Currently the %err_detail access_log formating code does not display
something useful for the system admin in the case of the certificate
validation errors.
This patch in the case of an ERR_SECURE_CONNECT_FAIL error displays the
certificate validation error name.
Fill access log's %error_detail when responding with
ERR_SECURE_CONNECT_FAIL.
This is a Measurement Factory project
=== modified file 'src/format/Format.cc'
--- src/format/Format.cc 2011-10-14 01:49:17 +0000
+++ src/format/Format.cc 2011-10-25 15:46:23 +0000
@@ -1,32 +1,35 @@
#include "config.h"
#include "AccessLogEntry.h"
#include "comm/Connection.h"
#include "err_detail_type.h"
#include "errorpage.h"
#include "format/Format.h"
#include "format/Quoting.h"
#include "format/Tokens.h"
#include "HttpRequest.h"
#include "MemBuf.h"
#include "rfc1738.h"
#include "SquidTime.h"
+#if USE_SSL
+#include "ssl/ErrorDetail.h"
+#endif
#include "Store.h"
/// Convert a string to NULL pointer if it is ""
#define strOrNull(s) ((s)==NULL||(s)[0]=='\0'?NULL:(s))
Format::Format::Format(const char *n) :
format(NULL),
next(NULL)
{
name = xstrdup(n);
}
Format::Format::~Format()
{
// erase the list without consuming stack space
while (next) {
// unlink the next entry for deletion
Format *temp = next;
next = temp->next;
temp->next = NULL;
@@ -805,40 +808,48 @@
// or internal error messages).
break;
case LFT_SQUID_STATUS:
if (al->http.timedout || al->http.aborted) {
snprintf(tmp, sizeof(tmp), "%s%s", log_tags[al->cache.code],
al->http.statusSfx());
out = tmp;
} else {
out = log_tags[al->cache.code];
}
break;
case LFT_SQUID_ERROR:
if (al->request && al->request->errType != ERR_NONE)
out = errorPageName(al->request->errType);
break;
case LFT_SQUID_ERROR_DETAIL:
+#if USE_SSL
+ if (al->request && al->request->errType == ERR_SECURE_CONNECT_FAIL) {
+ if (! (out = Ssl::GetErrorName(al->request->errDetail))) {
+ snprintf(tmp, sizeof(tmp), "SSL_ERR=%d", al->request->errDetail);
+ out = tmp;
+ }
+ } else
+#endif
if (al->request && al->request->errDetail != ERR_DETAIL_NONE) {
if (al->request->errDetail > ERR_DETAIL_START &&
al->request->errDetail < ERR_DETAIL_MAX)
out = errorDetailName(al->request->errDetail);
else {
if (al->request->errDetail >= ERR_DETAIL_EXCEPTION_START)
snprintf(tmp, sizeof(tmp), "%s=0x%X",
errorDetailName(al->request->errDetail), (uint32_t) al->request->errDetail);
else
snprintf(tmp, sizeof(tmp), "%s=%d",
errorDetailName(al->request->errDetail), al->request->errDetail);
out = tmp;
}
}
break;
case LFT_SQUID_HIERARCHY:
if (al->hier.ping.timedout)
mb.append("TIMEOUT_", 8);
=== modified file 'src/forward.cc'
--- src/forward.cc 2011-10-10 11:54:04 +0000
+++ src/forward.cc 2011-10-25 15:34:45 +0000
@@ -315,40 +315,45 @@
anErr->xerrno = errno;
fail(anErr);
} // else use actual error from last connection attempt
self = NULL; // refcounted
}
}
void
FwdState::fail(ErrorState * errorState)
{
debugs(17, 3, HERE << err_type_str[errorState->type] << " \"" << httpStatusString(errorState->httpStatus) << "\"\n\t" << entry->url() );
if (err)
errorStateFree(err);
err = errorState;
if (!errorState->request)
errorState->request = HTTPMSGLOCK(request);
+#if USE_SSL
+ if (errorState->type == ERR_SECURE_CONNECT_FAIL && errorState->detail)
+ request->detailError(errorState->type, errorState->detail->errorNo());
+ else
+#endif
request->detailError(errorState->type, errorState->xerrno);
}
/**
* Frees fwdState without closing FD or generating an abort
*/
void
FwdState::unregister(Comm::ConnectionPointer &conn)
{
debugs(17, 3, HERE << entry->url() );
assert(serverConnection() == conn);
assert(Comm::IsConnOpen(conn));
comm_remove_close_handler(conn->fd, fwdServerClosedWrapper, this);
serverConn = NULL;
}
// Legacy method to be removed in favor of the above as soon as possible
void
FwdState::unregister(int fd)
{
=== modified file 'src/ssl/ErrorDetail.h'
--- src/ssl/ErrorDetail.h 2011-06-17 07:46:48 +0000
+++ src/ssl/ErrorDetail.h 2011-10-25 15:35:09 +0000
@@ -35,40 +35,42 @@
/**
\ingroup ServerProtocolSSLAPI
* A short description of the SSL error "value"
*/
const char *GetErrorDescr(ssl_error_t value);
/**
\ingroup ServerProtocolSSLAPI
* Used to pass SSL error details to the error pages returned to the
* end user.
*/
class ErrorDetail
{
public:
ErrorDetail(ssl_error_t err_no, X509 *cert);
ErrorDetail(ErrorDetail const &);
const String &toString() const; ///< An error detail string to embed in squid error pages
void useRequest(HttpRequest *aRequest) { if (request != NULL) request = aRequest;}
/// The error name to embed in squid error pages
const char *errorName() const {return err_code();}
+ /// The error no
+ ssl_error_t errorNo() const {return error_no;}
private:
typedef const char * (ErrorDetail::*fmt_action_t)() const;
/**
* Holds a formating code and its conversion method
*/
class err_frm_code
{
public:
const char *code; ///< The formating code
fmt_action_t fmt_action; ///< A pointer to the conversion method
};
static err_frm_code ErrorFormatingCodes[]; ///< The supported formating codes
const char *subject() const;
const char *ca_name() const;
const char *cn() const;
const char *notbefore() const;
const char *notafter() const;
const char *err_code() const;