authorMichael Paquier2021-01-22 00:26:27 +0000
committerMichael Paquier2021-01-22 00:26:27 +0000
commitaf0e79c8f4f4c3c2306855045c0d02a6be6485f0 (patch)
treeef0db125e70673b5b568436575961fc47361ff2b
parent27a48e5a16ff2227ddf44ee717d9bcd89d22a7aa (diff)
Move SSL information callback earlier to capture more information
The callback for retrieving state change information during connection setup was only installed when the connection was mostly set up, and thus didn't provide much information and missed all the details related to the handshake. This also extends the callback with SSL_state_string_long() to print more information about the state change within the SSL object handled. While there, fix some comments which were incorrectly referring to the callback and its previous location in fe-secure.c. Author: Daniel Gustafsson Discussion: https://postgr.es/m/[email protected]
-rw-r--r--src/backend/libpq/be-secure-openssl.c26
-rw-r--r--src/interfaces/libpq/fe-secure-openssl.c2
-rw-r--r--src/interfaces/libpq/fe-secure.c6
3 files changed, 16 insertions, 18 deletions
diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 0494ad7ded..1e2ecc6e7a 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -381,6 +381,9 @@ be_tls_open_server(Port *port)
return -1;
}
+ /* set up debugging/info callback */
+ SSL_CTX_set_info_callback(SSL_context, info_cb);
+
if (!(port->ssl = SSL_new(SSL_context)))
{
ereport(COMMERROR,
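Review bot: The comment on the moved `SSL_CTX_set_info_callback()` call does not say why the call has to sit at this point, which is the whole purpose of the move and easy to undo in a later refactor. I would extend it to something like `/* set up debugging/info callback; must be installed before the handshake, or its state changes are never reported */`. The call also sets the callback on the shared `SSL_context` rather than on `port->ssl`, so it is repeated for every connection. Whether it could be done once where the context is built cannot be judged from here, since be_tls_open_server starts before and continues after this hunk.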
@@ -562,9 +565,6 @@ aloop:
port->peer_cert_valid = true;
}
- /* set up debugging/info callback */
- SSL_CTX_set_info_callback(SSL_context, info_cb);
-
return 0;
}
@@ -999,39 +999,43 @@ verify_cb(int ok, X509_STORE_CTX *ctx)
static void
info_cb(const SSL *ssl, int type, int args)
{
+ const char *desc;
+
+ desc = SSL_state_string_long(ssl);
+
switch (type)
{
case SSL_CB_HANDSHAKE_START:
ereport(DEBUG4,
- (errmsg_internal("SSL: handshake start")));
+ (errmsg_internal("SSL: handshake start: \"%s\"", desc)));
break;
case SSL_CB_HANDSHAKE_DONE:
ereport(DEBUG4,
- (errmsg_internal("SSL: handshake done")));
+ (errmsg_internal("SSL: handshake done: \"%s\"", desc)));
break;
case SSL_CB_ACCEPT_LOOP:
ereport(DEBUG4,
- (errmsg_internal("SSL: accept loop")));
+ (errmsg_internal("SSL: accept loop: \"%s\"", desc)));
break;
case SSL_CB_ACCEPT_EXIT:
ereport(DEBUG4,
- (errmsg_internal("SSL: accept exit (%d)", args)));
+ (errmsg_internal("SSL: accept exit (%d): \"%s\"", args, desc)));
break;
case SSL_CB_CONNECT_LOOP:
ereport(DEBUG4,
- (errmsg_internal("SSL: connect loop")));
+ (errmsg_internal("SSL: connect loop: \"%s\"", desc)));
break;
case SSL_CB_CONNECT_EXIT:
ereport(DEBUG4,
- (errmsg_internal("SSL: connect exit (%d)", args)));
+ (errmsg_internal("SSL: connect exit (%d): \"%s\"", args, desc)));
break;
case SSL_CB_READ_ALERT:
ereport(DEBUG4,
- (errmsg_internal("SSL: read alert (0x%04x)", args)));
+ (errmsg_internal("SSL: read alert (0x%04x): \"%s\"", args, desc)));
break;
case SSL_CB_WRITE_ALERT:
ereport(DEBUG4,
- (errmsg_internal("SSL: write alert (0x%04x)", args)));
+ (errmsg_internal("SSL: write alert (0x%04x): \"%s\"", args, desc)));
break;
}
}
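Review bot: In the `SSL_CB_READ_ALERT` and `SSL_CB_WRITE_ALERT` cases the alert is still logged only as a raw hex value, while the added `desc` reports the handshake state, which is the less useful half when diagnosing a rejected or failed handshake. OpenSSL provides `SSL_alert_type_string_long(args)` and `SSL_alert_desc_string_long(args)` for this, so the read-alert line could become `(errmsg_internal("SSL: read alert (0x%04x): \"%s\" / \"%s\"", args, SSL_alert_desc_string_long(args), desc)));`, and likewise for the write alert. Passing `desc` as a `%s` argument rather than as the format string is correct. Since the callback presumably now fires during the handshake, before the peer has authenticated, a one-line comment above `desc = SSL_state_string_long(ssl);` noting that the string is a fixed library description rather than peer-supplied text would help.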
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 075f754e1f..5b4a4157d5 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -14,7 +14,7 @@
* NOTES
*
* We don't provide informational callbacks here (like
- * info_cb() in be-secure.c), since there's no good mechanism to
+ * info_cb() in be-secure-openssl.c), since there's no good mechanism to
* display such information to the user.
*
*-------------------------------------------------------------------------
diff --git a/src/interfaces/libpq/fe-secure.c b/src/interfaces/libpq/fe-secure.c
index 67b1e78512..00b87bdc96 100644
--- a/src/interfaces/libpq/fe-secure.c
+++ b/src/interfaces/libpq/fe-secure.c
@@ -13,12 +13,6 @@
* IDENTIFICATION
* src/interfaces/libpq/fe-secure.c
*
- * NOTES
- *
- * We don't provide informational callbacks here (like
- * info_cb() in be-secure.c), since there's no good mechanism to
- * display such information to the user.
- *
*-------------------------------------------------------------------------
*/