haproxy

History

Remi Tricot-Le Breton 74f6ab6e87 MEDIUM: ssl: Keep a reference to the client's certificate for use in logs Most of the SSL sample fetches related to the client certificate were based on the SSL_get_peer_certificate function which returns NULL when the verification process failed. This made it impossible to use those fetches in a log format since they would always be empty. The patch adds a reference to the X509 object representing the client certificate in the SSL structure and makes use of this reference in the fetches. The reference can only be obtained in ssl_sock_bind_verifycbk which means that in case of an SSL error occurring before the verification process ("no shared cipher" for instance, which happens while processing the Client Hello), we won't ever start the verification process and it will be impossible to get information about the client certificate. This patch also allows most of the ssl_c_XXX fetches to return a usable value in case of connection failure (because of a verification error for instance) by making the "conn->flags & CO_FL_WAIT_XPRT" test (which requires a connection to be established) less strict. Thanks to this patch, a log-format such as the following should return usable information in case of an error occurring during the verification process : log-format "DN=%{+Q}[ssl_c_s_dn] serial=%[ssl_c_serial,hex] \ hash=%[ssl_c_sha1,hex]" It should answer to GitHub issue #693.	2021-08-19 23:26:05 +02:00
..
haproxy	MEDIUM: ssl: Keep a reference to the client's certificate for use in logs	2021-08-19 23:26:05 +02:00
import	CLEANUP: assorted typo fixes in the code and comments	2021-08-16 12:37:59 +02:00

Remi Tricot-Le Breton 74f6ab6e87 MEDIUM: ssl: Keep a reference to the client's certificate for use in logs

Most of the SSL sample fetches related to the client certificate were
based on the SSL_get_peer_certificate function which returns NULL when
the verification process failed. This made it impossible to use those
fetches in a log format since they would always be empty.

The patch adds a reference to the X509 object representing the client
certificate in the SSL structure and makes use of this reference in the
fetches.

The reference can only be obtained in ssl_sock_bind_verifycbk which
means that in case of an SSL error occurring before the verification
process ("no shared cipher" for instance, which happens while processing
the Client Hello), we won't ever start the verification process and it
will be impossible to get information about the client certificate.

This patch also allows most of the ssl_c_XXX fetches to return a usable
value in case of connection failure (because of a verification error for
instance) by making the "conn->flags & CO_FL_WAIT_XPRT" test (which
requires a connection to be established) less strict.

Thanks to this patch, a log-format such as the following should return
usable information in case of an error occurring during the verification
process :
    log-format "DN=%{+Q}[ssl_c_s_dn] serial=%[ssl_c_serial,hex] \
                hash=%[ssl_c_sha1,hex]"

It should answer to GitHub issue #693.

2021-08-19 23:26:05 +02:00

haproxy

MEDIUM: ssl: Keep a reference to the client's certificate for use in logs

2021-08-19 23:26:05 +02:00

import

CLEANUP: assorted typo fixes in the code and comments

2021-08-16 12:37:59 +02:00