[PATCH ustream-ssl] ustream-openssl: wolfSSL: provide detailed information in debug builds

Petr Štetiar ynezz at true.cz
Wed Feb 23 00:57:55 PST 2022 

Show detailed information about the session/peer in debug builds:

 $ wget https://letsencrypt.org

 Alternate cert chain used
  issuer : /C=US/O=Let's Encrypt/CN=R3
  subject: /CN=lencr.org
  altname = lencr.org
  altname = letsencrypt.com
  altname = letsencrypt.org
  altname = www.lencr.org
  altname = www.letsencrypt.com
  altname = www.letsencrypt.org
  serial number:03:4e:29:5a:d6:74:ae:fd:51:cd:0d:61:11:f9:e3:e3:bd:88
 Certificate:

  ...snip...

 our cert info: No Cert
 Peer verify result = 39
 SSL version is TLSv1.3
 SSL cipher suite is TLS_AES_256_GCM_SHA384
 SSL curve name is SECP256R1
 Alternate cert chain used

As it makes debugging issues like #9283 easier.

Signed-off-by: Petr Štetiar <ynezz at true.cz>
---
 CMakeLists.txt    | 2 ++
 ustream-openssl.c | 8 ++++++++
 2 files changed, 10 insertions(+)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index f53e726aa866..2de65905a40d 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -42,6 +42,8 @@ TARGET_LINK_LIBRARIES(ustream-example-server ustream-ssl)
 ADD_EXECUTABLE(ustream-example-client ustream-example-client.c)
 TARGET_LINK_LIBRARIES(ustream-example-client ustream-ssl)
 
+TARGET_COMPILE_DEFINITIONS(ustream-ssl PRIVATE $<$<CONFIG:Debug>:DEBUG>)
+
 INSTALL(FILES ustream-ssl.h
 	DESTINATION include/libubox
 )
diff --git a/ustream-openssl.c b/ustream-openssl.c
index 894dddb5afb1..6dae4aedb752 100644
--- a/ustream-openssl.c
+++ b/ustream-openssl.c
@@ -25,6 +25,10 @@
 #include <openssl/x509v3.h>
 #endif
 
+#if defined(HAVE_WOLFSSL) && defined(DEBUG)
+#include <wolfssl/test.h>
+#endif
+
 /* Ciphersuite preference:
  * - for server, no weak ciphers are used if you use an ECDSA key.
  * - forward-secret (pfs), authenticated (AEAD) ciphers are at the top:
@@ -268,6 +272,10 @@ static void ustream_ssl_verify_cert(struct ustream_ssl *us)
 	X509 *cert;
 	int res;
 
+#if defined(HAVE_WOLFSSL) && defined(DEBUG)
+	showPeer(ssl);
+#endif
+
 	res = SSL_get_verify_result(ssl);
 	if (res != X509_V_OK) {
 		if (us->notify_verify_error)

More information about the openwrt-devel mailing list