[PATCH ustream-ssl] ustream-openssl: wolfSSL: provide detailed information in debug builds
Petr Štetiar
ynezz at true.cz
Wed Feb 23 00:57:55 PST 2022
Show detailed information about the session/peer in debug builds:
$ wget https://letsencrypt.org
Alternate cert chain used
issuer : /C=US/O=Let's Encrypt/CN=R3
subject: /CN=lencr.org
altname = lencr.org
altname = letsencrypt.com
altname = letsencrypt.org
altname = www.lencr.org
altname = www.letsencrypt.com
altname = www.letsencrypt.org
serial number:03:4e:29:5a:d6:74:ae:fd:51:cd:0d:61:11:f9:e3:e3:bd:88
Certificate:
...snip...
our cert info: No Cert
Peer verify result = 39
SSL version is TLSv1.3
SSL cipher suite is TLS_AES_256_GCM_SHA384
SSL curve name is SECP256R1
Alternate cert chain used
As it makes debugging issues like #9283 easier.
Signed-off-by: Petr Štetiar <ynezz at true.cz>
---
CMakeLists.txt | 2 ++
ustream-openssl.c | 8 ++++++++
2 files changed, 10 insertions(+)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index f53e726aa866..2de65905a40d 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -42,6 +42,8 @@ TARGET_LINK_LIBRARIES(ustream-example-server ustream-ssl)
ADD_EXECUTABLE(ustream-example-client ustream-example-client.c)
TARGET_LINK_LIBRARIES(ustream-example-client ustream-ssl)
+TARGET_COMPILE_DEFINITIONS(ustream-ssl PRIVATE $<$<CONFIG:Debug>:DEBUG>)
+
INSTALL(FILES ustream-ssl.h
DESTINATION include/libubox
)
diff --git a/ustream-openssl.c b/ustream-openssl.c
index 894dddb5afb1..6dae4aedb752 100644
--- a/ustream-openssl.c
+++ b/ustream-openssl.c
@@ -25,6 +25,10 @@
#include <openssl/x509v3.h>
#endif
+#if defined(HAVE_WOLFSSL) && defined(DEBUG)
+#include <wolfssl/test.h>
+#endif
+
/* Ciphersuite preference:
* - for server, no weak ciphers are used if you use an ECDSA key.
* - forward-secret (pfs), authenticated (AEAD) ciphers are at the top:
@@ -268,6 +272,10 @@ static void ustream_ssl_verify_cert(struct ustream_ssl *us)
X509 *cert;
int res;
+#if defined(HAVE_WOLFSSL) && defined(DEBUG)
+ showPeer(ssl);
+#endif
+
res = SSL_get_verify_result(ssl);
if (res != X509_V_OK) {
if (us->notify_verify_error)
More information about the openwrt-devel
mailing list