git: 74c4cb9cc376 - stable/13 - rpc.tlsservd: Add logging of TLS version and cipher used
Date: Tue, 24 May 2022 01:03:25 UTC
The branch stable/13 has been updated by rmacklem: URL: https://cgit.FreeBSD.org/src/commit/?id=74c4cb9cc3763b536f3e9843b976b8bc42535512 commit 74c4cb9cc3763b536f3e9843b976b8bc42535512 Author: Rick Macklem <rmacklem@FreeBSD.org> AuthorDate: 2022-05-06 21:03:43 +0000 Commit: Rick Macklem <rmacklem@FreeBSD.org> CommitDate: 2022-05-24 01:02:18 +0000 rpc.tlsservd: Add logging of TLS version and cipher used This patch adds logging of the version of TLS and cipher negotiated successfully by the TLS handshake for each client, if the "-v" command line option has been specified. This information may be useful for monitoring and debugging NFS-over-TLS mounts. (cherry picked from commit d71c9f14682fee73f3694426fb47e66aab721835) --- usr.sbin/rpc.tlsservd/rpc.tlsservd.c | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/usr.sbin/rpc.tlsservd/rpc.tlsservd.c b/usr.sbin/rpc.tlsservd/rpc.tlsservd.c index 71787b162acd..16dd3e9c2d8b 100644 --- a/usr.sbin/rpc.tlsservd/rpc.tlsservd.c +++ b/usr.sbin/rpc.tlsservd/rpc.tlsservd.c @@ -679,13 +679,23 @@ rpctls_server(SSL_CTX *ctx, int s, uint32_t *flags, uint32_t *uidp, return (NULL); } *flags |= RPCTLS_FLAGS_HANDSHAKE; + if (rpctls_verbose) { + gethostret = rpctls_gethost(s, sad, hostnam, sizeof(hostnam)); + if (gethostret == 0) + hostnam[0] = '\0'; + rpctls_verbose_out("rpctls_server: SSL handshake ok for host %s" + " <%s %s>\n", hostnam, SSL_get_version(ssl), + SSL_get_cipher(ssl)); + } if (rpctls_do_mutual) { cert = SSL_get_peer_certificate(ssl); if (cert != NULL) { - gethostret = rpctls_gethost(s, sad, hostnam, - sizeof(hostnam)); - if (gethostret == 0) - hostnam[0] = '\0'; + if (!rpctls_verbose) { + gethostret = rpctls_gethost(s, sad, hostnam, + sizeof(hostnam)); + if (gethostret == 0) + hostnam[0] = '\0'; + } cp2 = X509_NAME_oneline( X509_get_subject_name(cert), NULL, 0); *flags |= RPCTLS_FLAGS_GOTCERT;
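Review bot: the host lookup is now duplicated, and the second copy is guarded by `if (!rpctls_verbose)` purely so the mutual-auth path does not repeat the work the verbose block already did; that couples two unrelated options and is easy to break later. Consider hoisting the `rpctls_gethost(s, sad, hostnam, sizeof(hostnam))` call and its `hostnam[0] = '\0'` fallback to a single spot that runs when `rpctls_verbose || rpctls_do_mutual`, and let both the verbose log and the certificate check read the same `hostnam`. Separately, when the lookup fails the new log line prints an empty host (`SSL handshake ok for host  <TLSv1.3 ...>`), which is hard to correlate when monitoring; logging a placeholder such as "unknown" (or the peer address, if the caller has it) on the `gethostret == 0` path would make the `-v` output more useful for the monitoring purpose the commit message states.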