the name of the cipher used. | 1553 /* print the name of the cipher used. |
1560 * ie 3DES. | 1554 * ie 3DES. |
1561 */ | 1555 */ |
1562 tmp = gnutls_cipher_get_name (gnutls_cipher_get (session)); | 1556 tmp = gnutls_cipher_get_name (gnutls_cipher_get (session)); |
1563 LOG_A("\t - Cipher: %s", tmp); | 1557 LOG_D("\t - Cipher: %s", tmp); |
1564 | 1558 |
1565 /* Print the MAC algorithms name. | 1559 /* Print the MAC algorithms name. |
1566 * ie SHA1 | 1560 * ie SHA1 |
1567 */ | 1561 */ |
1568 tmp = gnutls_mac_get_name (gnutls_mac_get (session)); | 1562 tmp = gnutls_mac_get_name (gnutls_mac_get (session)); |
1569 LOG_A("\t - MAC: %s", tmp); | 1563 LOG_D("\t - MAC: %s", tmp); |
1570 | 1564 |
1571 #endif /* DEBUG */ | 1565 #endif /* DEBUG */ |
1572 | 1566 |
1573 /* This verification function uses the trusted CAs in the credentials | 1567 /* This verification function uses the trusted CAs in the credentials |
1574 * structure. So you must have installed one or more CA certificates. | 1568 * structure. So you must have installed one or more CA certificates. |
1575 */ | 1569 */ |
1576 CHECK_GNUTLS_DO( gnutls_certificate_verify_peers2 (session, &status), return GNUTLS_E_CERTIFICATE_ERROR ); | 1570 CHECK_GNUTLS_DO( gnutls_certificate_verify_peers2 (session, &status), return GNUTLS_E_CERTIFICATE_ERROR ); |
1577 if (TRACE_BOOL(INFO) && (status & GNUTLS_CERT_INVALID)) { | 1571 if (status & GNUTLS_CERT_INVALID) { |
1578 fd_log_debug("TLS: Remote certificate invalid on socket %d (Remote: '%s')(Connection: '%s') :", conn->cc_socket, conn->cc_remid, conn->cc_id); | 1572 LOG_E("TLS: Remote certificate invalid on socket %d (Remote: '%s')(Connection: '%s') :", conn->cc_socket, conn->cc_remid, conn->cc_id); |
1579 if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) | 1573 if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) |
1580 fd_log_debug(" - The certificate hasn't got a known issuer."); | 1574 LOG_E(" - The certificate hasn't got a known issuer."); |
1581 | 1575 |
1582 if (status & GNUTLS_CERT_REVOKED) | 1576 if (status & GNUTLS_CERT_REVOKED) |
1583 fd_log_debug(" - The certificate has been revoked."); | 1577 LOG_E(" - The certificate has been revoked."); |
1584 | 1578 |
1585 if (status & GNUTLS_CERT_EXPIRED) | 1579 if (status & GNUTLS_CERT_EXPIRED) |
1586 fd_log_debug(" - The certificate has expired."); | 1580 LOG_E(" - The certificate has expired."); |
1587 | 1581 |
1588 if (status & GNUTLS_CERT_NOT_ACTIVATED) | 1582 if (status & GNUTLS_CERT_NOT_ACTIVATED) |
1589 fd_log_debug(" - The certificate is not yet activated."); | 1583 LOG_E(" - The certificate is not yet activated."); |
1590 } | 1584 } |
1591 if (status & GNUTLS_CERT_INVALID) | 1585 if (status & GNUTLS_CERT_INVALID) |
1592 { | 1586 { |
1593 return GNUTLS_E_CERTIFICATE_ERROR; | 1587 return GNUTLS_E_CERTIFICATE_ERROR; |
1594 } | 1588 } |
1597 * OpenPGP keys. From now on X.509 certificates are assumed. This can | 1591 * OpenPGP keys. From now on X.509 certificates are assumed. This can |
1598 * be easily extended to work with openpgp keys as well. | 1592 * be easily extended to work with openpgp keys as well. |
1599 */ | 1593 */ |
1600 if ((!hostname_verified) && (conn->cc_tls_para.cn)) { | 1594 if ((!hostname_verified) && (conn->cc_tls_para.cn)) { |
1601 if (gnutls_certificate_type_get (session) != GNUTLS_CRT_X509) { | 1595 if (gnutls_certificate_type_get (session) != GNUTLS_CRT_X509) { |
1602 TRACE_DEBUG(INFO, "TLS: Remote credentials are not x509, rejected on socket %d (Remote: '%s')(Connection: '%s') :", conn->cc_socket, conn->cc_remid, conn->cc_id); | 1596 LOG_E("TLS: Remote credentials are not x509, rejected on socket %d (Remote: '%s')(Connection: '%s') :", conn->cc_socket, conn->cc_remid, conn->cc_id); |
1603 return GNUTLS_E_CERTIFICATE_ERROR; | 1597 return GNUTLS_E_CERTIFICATE_ERROR; |
1604 } | 1598 } |
1605 | 1599 |
1606 CHECK_GNUTLS_DO( gnutls_x509_crt_init (&cert), return GNUTLS_E_CERTIFICATE_ERROR ); | 1600 CHECK_GNUTLS_DO( gnutls_x509_crt_init (&cert), return GNUTLS_E_CERTIFICATE_ERROR ); |
1607 | 1601 |
1609 CHECK_PARAMS_DO( cert_list, return GNUTLS_E_CERTIFICATE_ERROR ); | 1603 CHECK_PARAMS_DO( cert_list, return GNUTLS_E_CERTIFICATE_ERROR ); |
1610 | 1604 |
1611 CHECK_GNUTLS_DO( gnutls_x509_crt_import (cert, &cert_list[0], GNUTLS_X509_FMT_DER), return GNUTLS_E_CERTIFICATE_ERROR ); | 1605 CHECK_GNUTLS_DO( gnutls_x509_crt_import (cert, &cert_list[0], GNUTLS_X509_FMT_DER), return GNUTLS_E_CERTIFICATE_ERROR ); |
1612 | 1606 |
1613 if (!gnutls_x509_crt_check_hostname (cert, conn->cc_tls_para.cn)) { | 1607 if (!gnutls_x509_crt_check_hostname (cert, conn->cc_tls_para.cn)) { |
1614 if (TRACE_BOOL(INFO)) { | 1608 LOG_E("TLS: Remote certificate invalid on socket %d (Remote: '%s')(Connection: '%s') :", conn->cc_socket, conn->cc_remid, conn->cc_id); |
1615 fd_log_debug("TLS: Remote certificate invalid on socket %d (Remote: '%s')(Connection: '%s') :", conn->cc_socket, conn->cc_remid, conn->cc_id); | 1609 LOG_E(" - The certificate hostname does not match '%s'", conn->cc_tls_para.cn); |
1616 fd_log_debug(" - The certificate hostname does not match '%s'", conn->cc_tls_para.cn); | |
1617 } | |
1618 gnutls_x509_crt_deinit (cert); | 1610 gnutls_x509_crt_deinit (cert); |
1619 return GNUTLS_E_CERTIFICATE_ERROR; | 1611 return GNUTLS_E_CERTIFICATE_ERROR; |
1620 } | 1612 } |
1621 | 1613 |
1622 gnutls_x509_crt_deinit (cert); | 1614 gnutls_x509_crt_deinit (cert); |