cbiedl
/
ngircd


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293
							From 36ba9c20f4962b207531238ea2a0935ee9122547 Mon Sep 17 00:00:00 2001
From: Alexander Barton <alex@barton.de>
Date: Tue, 2 Jan 2024 22:13:42 +0100
Subject: [PATCH 09/20] S2S-TLS/OpenSSL: Streamline logging

This includes simplifying cb_connserver_login_ssl() a bit, we do not
have to code for invalid state which was ruled out by an assert() and
therefore can get rid of the goto altogether (and don't log the same
error twice with different messages).

(cherry picked from commit 02bb99b0242ade8af78f957aa1657561374ef1d6)
---
 src/ngircd/conn-ssl.c | 15 +++++++++------
 src/ngircd/conn.c     | 25 +++++++++++--------------
 2 files changed, 20 insertions(+), 20 deletions(-)

--- a/src/ngircd/conn-ssl.c
+++ b/src/ngircd/conn-ssl.c
@@ -147,13 +147,13 @@
 	mem = BIO_new(BIO_s_mem());
 	if (!mem)
 		return;
-	X509_NAME_print_ex(mem, X509_get_subject_name(cert), 4,
+	X509_NAME_print_ex(mem, X509_get_subject_name(cert), 0,
 			   XN_FLAG_ONELINE);
-	X509_NAME_print_ex(mem, X509_get_issuer_name(cert), 4, XN_FLAG_ONELINE);
+	X509_NAME_print_ex(mem, X509_get_issuer_name(cert), 2, XN_FLAG_ONELINE);
 	if (BIO_write(mem, "", 1) == 1) {
 		len = BIO_get_mem_data(mem, &memptr);
 		if (memptr && len > 0)
-			Log(level, "%s: \"%s\"", msg, memptr);
+			Log(level, "%s: \"%s\".", msg, memptr);
 	}
 	(void)BIO_set_close(mem, BIO_CLOSE);
 	BIO_free(mem);
@@ -755,9 +755,12 @@
 				    "SSL error, client disconnected [in %s()]!",
 				    fname);
 				break;
-			case -1:	/* low level socket I/O error, check errno */
-				Log(LOG_ERR, "SSL error: %s [in %s()]!",
-				    strerror(real_errno), fname);
+			case -1:
+				/* Low level socket I/O error, check errno. But
+				 * we don't need to log this here, the generic
+				 * connection layer will take care of it. */
+				LogDebug("SSL error: %s [in %s()]!",
+					 strerror(real_errno), fname);
 			}
 		}
 		break;
--- a/src/ngircd/conn.c
+++ b/src/ngircd/conn.c
@@ -2534,28 +2534,25 @@
 
 	serveridx = Conf_GetServer(idx);
 	assert(serveridx >= 0);
-	if (serveridx < 0)
-		goto err;
-
-	Log( LOG_INFO, "SSL connection %d with \"%s:%d\" established.", idx,
-	    My_Connections[idx].host, Conf_Server[Conf_GetServer( idx )].port );
 
+	/* The SSL handshake is done, but validation results were ignored so
+	 * far, so let's see where we are: */
+	LogDebug("SSL handshake on socket %d done.", idx);
 	if (!Conn_OPTION_ISSET(&My_Connections[idx], CONN_SSL_PEERCERT_OK)) {
 		if (Conf_Server[serveridx].SSLVerify) {
 			Log(LOG_ERR,
-				"SSLVerify enabled for %d, but peer certificate check failed",
-				idx);
-			goto err;
+				"Peer certificate check failed for \"%s\" on connection %d!",
+				My_Connections[idx].host, idx);
+			Conn_Close(idx, "Valid certificate required",
+				   NULL, false);
+			return;
 		}
 		Log(LOG_WARNING,
-			"Peer certificate check failed for %d, but SSLVerify is disabled, continuing",
-			idx);
+			"Peer certificate check failed for \"%s\" on connection %d, but \"SSLVerify\" is disabled. Continuing ...",
+			My_Connections[idx].host, idx);
 	}
+	LogDebug("Server certificate accepted, continuing server login ...");
 	server_login(idx);
-	return;
-      err:
-	Log(LOG_ERR, "SSL connection on socket %d failed!", sock);
-	Conn_Close(idx, "Can't connect!", NULL, false);
 }