tlshd: Report peer certificate verification failures

Parse the session's verification error bit mask and report the
individual errors to help admins debug certificate verification
problems.

Signed-off-by: Chuck Lever <[email protected]>

Author: chucklever

src/tlshd/handshake.c

@@ -103,7 +103,13 @@ void tlshd_client_handshake(gnutls_session_t session)
 		ret = gnutls_handshake(session);
 	} while (ret < 0 && !gnutls_error_is_fatal(ret));
 	if (ret < 0) {
-		tlshd_log_gnutls_error(ret);
+		switch (ret) {
+		case GNUTLS_E_CERTIFICATE_VERIFICATION_ERROR:
+			tlshd_log_cert_verification_error(session);
+			break;
+		default:
+			tlshd_log_gnutls_error(ret);
+		}
 		return;
 	}
 

src/tlshd/log.c

@@ -120,6 +120,50 @@ void tlshd_log_gai_error(int error)
 	syslog(LOG_NOTICE, "%s\n", gai_strerror(error));
 }
 
+struct tlshd_cert_status_bit {
+	unsigned int	bit;
+	char		*name;
+};
+
+static const struct tlshd_cert_status_bit tlshd_cert_status_names[] = {
+	/* { GNUTLS_CERT_INVALID, "invalid" }, */
+	{ GNUTLS_CERT_REVOKED, "revoked" },
+	{ GNUTLS_CERT_SIGNER_NOT_FOUND, "signer not found" },
+	{ GNUTLS_CERT_SIGNER_NOT_CA, "signer not CA" },
+	{ GNUTLS_CERT_INSECURE_ALGORITHM, "uses insecure algorithm" },
+	{ GNUTLS_CERT_NOT_ACTIVATED, "not activated" },
+	{ GNUTLS_CERT_EXPIRED, "expired" },
+	{ GNUTLS_CERT_SIGNATURE_FAILURE, "signature failure" },
+	{ GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED, "revocation data superseded" },
+	{ GNUTLS_CERT_UNEXPECTED_OWNER, "owner unexpected" },
+	{ GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE, "revocation data issued in the future" },
+	{ GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE, "signer constraints failure" },
+	{ GNUTLS_CERT_MISMATCH, "mismatch" },
+	{ GNUTLS_CERT_PURPOSE_MISMATCH, "purpose mismatch" },
+	{ GNUTLS_CERT_MISSING_OCSP_STATUS, "has missing OCSP status" },
+	{ GNUTLS_CERT_INVALID_OCSP_STATUS, "has invalid OCSP status" },
+	{ GNUTLS_CERT_UNKNOWN_CRIT_EXTENSIONS, "has unknown crit extensions" },
+	{ 0, NULL }
+};
+
+/**
+ * tlshd_log_cert_verification_error - Report a failed certificate verification
+ * @session: Session with a failed handshake
+ *
+ */
+void tlshd_log_cert_verification_error(gnutls_session_t session)
+{
+	unsigned int status;
+	int i;
+
+	status = gnutls_session_get_verify_cert_status(session);
+
+	for (i = 0; tlshd_cert_status_names[i].name; i++)
+		if (status & tlshd_cert_status_names[i].bit)
+			syslog(LOG_ERR, "Certificate %s.\n",
+			       tlshd_cert_status_names[i].name);
+}
+
 /**
  * tlshd_log_gnutls_error - Emit "library call failed" notification
  * @error: GnuTLS error code to log

src/tlshd/tlshd.h

@@ -52,8 +52,9 @@ void tlshd_log_debug(const char *fmt, ...);
 extern void tlshd_log_error(const char *msg);
 extern void tlshd_log_perror(const char *prefix);
 extern void tlshd_log_gai_error(int error);
-extern void tlshd_log_gnutls_error(int error);
 
+extern void tlshd_log_cert_verification_error(gnutls_session_t session);
+extern void tlshd_log_gnutls_error(int error);
 extern void tlshd_gnutls_log_func(int level, const char *msg);
 extern void tlshd_gnutls_audit_func(gnutls_session_t session, const char *msg);
 

src/tlshd/x509.c

@@ -84,15 +84,15 @@ static void tlshd_client_anon_x509_handshake(int sock, const char *peername)
 
 	gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
 
-	if (tlshd_verify_server)
-		gnutls_session_set_verify_cert(session, peername, 0);
-
 	ret = gnutls_set_default_priority(session);
 	if (ret != GNUTLS_E_SUCCESS) {
 		tlshd_log_gnutls_error(ret);
 		return;
 	}
 
+	if (tlshd_verify_server)
+		gnutls_session_set_verify_cert(session, peername, 0);
+
 	tlshd_client_handshake(session);
 
 	gnutls_deinit(session);