From 05ec39a1110786b8c891f399e275cd94deb04df7 Mon Sep 17 00:00:00 2001 From: Sean Bright Date: Wed, 19 Feb 2020 10:33:28 -0500 Subject: [PATCH] tcptls.c: Log more informative OpenSSL errors ASTERISK-28750 #close Reported by: Martin Zeh Change-Id: Ie092d5724505eeb5d3f0d9b15e9cd66324082e63 --- main/tcptls.c | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/main/tcptls.c b/main/tcptls.c index be07e2d484..ff1cfb52e9 100644 --- a/main/tcptls.c +++ b/main/tcptls.c @@ -106,6 +106,21 @@ static int check_tcptls_cert_name(ASN1_STRING *cert_str, const char *hostname, c return ret; } + +static void log_openssl_error_stack(void) +{ + FILE *fp; + char *buffer; + size_t length; + + fp = open_memstream(&buffer, &length); + if (fp) { + ERR_print_errors_fp(fp); + fclose(fp); + ast_log(LOG_ERROR, "%s\n", buffer); + ast_free(buffer); + } +} #endif /*! \brief @@ -345,10 +360,13 @@ static void __ssl_setup_certs(struct ast_tls_config *cfg, const size_t cert_file if (access(cert_file, F_OK) == 0) { if (SSL_CTX_use_certificate_chain_file(cfg->ssl_ctx, cert_file) == 0) { ast_log(LOG_WARNING, "TLS/SSL error loading public %s key (certificate) from <%s>.\n", key_type, cert_file); + log_openssl_error_stack(); } else if (SSL_CTX_use_PrivateKey_file(cfg->ssl_ctx, cert_file, SSL_FILETYPE_PEM) == 0) { ast_log(LOG_WARNING, "TLS/SSL error loading private %s key from <%s>.\n", key_type, cert_file); + log_openssl_error_stack(); } else if (SSL_CTX_check_private_key(cfg->ssl_ctx) == 0) { ast_log(LOG_WARNING, "TLS/SSL error matching private %s key and certificate in <%s>.\n", key_type, cert_file); + log_openssl_error_stack(); } } } @@ -451,6 +469,7 @@ static int __ssl_setup(struct ast_tls_config *cfg, int client) if (!client) { /* Clients don't need a certificate, but if its setup we can use it */ ast_log(LOG_ERROR, "TLS/SSL error loading cert file. <%s>\n", cfg->certfile); + log_openssl_error_stack(); cfg->enabled = 0; SSL_CTX_free(cfg->ssl_ctx); cfg->ssl_ctx = NULL; @@ -461,6 +480,7 @@ static int __ssl_setup(struct ast_tls_config *cfg, int client) if (!client) { /* Clients don't need a private key, but if its setup we can use it */ ast_log(LOG_ERROR, "TLS/SSL error loading private key file. <%s>\n", tmpprivate); + log_openssl_error_stack(); cfg->enabled = 0; SSL_CTX_free(cfg->ssl_ctx); cfg->ssl_ctx = NULL; @@ -483,6 +503,7 @@ static int __ssl_setup(struct ast_tls_config *cfg, int client) if (SSL_CTX_set_cipher_list(cfg->ssl_ctx, cfg->cipher) == 0 ) { if (!client) { ast_log(LOG_ERROR, "TLS/SSL cipher error <%s>\n", cfg->cipher); + log_openssl_error_stack(); cfg->enabled = 0; SSL_CTX_free(cfg->ssl_ctx); cfg->ssl_ctx = NULL; @@ -493,6 +514,7 @@ static int __ssl_setup(struct ast_tls_config *cfg, int client) if (!ast_strlen_zero(cfg->cafile) || !ast_strlen_zero(cfg->capath)) { if (SSL_CTX_load_verify_locations(cfg->ssl_ctx, S_OR(cfg->cafile, NULL), S_OR(cfg->capath,NULL)) == 0) { ast_log(LOG_ERROR, "TLS/SSL CA file(%s)/path(%s) error\n", cfg->cafile, cfg->capath); + log_openssl_error_stack(); } } -- 2.20.1