Skip to content

Commit

Permalink
tls: include X509 error string when verify result is not x509_V_OK.
Browse files Browse the repository at this point in the history 
Add the X509_verify_cert_error_string to the log message
when SSL verification result != X509_V_OK.

Signed-off-by: Jorge Niedbalski <[email protected]>
  • Loading branch information
Jorge Niedbalski committed Oct 28, 2024
1 parent aadaf1c commit 0a76e1a
Showing 1 changed file with 37 additions and 8 deletions.
45 changes: 37 additions & 8 deletions src/tls/openssl.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -241,18 +241,28 @@ static int windows_load_system_certificates(struct tls_context *ctx)
{
int ret;
HANDLE win_store;
unsigned long err;
PCCERT_CONTEXT win_cert = NULL;
const unsigned char *win_cert_data;
X509_STORE *ossl_store = SSL_CTX_get_cert_store(ctx->ctx);
X509 *ossl_cert;

/* Check if OpenSSL certificate store is available */
if (!ossl_store) {
flb_error("[tls] failed to retrieve openssl certificate store.");
return -1;
}

/* Open the Windows system certificate store */
win_store = CertOpenSystemStoreA(0, "Root");
if (win_store == NULL) {
flb_error("[tls] Cannot open cert store: %i", GetLastError());
flb_error("[tls] cannot open windows certificate store: %lu", GetLastError());
return -1;
}

while (win_cert = CertEnumCertificatesInStore(win_store, win_cert)) {
/* Iterate over certificates in the store */
while ((win_cert = CertEnumCertificatesInStore(win_store, win_cert)) != NULL) {
/* Check if the certificate is encoded in ASN.1 DER format */
if (win_cert->dwCertEncodingType & X509_ASN_ENCODING) {
/*
* Decode the certificate into X509 struct.
Expand All @@ -262,25 +272,42 @@ static int windows_load_system_certificates(struct tls_context *ctx)
*/
win_cert_data = win_cert->pbCertEncoded;
ossl_cert = d2i_X509(NULL, &win_cert_data, win_cert->cbCertEncoded);

if (!ossl_cert) {
flb_debug("[tls] Cannot parse a certificate. skipping...");
flb_debug("[tls] cannot parse a certificate, error code: %lu, skipping...", ERR_get_error());
continue;
}

/* Add X509 struct to the openssl cert store */
ret = X509_STORE_add_cert(ossl_store, ossl_cert);
if (!ret) {
flb_warn("[tls] Failed to add a certificate to the store: %lu: %s",
ERR_get_error(), ERR_error_string(ERR_get_error(), NULL));
err = ERR_get_error();
if (err == X509_R_CERT_ALREADY_IN_HASH_TABLE) {
flb_debug("[tls] certificate already exists in the store, skipping.");
}
else {
flb_warn("[tls] failed to add certificate to openssl store. error code: %lu - %s",
err, ERR_error_string(err, NULL));
}
}
X509_free(ossl_cert);
}
}

/* Check for errors during enumeration */
if (GetLastError() != CRYPT_E_NOT_FOUND) {
flb_error("[tls] error occurred while enumerating certificates: %lu", GetLastError());
CertCloseStore(win_store, 0);
return -1;
}

/* Close the Windows system certificate store */
if (!CertCloseStore(win_store, 0)) {
flb_error("[tls] Cannot close cert store: %i", GetLastError());
flb_error("[tls] cannot close windows certificate store: %lu", GetLastError());
return -1;
}

flb_debug("[tls] successfully loaded certificates from windows system store.");
return 0;
}
#endif
Expand Down Expand Up @@ -684,6 +711,7 @@ static int tls_net_handshake(struct flb_tls *tls,
char err_buf[256];
struct tls_session *session = ptr_session;
struct tls_context *ctx;
const char *x509_err;

ctx = session->parent;
pthread_mutex_lock(&ctx->mutex);
Expand Down Expand Up @@ -743,8 +771,9 @@ static int tls_net_handshake(struct flb_tls *tls,
if (ret == 0) {
ssl_code = SSL_get_verify_result(session->ssl);
if (ssl_code != X509_V_OK) {
flb_error("[tls] error: unexpected EOF with reason: %s",
ERR_reason_error_string(ERR_get_error()));
/* Refer to: https://x509errors.org/ */
x509_err = X509_verify_cert_error_string(ssl_code);
flb_error("[tls] certificate verification failed, reason: %s (X509 code: %ld)", x509_err, ssl_code);
}
else {
flb_error("[tls] error: unexpected EOF");
Expand Down

0 comments on commit 0a76e1a

Please sign in to comment.