tls: improve cert handling and error logging for handshake.

* Adds betters checks to windows cert loading, extra debug logs. * Adds betters checks for TLS handshake error handling, extra debug logs. * General debug logs on conditionals for handshake and certificate loads, clarified the SNI setup. Signed-off-by: Jorge Niedbalski <[email protected]>
fluent · Oct 28, 2024 · 079a862 · 079a862
1 parent aadaf1c
commit 079a862
Showing 1 changed file with 75 additions and 45 deletions.
diff --git a/src/tls/openssl.c b/src/tls/openssl.c
@@ -235,24 +235,33 @@ static int tls_context_server_alpn_select_callback(SSL *ssl,
 
     return result;
 }
-
 #ifdef _MSC_VER
 static int windows_load_system_certificates(struct tls_context *ctx)
 {
     int ret;
     HANDLE win_store;
+    unsigned long err;
     PCCERT_CONTEXT win_cert = NULL;
     const unsigned char *win_cert_data;
     X509_STORE *ossl_store = SSL_CTX_get_cert_store(ctx->ctx);
     X509 *ossl_cert;
 
+    /* Check if OpenSSL certificate store is available */
+    if (!ossl_store) {
+        flb_error("[tls] failed to retrieve openssl certificate store.");
+        return -1;
+    }
+
+    /* Open the Windows system certificate store */
     win_store = CertOpenSystemStoreA(0, "Root");
     if (win_store == NULL) {
-        flb_error("[tls] Cannot open cert store: %i", GetLastError());
+        flb_error("[tls] cannot open windows certificate store: %lu", GetLastError());
         return -1;
     }
 
-    while (win_cert = CertEnumCertificatesInStore(win_store, win_cert)) {
+    /* Iterate over certificates in the store */
+    while ((win_cert = CertEnumCertificatesInStore(win_store, win_cert)) != NULL) {
+        /* Check if the certificate is encoded in ASN.1 DER format */
         if (win_cert->dwCertEncodingType & X509_ASN_ENCODING) {
             /*
              * Decode the certificate into X509 struct.
@@ -262,27 +271,45 @@ static int windows_load_system_certificates(struct tls_context *ctx)
              */
             win_cert_data = win_cert->pbCertEncoded;
             ossl_cert = d2i_X509(NULL, &win_cert_data, win_cert->cbCertEncoded);
+
             if (!ossl_cert) {
-                flb_debug("[tls] Cannot parse a certificate. skipping...");
+                flb_debug("[tls] cannot parse a certificate, error code: %lu, skipping...", ERR_get_error());
                 continue;
             }
 
             /* Add X509 struct to the openssl cert store */
             ret = X509_STORE_add_cert(ossl_store, ossl_cert);
             if (!ret) {
-                flb_warn("[tls] Failed to add a certificate to the store: %lu: %s",
-                         ERR_get_error(), ERR_error_string(ERR_get_error(), NULL));
+                err = ERR_get_error();
+                if (err == X509_R_CERT_ALREADY_IN_HASH_TABLE) {
+                    flb_debug("[tls] certificate already exists in the store, skipping.");
+                }
+                else {
+                    flb_warn("[tls] failed to add certificate to openssl store. error code: %lu - %s",
+                             err, ERR_error_string(err, NULL));
+                }
             }
             X509_free(ossl_cert);
         }
     }
 
+    /* Check for errors during enumeration */
+    if (GetLastError() != CRYPT_E_NOT_FOUND) {
+        flb_error("[tls] error occurred while enumerating certificates: %lu", GetLastError());
+        CertCloseStore(win_store, 0);
+        return -1;
+    }
+
+    /* Close the Windows system certificate store */
     if (!CertCloseStore(win_store, 0)) {
-        flb_error("[tls] Cannot close cert store: %i", GetLastError());
+        flb_error("[tls] cannot close windows certificate store: %lu", GetLastError());
         return -1;
     }
+
+    flb_debug("[tls] successfully loaded certificates from windows system store.");
     return 0;
 }
+
 #endif
 
 static int load_system_certificates(struct tls_context *ctx)
@@ -682,12 +709,14 @@ static int tls_net_handshake(struct flb_tls *tls,
     int ret = 0;
     long ssl_code = 0;
     char err_buf[256];
+    const char *x509_err;
     struct tls_session *session = ptr_session;
     struct tls_context *ctx;
 
     ctx = session->parent;
     pthread_mutex_lock(&ctx->mutex);
 
+    /* Set up SSL connection state if not continuing an existing handshake */
     if (!session->continuation_flag) {
         if (tls->mode == FLB_TLS_CLIENT_MODE) {
             SSL_set_connect_state(session->ssl);
@@ -696,11 +725,12 @@ static int tls_net_handshake(struct flb_tls *tls,
             SSL_set_accept_state(session->ssl);
         }
         else {
-            flb_error("[tls] error: invalid tls mode : %d", tls->mode);
+            flb_error("[tls] invalid tls mode: %d", tls->mode);
             pthread_mutex_unlock(&ctx->mutex);
             return -1;
         }
 
+        /* Set SNI (Server Name Indication) */
         if (vhost != NULL) {
             SSL_set_tlsext_host_name(session->ssl, vhost);
         }
@@ -724,62 +754,62 @@ static int tls_net_handshake(struct flb_tls *tls,
         }
     }
 
+    /* Clear any previous SSL errors */
     ERR_clear_error();
 
+    /* Perform SSL handshake */
     if (tls->mode == FLB_TLS_CLIENT_MODE) {
         ret = SSL_connect(session->ssl);
     }
     else if (tls->mode == FLB_TLS_SERVER_MODE) {
         ret = SSL_accept(session->ssl);
     }
 
-    if (ret != 1) {
-        ret = SSL_get_error(session->ssl, ret);
-        if (ret != SSL_ERROR_WANT_READ &&
-            ret != SSL_ERROR_WANT_WRITE) {
-            ret = SSL_get_error(session->ssl, ret);
-            // The SSL_ERROR_SYSCALL with errno value of 0 indicates unexpected
-            //  EOF from the peer. This is fixed in OpenSSL 3.0.
-            if (ret == 0) {
+    /* Exit early if the handshake was successful */
+    if (ret == 1) {
+        session->continuation_flag = FLB_FALSE;
+        pthread_mutex_unlock(&ctx->mutex);
+        flb_debug("[tls] connection and handshake ok");
+        return 0;
+    }
+
+    int ssl_err = SSL_get_error(session->ssl, ret);
+
+    /* Handle SSL handshake errors */
+    switch (ssl_err) {
+        case SSL_ERROR_WANT_READ:
+            pthread_mutex_unlock(&ctx->mutex);
+            session->continuation_flag = FLB_TRUE;
+            return FLB_TLS_WANT_READ;
+
+        case SSL_ERROR_WANT_WRITE:
+            pthread_mutex_unlock(&ctx->mutex);
+            session->continuation_flag = FLB_TRUE;
+            return FLB_TLS_WANT_WRITE;
+
+        case SSL_ERROR_SYSCALL:
+        case SSL_ERROR_SSL:
+        default:
+            /* Handle unexpected EOF and other errors */
+            if (ssl_err == 0) {
                 ssl_code = SSL_get_verify_result(session->ssl);
                 if (ssl_code != X509_V_OK) {
-                    flb_error("[tls] error: unexpected EOF with reason: %s",
-                              ERR_reason_error_string(ERR_get_error()));
+                    x509_err = X509_verify_cert_error_string(ssl_code);
+                    flb_error("[tls] certificate verification failed, reason: %s (X509 code: %ld)",
+                              x509_err, ssl_code);
                 }
                 else {
-                    flb_error("[tls] error: unexpected EOF");
+                    flb_error("[tls] unexpected EOF during handshake");
                 }
-            } else {
-                ERR_error_string_n(ret, err_buf, sizeof(err_buf)-1);
-                flb_error("[tls] error: %s", err_buf);
+            }
+            else {
+                ERR_error_string_n(ssl_err, err_buf, sizeof(err_buf) - 1);
+                flb_error("[tls] handshake error: %s", err_buf);
             }
 
             pthread_mutex_unlock(&ctx->mutex);
-
             return -1;
-        }
-
-        if (ret == SSL_ERROR_WANT_WRITE) {
-            pthread_mutex_unlock(&ctx->mutex);
-
-            session->continuation_flag = FLB_TRUE;
-
-            return FLB_TLS_WANT_WRITE;
-        }
-        else if (ret == SSL_ERROR_WANT_READ) {
-            pthread_mutex_unlock(&ctx->mutex);
-
-            session->continuation_flag = FLB_TRUE;
-
-            return FLB_TLS_WANT_READ;
-        }
     }
-
-    session->continuation_flag = FLB_FALSE;
-
-    pthread_mutex_unlock(&ctx->mutex);
-    flb_trace("[tls] connection and handshake OK");
-    return 0;
 }
 
 /* OpenSSL backend registration */