summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJeremy Harris <jgh146exb@wizmail.org>2022-07-03 12:42:31 +0100
committerJeremy Harris <jgh146exb@wizmail.org>2022-07-03 20:31:33 +0100
commit6d05006594ffacbfde1c8c4e759332873a702087 (patch)
tree027e2d362022f58ffe6277e196773cade7611c61
parentcf5f5988102b229ef87bc85ba3f0a9ec265f28a6 (diff)
OpenSSL: add IP & DN to OCSP fail log line
-rw-r--r--src/src/tls-openssl.c22
1 files changed, 16 insertions, 6 deletions
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 2b8a4e61c..4c61fc0e6 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -2405,7 +2405,7 @@ BIO_puts(bp, "\n");
}
static int
-tls_client_stapling_cb(SSL *s, void *arg)
+tls_client_stapling_cb(SSL * ssl, void * arg)
{
exim_openssl_state_st * cbinfo = arg;
const unsigned char * p;
@@ -2415,10 +2415,10 @@ OCSP_BASICRESP * bs;
int i;
DEBUG(D_tls) debug_printf("Received TLS status callback (OCSP stapling):\n");
-len = SSL_get_tlsext_status_ocsp_resp(s, &p);
+len = SSL_get_tlsext_status_ocsp_resp(ssl, &p);
if(!p)
{ /* Expect this when we requested ocsp but got none */
- if (SSL_session_reused(s) && tls_out.ocsp == OCSP_VFIED)
+ if (SSL_session_reused(ssl) && tls_out.ocsp == OCSP_VFIED)
{
DEBUG(D_tls) debug_printf(" null, but resumed; ocsp vfy stored with session is good\n");
return 1;
@@ -2476,9 +2476,19 @@ if (!(bs = OCSP_response_get1_basic(rsp)))
if (ERR_peek_error())
{
tls_out.ocsp = OCSP_FAILED;
- if (LOGGING(tls_cipher)) log_write(0, LOG_MAIN,
- "Received TLS cert status response, itself unverifiable: %s",
- ERR_reason_error_string(ERR_peek_error()));
+ if (LOGGING(tls_cipher))
+ {
+ const uschar * errstr = CUS ERR_reason_error_string(ERR_peek_error());
+ static uschar peerdn[256];
+ X509_NAME_oneline(X509_get_subject_name(SSL_get_peer_certificate(ssl)),
+ CS peerdn, sizeof(peerdn));
+ log_write(0, LOG_MAIN,
+ "[%s] %s Received TLS cert (DN: '%.*s') status response, "
+ "itself unverifiable: %s",
+ sender_host_address, sender_host_name,
+ (int)sizeof(peerdn), peerdn,
+ errstr);
+ }
DEBUG(D_tls)
{
BIO_printf(bp, "OCSP response verify failure\n");