
More detailed error logging for SSL

John C. Frickson il y a 9 ans
Parent
commit
18288d1141
3 fichiers modifiés avec 36 ajouts et 8 suppressions
  1. 1 0
      Changelog
  2. 21 4
      src/check_nrpe.c
  3. 14 4
      src/nrpe.c

+ 1 - 0
Changelog

@@ -13,6 +13,7 @@ FIXES
 - Can't build on Debian Stretch, openssl 1.1.0c (John Frickson)
 - Fix build failure with -Werror=format-security (Bas Couwenberg)
 - Fixed a typo in `nrpe.spec.in` (John Frickson)
+- More detailed error logging for SSL (John Frickson)
 
 
 3.1.0 - 2017-04-17

+ 21 - 4
src/check_nrpe.c

@@ -743,7 +743,7 @@ void usage(int result)
 void setup_ssl()
 {
 #ifdef HAVE_SSL
-	int vrfy;
+	int vrfy, x;
 
 	if (sslprm.log_opts & SSL_LogStartup) {
 		char *val;
@@ -899,14 +899,23 @@ void setup_ssl()
 
 		if (sslprm.cert_file != NULL && sslprm.privatekey_file != NULL) {
 			if (!SSL_CTX_use_certificate_file(ctx, sslprm.cert_file, SSL_FILETYPE_PEM)) {
-				SSL_CTX_free(ctx);
 				printf("Error: could not use certificate file '%s'.\n", sslprm.cert_file);
+				while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
+					printf("Error: could not use certificate file '%s': %s\n",
+						   sslprm.cert_file, ERR_reason_error_string(x));
+				}
+				SSL_CTX_free(ctx);
 				exit(STATE_CRITICAL);
 			}
 			if (!SSL_CTX_use_PrivateKey_file(ctx, sslprm.privatekey_file, SSL_FILETYPE_PEM)) {
 				SSL_CTX_free(ctx);
 				printf("Error: could not use private key file '%s'.\n",
 					   sslprm.privatekey_file);
+				while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
+					printf("Error: could not use private key file '%s': %s\n",
+						   sslprm.privatekey_file, ERR_reason_error_string(x));
+				}
+				SSL_CTX_free(ctx);
 				exit(STATE_CRITICAL);
 			}
 		}
@@ -915,8 +924,12 @@ void setup_ssl()
 			vrfy = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
 			SSL_CTX_set_verify(ctx, vrfy, verify_callback);
 			if (!SSL_CTX_load_verify_locations(ctx, sslprm.cacert_file, NULL)) {
-				SSL_CTX_free(ctx);
 				printf("Error: could not use CA certificate '%s'.\n", sslprm.cacert_file);
+				while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
+					printf("Error: could not use CA certificate '%s': %s\n",
+						   sslprm.privatekey_file, ERR_reason_error_string(x));
+				}
+				SSL_CTX_free(ctx);
 				exit(STATE_CRITICAL);
 			}
 		}
@@ -934,8 +947,12 @@ void setup_ssl()
 		}
 
 		if (SSL_CTX_set_cipher_list(ctx, sslprm.cipher_list) == 0) {
-			SSL_CTX_free(ctx);
 			printf("Error: Could not set SSL/TLS cipher list: %s\n", sslprm.cipher_list);
+			while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
+				printf("Could not set SSL/TLS cipher list '%s': %s\n",
+					   sslprm.cipher_list, ERR_reason_error_string(x));
+			}
+			SSL_CTX_free(ctx);
 			exit(STATE_CRITICAL);
 		}
 	}
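Review bot: The private-key failure branch of setup_ssl now frees ctx twice — the pre-existing `SSL_CTX_free(ctx);` directly under the `SSL_CTX_use_PrivateKey_file` check is kept as context, and the commit adds a second `SSL_CTX_free(ctx);` just before `exit(STATE_CRITICAL);`; remove the first so this path looks like the certificate and CA branches, otherwise the plugin can abort on a double free rather than exiting CRITICAL. In the CA-certificate loop the detail line prints `sslprm.privatekey_file` while the summary line above it prints `sslprm.cacert_file`; it should read `sslprm.cacert_file, ERR_reason_error_string(x));`, not least because privatekey_file is not checked for NULL in that branch. ERR_reason_error_string() also returns NULL for a code without a registered reason string, and passing NULL to `%s` is undefined, so each loop should fall back to a fixed string, e.g. `const char *reason = ERR_reason_error_string(x); printf("...: %s\n", path, reason ? reason : "unknown error");`. setup_ssl starts before and continues past these hunks.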

+ 14 - 4
src/nrpe.c

@@ -242,6 +242,7 @@ void init_ssl(void)
 #ifdef HAVE_SSL
 	DH            *dh;
 	char          seedfile[FILENAME_MAX];
+	char          errstr[120] = { "" };
 	int           i, c, x, vrfy;
 	unsigned long ssl_opts = SSL_OP_ALL | SSL_OP_SINGLE_DH_USE;
 
@@ -313,7 +314,10 @@ void init_ssl(void)
 
 	ctx = SSL_CTX_new(meth);
 	if (ctx == NULL) {
-		logit(LOG_ERR, "Error: could not create SSL context");
+		while ((x = ERR_get_error()) != 0) {
+			ERR_error_string(x, errstr);
+			logit(LOG_ERR, "Error: could not create SSL context : %s", errstr);
+		}
 		SSL_CTX_free(ctx);
 		exit(STATE_CRITICAL);
 	}
@@ -377,7 +381,6 @@ void init_ssl(void)
 	SSL_CTX_set_options(ctx, ssl_opts);
 
 	if (sslprm.cert_file != NULL) {
-		char	errstr[120] = { "" };
 		if (!SSL_CTX_use_certificate_file(ctx, sslprm.cert_file, SSL_FILETYPE_PEM)) {
 			SSL_CTX_free(ctx);
 			while ((x = ERR_get_error()) != 0) {
@@ -388,9 +391,12 @@ void init_ssl(void)
 			exit(STATE_CRITICAL);
 		}
 		if (!SSL_CTX_use_PrivateKey_file(ctx, sslprm.privatekey_file, SSL_FILETYPE_PEM)) {
+			while ((x = ERR_get_error()) != 0) {
+				ERR_error_string(x, errstr);
+				logit(LOG_ERR, "Error: could not use private key file '%s' : %s",
+					 sslprm.privatekey_file, errstr);
+			}
 			SSL_CTX_free(ctx);
-			logit(LOG_ERR, "Error: could not use private key file '%s'",
-				   sslprm.privatekey_file);
 			exit(STATE_CRITICAL);
 		}
 	}
@@ -401,6 +407,10 @@ void init_ssl(void)
 			vrfy |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
 		SSL_CTX_set_verify(ctx, vrfy, verify_callback);
 		if (!SSL_CTX_load_verify_locations(ctx, sslprm.cacert_file, NULL)) {
+			while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
+				logit(LOG_ERR, "Error: could not use certificate file '%s': %s\n",
+					   sslprm.cacert_file, ERR_reason_error_string(x));
+			}
 			SSL_CTX_free(ctx);
 			logit(LOG_ERR, "Error: could not use CA certificate '%s'", sslprm.cacert_file);
 			exit(STATE_CRITICAL);
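Review bot: `errstr` is declared as 120 bytes at the top of init_ssl, but every `ERR_error_string(x, errstr)` call in this section lets OpenSSL choose the write length — current OpenSSL manuals document the buffer as needing at least 256 bytes (the 120-byte figure comes from older releases), so a long library/function/reason string could overrun the stack; use the bounded form `ERR_error_string_n(x, errstr, sizeof errstr);` and consider sizing the buffer to 256. The SSL_CTX_new failure path now logs only while the error queue is non-empty, so an empty queue exits STATE_CRITICAL with no log line at all; keep an unconditional `logit(LOG_ERR, "Error: could not create SSL context");` before the loop, as the other branches keep their summary line. The CA-certificate loop reports "could not use certificate file" and ends its format with `\n`, unlike every other logit call here, and it uses the ERR_get_error_line_data/ERR_reason_error_string pair where the rest of the file uses ERR_get_error/ERR_error_string; change it to `logit(LOG_ERR, "Error: could not use CA certificate '%s': %s", sslprm.cacert_file, errstr);` after filling errstr the same way as the key branch, with a NULL guard if ERR_reason_error_string() is retained. init_ssl starts before and continues past these hunks.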