diff options
Diffstat (limited to 'lib/server/SocketStreamTLS.cpp')
-rw-r--r-- | lib/server/SocketStreamTLS.cpp | 51 |
1 files changed, 41 insertions, 10 deletions
diff --git a/lib/server/SocketStreamTLS.cpp b/lib/server/SocketStreamTLS.cpp index e6299bfa..fc9652b7 100644 --- a/lib/server/SocketStreamTLS.cpp +++ b/lib/server/SocketStreamTLS.cpp @@ -10,8 +10,7 @@ #include "Box.h" #define TLS_CLASS_IMPLEMENTATION_CPP -#include <openssl/ssl.h> -#include <openssl/bio.h> + #include <errno.h> #include <fcntl.h> @@ -19,6 +18,10 @@ #include <poll.h> #endif +#include <openssl/bio.h> +#include <openssl/err.h> +#include <openssl/ssl.h> + #include "autogen_ConnectionException.h" #include "autogen_ServerException.h" #include "BoxTime.h" @@ -126,8 +129,8 @@ void SocketStreamTLS::Handshake(const TLSContext &rContext, bool IsServer) mpBIO = ::BIO_new(::BIO_s_socket()); if(mpBIO == 0) { - CryptoUtils::LogError("creating socket bio"); - THROW_EXCEPTION(ServerException, TLSAllocationFailed) + THROW_EXCEPTION_MESSAGE(ServerException, TLSAllocationFailed, + "Failed to create SSL BIO: " << CryptoUtils::LogError("creating socket bio")); } tOSSocketHandle socket = GetSocketHandle(); @@ -137,8 +140,8 @@ void SocketStreamTLS::Handshake(const TLSContext &rContext, bool IsServer) mpSSL = ::SSL_new(rContext.GetRawContext()); if(mpSSL == 0) { - CryptoUtils::LogError("creating SSL object"); - THROW_EXCEPTION(ServerException, TLSAllocationFailed) + THROW_EXCEPTION_MESSAGE(ServerException, TLSAllocationFailed, + "Failed to create SSL object: " << CryptoUtils::LogError("creating SSL object")); } // Make the socket non-blocking so timeouts on Read work @@ -203,15 +206,43 @@ void SocketStreamTLS::Handshake(const TLSContext &rContext, bool IsServer) default: // (and SSL_ERROR_ZERO_RETURN) // Error occured +#if HAVE_DECL_SSL_R_EE_KEY_TOO_SMALL + int err_reason = ERR_GET_REASON(ERR_peek_error()); + const char *file, *data; + int line, flags; + ERR_peek_error_line_data(&file, &line, &data, &flags); + long verify_result = SSL_get_verify_result(mpSSL); + + if(se == SSL_ERROR_SSL && verify_result == X509_V_ERR_CA_KEY_TOO_SMALL) + { + // Would be nice to use GetPeerCommonName() in these error messages, + // but since the certificate isn't trusted, that might be misleading, + // and it's not available to us anyway :( + + THROW_EXCEPTION_MESSAGE(ConnectionException, TLSPeerWeakCertificate, + (IsServer ? "Failed to accept connection from" : + "Failed to connect to") << " " << mPeerSocketDesc << + ": key too short for current security level"); + } + else if(se == SSL_ERROR_SSL && verify_result == X509_V_ERR_CA_MD_TOO_WEAK) + { + THROW_EXCEPTION_MESSAGE(ConnectionException, TLSPeerWeakCertificate, + (IsServer ? "Failed to accept connection from" : + "Failed to connect to") << " " << mPeerSocketDesc << + ": hash too weak for current security level"); + } + else +#endif // HAVE_DECL_SSL_R_EE_KEY_TOO_SMALL if(IsServer) { - CryptoUtils::LogError("accepting connection"); - THROW_EXCEPTION(ConnectionException, TLSHandshakeFailed) + THROW_EXCEPTION_MESSAGE(ConnectionException, TLSHandshakeFailed, + "Failed to accept connection: " << + CryptoUtils::LogError("accepting connection")); } else { - CryptoUtils::LogError("connecting"); - THROW_EXCEPTION(ConnectionException, TLSHandshakeFailed) + THROW_EXCEPTION_MESSAGE(ConnectionException, TLSHandshakeFailed, + "Failed to connect: " << CryptoUtils::LogError("connecting")); } } } |