[Openvpn-devel,v3] Log SSL alerts more prominently

Message ID 20231121103930.15175-1-frank@lichtenheld.com
State Accepted
Series [Openvpn-devel,v3] Log SSL alerts more prominently

Commit Message

Frank Lichtenheld Nov. 21, 2023, 10:39 a.m. UTC
From: Arne Schwabe <arne@rfc2549.org>

When we receive an SSL alert from a server we currently only log a
very cryptic OpenSSL error message:

   OpenSSL: error:0A00042E:SSL routines::tlsv1 alert protocol version:SSL alert number 70

This also enables logging the much more readable SSL error message:

   Received fatal SSL alert: protocol version

which previously needed --verb 8 to be displayed (now verb 3). Also rework the
message to be more readable.

Change-Id: I6bdab3028c9bd679c31d4177a746a3ea505dcbbf
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
---

This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/448
This mail reflects revision 3 of this Change.
Acked-by according to Gerrit (reflected above):
Frank Lichtenheld <frank@lichtenheld.com>

Comments

Gert Doering Nov. 21, 2023, 9:26 p.m. UTC | #1
Better diagnostics is goood!

Your patch has been applied to the master and release/2.6 branch 
(very basic change, no code flow change, enhanced diagnostics good).

We might consider moving from dmsg() to msg() - this is neither 
very time consuming nor increasing binary size hugely.

commit a1cb1b47b138b9f654cd0bca5de6d08dbca61888 (master)
commit 94cd53c70e8e8fdd0beac79b17bdb1f912e03cb7 (release/2.6)
Author: Arne Schwabe
Date:   Tue Nov 21 11:39:30 2023 +0100

     Log SSL alerts more prominently

     Signed-off-by: Arne Schwabe <arne@rfc2549.org>
     Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
     Message-Id: <20231121103930.15175-1-frank@lichtenheld.com>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27523.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering

Patch

diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 23e7623..82872bf 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -196,8 +196,8 @@ 
     }
     else if (where & SSL_CB_ALERT)
     {
-        dmsg(D_HANDSHAKE_VERBOSE, "SSL alert (%s): %s: %s",
-             where & SSL_CB_READ ? "read" : "write",
+        dmsg(D_TLS_DEBUG_LOW, "%s %s SSL alert: %s",
+             where & SSL_CB_READ ? "Received" : "Sent",
              SSL_alert_type_string_long(ret),
              SSL_alert_desc_string_long(ret));
     }
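Review bot: the new `+` line still calls dmsg(), which is compiled out in builds without debug enabled, so the commit message's "now verb 3" only holds in debug builds; since SSL alerts are rare and operationally important (a wrong-version or certificate alert is often the only hint why a handshake failed), consider `msg(D_TLS_DEBUG_LOW, "%s %s SSL alert: %s", ...)` as the thread already suggests. The wording itself looks right: SSL_CB_READ is the alert we received, so "Received"/"Sent" maps correctly, and with SSL_alert_type_string_long() returning "warning" or "fatal" the format yields exactly the "Received fatal SSL alert: protocol version" line quoted in the commit message.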