rpms / rsyslog

Clone
Source Code
GIT

Files

  1.   537b073c75c8b07c5de2f541dafa4c8a64a8e47a
  2.   SOURCES
  3.   rsyslog-8.2102.0-nsd_ossl-better-logs.patch
Blob Blame History Raw 
diff --git a/runtime/nsd_ossl.c b/runtime/nsd_ossl.c
index e55b014b2c..431ea738b8 100644
--- a/runtime/nsd_ossl.c
+++ b/runtime/nsd_ossl.c
@@ -210,7 +210,8 @@ void osslLastSSLErrorMsg(int ret, SSL *ssl, int severity, const char* pszCallSou
 
 	/* Loop through ERR_get_error */
 	while ((un_error = ERR_get_error()) > 0){
-		LogMsg(0, RS_RET_NO_ERRCODE, severity, "OpenSSL Error Stack: %s", ERR_error_string(un_error, NULL) );
+		LogMsg(0, RS_RET_NO_ERRCODE, severity,
+			"nsd_ossl:OpenSSL Error Stack: %s", ERR_error_string(un_error, NULL) );
 	}
 }
 
@@ -721,9 +722,10 @@ osslChkPeerFingerprint(nsd_ossl_t *pThis, X509 *pCert)
 		if(pThis->bReportAuthErr == 1) {
 			errno = 0;
 			LogError(0, RS_RET_INVALID_FINGERPRINT,
-			"nsd_ossl:error:"
-			" peer fingerprint '%s' unknown - we are "
-			"not permitted to talk to it", cstrGetSzStrNoNULL(pstrFingerprint));
+				"nsd_ossl:error: peer fingerprint '%s' unknown - we are "
+				"not permitted to talk to it", cstrGetSzStrNoNULL(pstrFingerprint));
+			LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO,
+				"nsd_ossl:TLS session terminated with remote syslog server.");
 			pThis->bReportAuthErr = 0;
 		}
 		ABORT_FINALIZE(RS_RET_INVALID_FINGERPRINT);
@@ -834,8 +836,10 @@ osslChkPeerName(nsd_ossl_t *pThis, X509 *pCert)
 			cstrFinalize(pStr);
 			errno = 0;
 			LogError(0, RS_RET_INVALID_FINGERPRINT, "nsd_ossl:error: peer name not authorized -  "
-					"not permitted to talk to it. Names: %s",
-					cstrGetSzStrNoNULL(pStr));
+				"not permitted to talk to it. Names: %s",
+				cstrGetSzStrNoNULL(pStr));
+			LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO,
+				"nsd_ossl:TLS session terminated with remote syslog server.");
 			pThis->bReportAuthErr = 0;
 		}
 		ABORT_FINALIZE(RS_RET_INVALID_FINGERPRINT);
@@ -871,8 +875,10 @@ osslChkPeerID(nsd_ossl_t *pThis)
 		if(pThis->bReportAuthErr == 1) {
 			errno = 0;
 			LogError(0, RS_RET_TLS_NO_CERT, "nsd_ossl:error: peer did not provide a certificate, "
-					"not permitted to talk to it");
+				"not permitted to talk to it");
 			pThis->bReportAuthErr = 0;
+			LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO,
+				"nsd_ossl:TLS session terminated with remote syslog server.");
 		}
 		ABORT_FINALIZE(RS_RET_TLS_NO_CERT);
 	}
@@ -905,15 +911,19 @@ osslChkPeerCertValidity(nsd_ossl_t *pThis)
 		if (iVerErr == X509_V_ERR_CERT_HAS_EXPIRED) {
 			if (pThis->permitExpiredCerts == OSSL_EXPIRED_DENY) {
 				LogError(0, RS_RET_CERT_EXPIRED,
-					"nsd_ossl:CertValidity check"
-"- not permitted to talk to peer: certificate expired: %s",
+					"nsd_ossl:CertValidity check - not permitted to talk to peer: "
+					"certificate expired: %s",
 					X509_verify_cert_error_string(iVerErr));
+				LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO,
+					"nsd_ossl:TLS session terminated with remote syslog server.");
 				ABORT_FINALIZE(RS_RET_CERT_EXPIRED);
 			} else if (pThis->permitExpiredCerts == OSSL_EXPIRED_WARN) {
 				LogMsg(0, RS_RET_NO_ERRCODE, LOG_WARNING,
-					"nsd_ossl:CertValidity check"
-"- warning talking to peer: certificate expired: %s",
+					"nsd_ossl:CertValidity check - warning talking to peer: "
+					"certificate expired: %s",
 					X509_verify_cert_error_string(iVerErr));
+				LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO,
+					"nsd_ossl:TLS session terminated with remote syslog server.");
 			} else {
 				dbgprintf("osslChkPeerCertValidity: talking to peer: certificate expired: %s\n",
 					X509_verify_cert_error_string(iVerErr));
@@ -921,6 +931,8 @@ osslChkPeerCertValidity(nsd_ossl_t *pThis)
 		} else {
 			LogError(0, RS_RET_CERT_INVALID, "nsd_ossl:not permitted to talk to peer: "
 				"certificate validation failed: %s", X509_verify_cert_error_string(iVerErr));
+			LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO,
+				"nsd_ossl:TLS session terminated with remote syslog server.");
 			ABORT_FINALIZE(RS_RET_CERT_INVALID);
 		}
 	} else {
@@ -1384,7 +1396,7 @@ osslPostHandshakeCheck(nsd_ossl_t *pNsd)
 	#if OPENSSL_VERSION_NUMBER >= 0x10002000L
 	if(SSL_get_shared_curve(pNsd->ssl, -1) == 0) {
 		LogError(0, RS_RET_NO_ERRCODE, "nsd_ossl:"
-"No shared curve between syslog client and server.");
+		"No shared curve between syslog client and server.");
 	}
 	#endif
 	sslCipher = (const SSL_CIPHER*) SSL_get_current_cipher(pNsd->ssl);
@@ -1446,8 +1458,6 @@ osslHandshakeCheck(nsd_ossl_t *pNsd)
 				resErr == SSL_ERROR_WANT_WRITE) {
 				pNsd->rtryCall = osslRtry_handshake;
 				pNsd->rtryOsslErr = resErr; /* Store SSL ErrorCode into*/
-				LogError(0, RS_RET_NO_ERRCODE, "nsd_ossl:"
-"TLS handshake failed between syslog client and server.");
 				dbgprintf("osslHandshakeCheck: OpenSSL Client handshake does not complete "
 					"immediately - setting to retry (this is OK and normal)\n");
 				FINALIZE;
@@ -1458,6 +1468,8 @@ osslHandshakeCheck(nsd_ossl_t *pNsd)
 				ABORT_FINALIZE(RS_RET_NO_ERRCODE /*RS_RET_RETRY*/);
 			} else {
 				osslLastSSLErrorMsg(res, pNsd->ssl, LOG_ERR, "osslHandshakeCheck Client");
+				LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO,
+					"nsd_ossl:TLS session terminated with remote syslog server.");
 				ABORT_FINALIZE(RS_RET_NO_ERRCODE);
 			}
 		}
@@ -1738,8 +1750,8 @@ Connect(nsd_t *pNsd, int family, uchar *port, uchar *host, char *device)
 	conn = BIO_new_socket(pPtcp->sock, BIO_CLOSE /*BIO_NOCLOSE*/);
 	dbgprintf("Connect: Init conn BIO[%p] done\n", (void *)conn);
 
-	LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO, "nsd_ossl:"
-"TLS Connection initiated with remote syslog server.");
+	LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO, "nsd_ossl: "
+		"TLS Connection initiated with remote syslog server.");
 	/*if we reach this point we are in tls mode */
 	DBGPRINTF("Connect: TLS Mode\n");
 	if(!(pThis->ssl = SSL_new(ctx))) {

Powered by Pagure 5.13.3

SSH Hostkey/Fingerprint | Documentation