From 16b3eae8623916fa7bc2cd9cad292bbad8d6a116 Mon Sep 17 00:00:00 2001 From: madmaxoft Date: Mon, 28 Apr 2014 21:16:32 +0200 Subject: [PATCH] Added a debug cert printing function. --- src/PolarSSL++/SslContext.cpp | 62 +++++++++++++++++++++++++++++++++++ src/PolarSSL++/SslContext.h | 3 ++ 2 files changed, 65 insertions(+) diff --git a/src/PolarSSL++/SslContext.cpp b/src/PolarSSL++/SslContext.cpp index e7fa11c75..1994cf844 100644 --- a/src/PolarSSL++/SslContext.cpp +++ b/src/PolarSSL++/SslContext.cpp @@ -64,7 +64,12 @@ int cSslContext::Initialize(bool a_IsClient, const SharedPtr & ssl_set_bio(&m_Ssl, ReceiveEncrypted, this, SendEncrypted, this); #ifdef _DEBUG + /* + // These functions allow us to debug SSL and certificate problems, but produce way too much output, + // so they're disabled until someone needs them ssl_set_dbg(&m_Ssl, &SSLDebugMessage, this); + ssl_set_verify(&m_Ssl, &SSLVerifyCert, this); + */ #endif m_IsValid = true; @@ -174,6 +179,63 @@ int cSslContext::NotifyClose(void) LOGD("SSL (%d): %s", a_Level, Text.c_str()); } + + + + + + int cSslContext::SSLVerifyCert(void * a_This, x509_crt * a_Crt, int a_Depth, int * a_Flags) + { + char buf[1024]; + UNUSED(a_This); + + LOG("Verify requested for (Depth %d):", a_Depth); + x509_crt_info(buf, sizeof(buf) - 1, "", a_Crt); + LOG("%s", buf); + + int Flags = *a_Flags; + if ((Flags & BADCERT_EXPIRED) != 0) + { + LOG(" ! server certificate has expired"); + } + + if ((Flags & BADCERT_REVOKED) != 0) + { + LOG(" ! server certificate has been revoked"); + } + + if ((Flags & BADCERT_CN_MISMATCH) != 0) + { + LOG(" ! CN mismatch"); + } + + if ((Flags & BADCERT_NOT_TRUSTED) != 0) + { + LOG(" ! self-signed or not signed by a trusted CA"); + } + + if ((Flags & BADCRL_NOT_TRUSTED) != 0) + { + LOG(" ! CRL not trusted"); + } + + if ((Flags & BADCRL_EXPIRED) != 0) + { + LOG(" ! CRL expired"); + } + + if ((Flags & BADCERT_OTHER) != 0) + { + LOG(" ! other (unknown) flag"); + } + + if (Flags == 0) + { + LOG(" This certificate has no flags"); + } + + return 0; + } #endif // _DEBUG diff --git a/src/PolarSSL++/SslContext.h b/src/PolarSSL++/SslContext.h index 6effdcaea..85add5f8b 100644 --- a/src/PolarSSL++/SslContext.h +++ b/src/PolarSSL++/SslContext.h @@ -120,6 +120,9 @@ protected: #ifdef _DEBUG /** The callback used by PolarSSL to output debug messages */ static void SSLDebugMessage(void * a_UserParam, int a_Level, const char * a_Text); + + /** The callback used by PolarSSL to log information on the cert chain */ + static int SSLVerifyCert(void * a_This, x509_crt * a_Crt, int a_Depth, int * a_Flags); #endif // _DEBUG /** Called when PolarSSL wants to read encrypted data. */