Log IP address that caused failed TLS handshake
teusbenschop committed Mar 9, 2024
1 parent b70e2f0 commit 503c648
Showing 3 changed files with 33 additions and 26 deletions.
26 changes: 16 additions & 10 deletions filter/url.cpp
Expand Up @@ -1539,21 +1539,21 @@ string filter_url_http_request_mbed (string url, string& error, const map <strin
if (connection_healthy) {
int ret = mbedtls_ssl_config_defaults (&conf, MBEDTLS_SSL_IS_CLIENT, MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT);
if (ret != 0) {
filter_url_display_mbed_tls_error (ret, &error, false);
filter_url_display_mbed_tls_error (ret, &error, false, std::string());
connection_healthy = false;
}
mbedtls_ssl_conf_authmode (&conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
mbedtls_ssl_conf_ca_chain (&conf, &filter_url_mbed_tls_cacert, nullptr);
mbedtls_ssl_conf_rng (&conf, mbedtls_ctr_drbg_random, &filter_url_mbed_tls_ctr_drbg);
ret = mbedtls_ssl_setup (&ssl, &conf);
if (ret != 0) {
filter_url_display_mbed_tls_error (ret, &error, false);
filter_url_display_mbed_tls_error (ret, &error, false, std::string());
connection_healthy = false;
}
// The hostname it connects to, and verifies the certificate for.
ret = mbedtls_ssl_set_hostname (&ssl, hostname.c_str ());
if (ret != 0) {
filter_url_display_mbed_tls_error (ret, &error, false);
filter_url_display_mbed_tls_error (ret, &error, false, std::string());
connection_healthy = false;
}
mbedtls_ssl_set_bio (&ssl, &fd, mbedtls_net_send, mbedtls_net_recv, nullptr);
Expand All @@ -1567,7 +1567,7 @@ string filter_url_http_request_mbed (string url, string& error, const map <strin
// The code was updated to work around that.
int ret = mbedtls_net_connect (&fd, hostname.c_str(), filter::strings::convert_to_string (port).c_str (), MBEDTLS_NET_PROTO_TCP);
if (ret != 0) {
filter_url_display_mbed_tls_error (ret, &error, false);
filter_url_display_mbed_tls_error (ret, &error, false, std::string());
connection_healthy = false;
}
}
Expand Down Expand Up @@ -1668,7 +1668,7 @@ string filter_url_http_request_mbed (string url, string& error, const map <strin
while (connection_healthy && ((ret = mbedtls_ssl_handshake (&ssl)) != 0)) {
if (ret == MBEDTLS_ERR_SSL_WANT_READ) continue;
if (ret == MBEDTLS_ERR_SSL_WANT_WRITE) continue;
filter_url_display_mbed_tls_error (ret, &error, false);
filter_url_display_mbed_tls_error (ret, &error, false, std::string());
connection_healthy = false;
}
}
Expand Down Expand Up @@ -1744,7 +1744,7 @@ string filter_url_http_request_mbed (string url, string& error, const map <strin
// until it returns a positive value.
if (ret == MBEDTLS_ERR_SSL_WANT_READ) continue;
if (ret == MBEDTLS_ERR_SSL_WANT_WRITE) continue;
filter_url_display_mbed_tls_error (ret, &error, false);
filter_url_display_mbed_tls_error (ret, &error, false, std::string());
connection_healthy = false;
}
}
Expand Down Expand Up @@ -1815,7 +1815,7 @@ string filter_url_http_request_mbed (string url, string& error, const map <strin
} else if (secure && (ret == MBEDTLS_ERR_SSL_WANT_WRITE)) {
} else if (secure && (ret == MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY)) {
} else if (secure && (ret < 0)) {
filter_url_display_mbed_tls_error (ret, &error, false);
filter_url_display_mbed_tls_error (ret, &error, false, std::string());
connection_healthy = false;
} else {
// Probably EOF.
Expand Down Expand Up @@ -1882,14 +1882,14 @@ void filter_url_ssl_tls_initialize ()
mbedtls_entropy_init (&filter_url_mbed_tls_entropy);
const char *pers = "Client";
ret = mbedtls_ctr_drbg_seed (&filter_url_mbed_tls_ctr_drbg, mbedtls_entropy_func, &filter_url_mbed_tls_entropy, reinterpret_cast <const unsigned char *> (pers), strlen (pers));
filter_url_display_mbed_tls_error (ret, nullptr, false);
filter_url_display_mbed_tls_error (ret, nullptr, false, std::string());
// Wait until the trusted root certificates exist.
// This is necessary as there's cases that the data is still being installed at this point.
string path = filter_url_create_root_path ({"filter", "cas.crt"});
while (!file_or_dir_exists (path)) this_thread::sleep_for (chrono::milliseconds (100));
// Read the trusted root certificates.
ret = mbedtls_x509_crt_parse_file (&filter_url_mbed_tls_cacert, path.c_str ());
filter_url_display_mbed_tls_error (ret, nullptr, false);
filter_url_display_mbed_tls_error (ret, nullptr, false, std::string());
}


Expand All @@ -1905,7 +1905,7 @@ void filter_url_ssl_tls_finalize ()
// This logs the $ret (return) value, converted to readable text, to the journal.
// If $error is given, it is stored there instead.
// It $server is true, it suppresses additional error codes.
void filter_url_display_mbed_tls_error (int & ret, string * error, bool server)
void filter_url_display_mbed_tls_error (int& ret, string* error, bool server, const std::string& remote_ip_address) // Todo add IP adddress, or Webserver Request.
{
// Local copy of the return value, and clear the original return value.
int local_return = ret;
Expand Down Expand Up @@ -1934,6 +1934,12 @@ void filter_url_display_mbed_tls_error (int & ret, string * error, bool server)
msg.append (" (");
msg.append (filter::strings::convert_to_string (local_return));
msg.append (")");
// Add the remote IP address if available.
if (!remote_ip_address.empty()) {
msg.append (" (IP address ");
msg.append (remote_ip_address);
msg.append (")");
}
if (error) {
error->assign (msg);
} else {
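Review bot: The new `remote_ip_address` parameter of `filter_url_display_mbed_tls_error` is not described in the comment block above the signature (the one ending `// It $server is true, it suppresses additional error codes.`), and the signature line now carries a trailing `// Todo add IP adddress, or Webserver Request.` that is either done or stale. Suggest dropping that trailing Todo, fixing `It $server` to `If $server`, and adding a doc line such as `// If $remote_ip_address is not empty, it is appended to the message so the journal shows which peer caused the failure.`; the declaration in filter/url.h should carry the same note. Since the address is concatenated straight into the journal text, it is worth confirming at each call site that it always comes from the socket peer and never from request-supplied data, otherwise it should be sanitized before being appended. The function's body continues beyond this hunk.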
2 changes: 1 addition & 1 deletion filter/url.h
Expand Up @@ -71,7 +71,7 @@ std::string filter_url_remove_username_password (std::string url);
std::string filter_url_http_request_mbed (std::string url, std::string& error, const std::map <std::string, std::string>& post, const std::string& filename, bool check_certificate);
void filter_url_ssl_tls_initialize ();
void filter_url_ssl_tls_finalize ();
void filter_url_display_mbed_tls_error (int & ret, std::string * error, bool server);
void filter_url_display_mbed_tls_error (int& ret, std::string* error, bool server, const std::string& remote_ip_address);
std::string filter_url_set_scheme (std::string url, bool secure);
std::string filter_url_clean_filename (std::string name);
std::string filter_url_filename_clean (std::string name);
31 changes: 16 additions & 15 deletions webserver/webserver.cpp
Expand Up @@ -526,7 +526,7 @@ void secure_webserver_process_request (mbedtls_ssl_config * conf, mbedtls_net_co
if (connection_healthy) {
ret = mbedtls_ssl_setup (&ssl, conf);
if (ret != 0) {
filter_url_display_mbed_tls_error (ret, nullptr, true);
filter_url_display_mbed_tls_error (ret, nullptr, true, request.remote_address);
connection_healthy = false;
}
}
Expand All @@ -541,7 +541,8 @@ void secure_webserver_process_request (mbedtls_ssl_config * conf, mbedtls_net_co
if (config_globals_webserver_running) {
// In case the secure server runs, display the error.
// And in case the server is interrupted by e.g. Ctrl-C, don't display this error.
filter_url_display_mbed_tls_error (ret, nullptr, true);
std::cout << __LINE__ << std::endl; // Todo
filter_url_display_mbed_tls_error (ret, nullptr, true, request.remote_address);
}
connection_healthy = false;
}
Expand Down Expand Up @@ -643,7 +644,7 @@ void secure_webserver_process_request (mbedtls_ssl_config * conf, mbedtls_net_co
// until it returns a positive value.
if (ret == MBEDTLS_ERR_SSL_WANT_READ) continue;
if (ret == MBEDTLS_ERR_SSL_WANT_WRITE) continue;
filter_url_display_mbed_tls_error (ret, nullptr, true);
filter_url_display_mbed_tls_error (ret, nullptr, true, request.remote_address);
connection_healthy = false;
}
}
Expand Down Expand Up @@ -689,7 +690,7 @@ void secure_webserver_process_request (mbedtls_ssl_config * conf, mbedtls_net_co
// until it returns a positive value.
if (ret == MBEDTLS_ERR_SSL_WANT_READ) continue;
if (ret == MBEDTLS_ERR_SSL_WANT_WRITE) continue;
filter_url_display_mbed_tls_error (ret, nullptr, true);
filter_url_display_mbed_tls_error (ret, nullptr, true, request.remote_address);
connection_healthy = false;
}
}
Expand All @@ -708,7 +709,7 @@ void secure_webserver_process_request (mbedtls_ssl_config * conf, mbedtls_net_co
while ((ret = mbedtls_ssl_close_notify (&ssl)) < 0) {
if (ret == MBEDTLS_ERR_SSL_WANT_READ) continue;
if (ret == MBEDTLS_ERR_SSL_WANT_WRITE) continue;
filter_url_display_mbed_tls_error (ret, nullptr, true);
filter_url_display_mbed_tls_error (ret, nullptr, true, request.remote_address);
connection_healthy = false;
if (connection_healthy) {}; // Suppress static analyzer warning about unused code.
break;
Expand Down Expand Up @@ -811,7 +812,7 @@ void https_server ()
mbedtls_pk_init (&pkey);
int ret = mbedtls_pk_parse_keyfile (&pkey, server_key_path.c_str (), nullptr);
if (ret != 0) {
filter_url_display_mbed_tls_error (ret, nullptr, true);
filter_url_display_mbed_tls_error (ret, nullptr, true, std::string());
Database_Logs::log("Invalid " + server_key_path + " so not running secure server");
return;
}
Expand All @@ -823,46 +824,46 @@ void https_server ()
// Load the server certificate.
ret = mbedtls_x509_crt_parse_file (&srvcert, server_certificate_path.c_str ());
if (ret != 0) {
filter_url_display_mbed_tls_error (ret, nullptr, true);
filter_url_display_mbed_tls_error (ret, nullptr, true, std::string());
Database_Logs::log("Invalid " + server_certificate_path + " so not running secure server");
return;
}

// Load the chain of certificates of the certificate authorities.
ret = mbedtls_x509_crt_parse_file (&srvcert, authorities_certificates_path.c_str ());
if (ret != 0) {
filter_url_display_mbed_tls_error (ret, nullptr, true);
filter_url_display_mbed_tls_error (ret, nullptr, true, std::string());
Database_Logs::log("Invalid " + authorities_certificates_path + " so not running secure server");
return;
}

// Seed the random number generator.
const char *pers = "Cloud";
ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func, &entropy, reinterpret_cast<const unsigned char *> (pers), strlen (pers));
ret = mbedtls_ctr_drbg_seed (&ctr_drbg, mbedtls_entropy_func, &entropy, reinterpret_cast<const unsigned char *> (pers), strlen (pers));
if (ret != 0) {
filter_url_display_mbed_tls_error (ret, nullptr, true);
filter_url_display_mbed_tls_error (ret, nullptr, true, std::string());
return;
}

// Setup the listening TCP socket.
ret = mbedtls_net_bind (&listen_fd, nullptr, network_port.c_str (), MBEDTLS_NET_PROTO_TCP);
if (ret != 0) {
filter_url_display_mbed_tls_error (ret, nullptr, true);
filter_url_display_mbed_tls_error (ret, nullptr, true, std::string());
return;
}

// Setup SSL/TLS default values for the lifetime of the https server.
ret = mbedtls_ssl_config_defaults (&conf, MBEDTLS_SSL_IS_SERVER, MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT);
if (ret != 0) {
filter_url_display_mbed_tls_error (ret, nullptr, true);
filter_url_display_mbed_tls_error (ret, nullptr, true, std::string());
return;
}
mbedtls_ssl_conf_rng (&conf, mbedtls_ctr_drbg_random, &ctr_drbg);
mbedtls_ssl_conf_session_cache (&conf, &cache, mbedtls_ssl_cache_get, mbedtls_ssl_cache_set);
mbedtls_ssl_conf_ca_chain (&conf, srvcert.next, nullptr);
ret = mbedtls_ssl_conf_own_cert (&conf, &srvcert, &pkey);
if (ret != 0) {
filter_url_display_mbed_tls_error (ret, nullptr, true);
filter_url_display_mbed_tls_error (ret, nullptr, true, std::string());
return;
}

Expand All @@ -885,10 +886,10 @@ void https_server ()
// Wait until a client connects.
ret = mbedtls_net_accept (&listen_fd, &client_fd, nullptr, 0, nullptr);
if (ret != 0 ) {
filter_url_display_mbed_tls_error (ret, nullptr, true);
filter_url_display_mbed_tls_error (ret, nullptr, true, std::string());
continue;
}

// Handle this request in a thread, enabling parallel requests.
std::thread request_thread = std::thread (secure_webserver_process_request, &conf, client_fd);
// Detach and delete thread object.
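Review bot: The line `std::cout << __LINE__ << std::endl; // Todo` added just before the `filter_url_display_mbed_tls_error` call in the hunk at line 541 looks like a debugging trace committed by mistake: it prints a bare line number to stdout with no context, flushes on every failed handshake, and bypasses the journal that the rest of the function uses. Suggest removing that line. Separately, because a failed handshake can be triggered by any peer before authentication, every such attempt now produces a journal entry carrying its address, so it may be worth checking that the journal copes with that volume (rate limiting or de-duplication) if that was not already considered. The loop enclosing this branch starts outside the hunk, so where exactly the failure is classified is inferred from the surrounding comment.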
