Added SSL Error Trace Log and mTLS Samples (#222)

Author: irineu

trantor/net/inner/TcpConnectionImpl.cc

@@ -321,11 +321,19 @@ std::shared_ptr<SSLContext> newSSLServerContext(
         throw std::runtime_error("SSL_CTX_check_private_key error");
     }
 
+    if (!SSL_CTX_set_ecdh_auto(ctx->get(), 1))
+    {
+        LOG_TRACE << "Failed to set_ecdh_auto, set_ecdh_auto DISABLED";
+    }
+    else
+    {
+        LOG_TRACE << "set_ecdh_auto ENABLED";
+    }
+
     if (!caPath.empty())
     {
         auto checkCA =
             SSL_CTX_load_verify_locations(ctx->get(), caPath.c_str(), NULL);
-        LOG_DEBUG << "CA CHECK LOC: " << checkCA;
         if (checkCA)
         {
             STACK_OF(X509_NAME) *cert_names =
@@ -335,6 +343,7 @@ std::shared_ptr<SSLContext> newSSLServerContext(
                 SSL_CTX_set_client_CA_list(ctx->get(), cert_names);
             }
             ctx->mtlsEnabled = true;
+            LOG_TRACE << "mTLS session ENABLED";
         }
         else
         {
@@ -2005,6 +2014,17 @@ bool TcpConnectionImpl::validatePeerCertificate()
     }
 }
 
+std::string TcpConnectionImpl::getOpenSSLErrorStack()
+{
+    BIO *bio = BIO_new(BIO_s_mem());
+    ERR_print_errors(bio);
+    char *buf;
+    size_t len = BIO_get_mem_data(bio, &buf);
+    std::string ret(buf, len);
+    BIO_free(bio);
+    return ret;
+}
+
 void TcpConnectionImpl::doHandshaking()
 {
     assert(sslEncryptionPtr_->statusOfSSL_ == SSLStatus::Handshaking);
@@ -2013,8 +2033,9 @@ void TcpConnectionImpl::doHandshaking()
     LOG_TRACE << "hand shaking: " << r;
     if (r == 1)
     {
-        // Clients don't commonly have certificates. Let's not validate
-        // that
+        // Clients don't commonly have certificates (except on mTLS).
+        // So if the SSL session is on server-side and without mTLS enabled,
+        // let's not validate the client certificate.
         if (validateCert_ && (!sslEncryptionPtr_->isServer_ ||
                               sslEncryptionPtr_->sslPtr_->mtlsEnabled))
         {
@@ -2059,8 +2080,8 @@ void TcpConnectionImpl::doHandshaking()
     }
     else
     {
-        // ERR_print_errors(err);
         LOG_TRACE << "SSL handshake err: " << err;
+        LOG_TRACE << "SSL error stack: " << getOpenSSLErrorStack();
         ioChannelPtr_->disableReading();
         sslEncryptionPtr_->statusOfSSL_ = SSLStatus::DisConnected;
         if (sslErrorCallback_)

trantor/net/inner/TcpConnectionImpl.h

@@ -370,6 +370,7 @@ class TcpConnectionImpl : public TcpConnection,
   private:
     void doHandshaking();
     bool validatePeerCertificate();
+    std::string getOpenSSLErrorStack();
     struct SSLEncryption
     {
         SSLStatus statusOfSSL_ = SSLStatus::Handshaking;

trantor/tests/MTLSClient.cc

@@ -0,0 +1,115 @@
+/**
+ *
+ * # Generate CA file
+ * openssl req -new -x509 -days 365 -keyout ca-key.pem -out ca-crt.pem
+ *
+ * # Generate Key File (ie: same for client and server, but you can create one
+ * for each one) openssl genrsa -out server-key.pem 4096
+ *
+ * # Generate Server certificate:
+ * openssl req -new -sha256 -key server-key.pem -out ca-csr.pem
+ * openssl x509 -req -days 365 -in ca-csr.pem -CA ca-crt.pem -CAkey ca-key.pem
+ * -CAcreateserial -out server-crt.pem openssl verify -CAfile ca-crt.pem
+ * server-crt.pem
+ *
+ *
+ * # For client (to specify a certificate client mode only - no domain):
+ * # Create file client_cert_ext.cnf:
+ * cat client_cert_ext.cnf
+ *
+ *   keyUsage = critical, digitalSignature, keyEncipherment
+ *   extendedKeyUsage = clientAuth
+ *   basicConstraints = critical, CA:FALSE
+ *   authorityKeyIdentifier = keyid,issuer
+ *   subjectAltName = DNS:Client
+ *
+ * Create client cert (using the same serve key and CA)
+ * openssl x509 -req -in ca-csr.pem -days 1000 -CA ca-crt.pem -CAkey ca-key.pem
+ * -set_serial 01 -extfile client_cert_ext.cnf  > client-crt.pem
+ *
+ * openssl verify -CAfile ca-crt.pem client-crt.pem
+ * openssl x509 -in client-crt.pem -text -noout -purpose
+ *
+ * # Compile sample:
+ *
+ * g++ -o MTLSClient MTLSClient.cc -ltrantor -lssl -lcrypto -lpthread
+ *
+ * # Tests
+ *
+ * # Listen generic SSL server
+ * openssl s_server -accept 8888  -CAfile ./ca-crt.pem  -cert ./server-crt.pem
+ * -key ./server-key.pem  -state
+ *
+ * # Listen generic SSL server with mTLS verification
+ * openssl s_server -accept 8888  -CAfile ./ca-crt.pem  -cert ./server-crt.pem
+ * -key ./server-key.pem  -state -verify_return_error -Verify 1
+ *
+ * # Test the mTLS client bin
+ * ./MTLSClient
+ *
+ * **/
+
+#include <trantor/net/TcpClient.h>
+#include <trantor/utils/Logger.h>
+#include <trantor/net/EventLoopThread.h>
+#include <string>
+#include <iostream>
+#include <atomic>
+using namespace trantor;
+#define USE_IPV6 0
+int main()
+{
+    trantor::Logger::setLogLevel(trantor::Logger::kTrace);
+    LOG_DEBUG << "TcpClient class test!";
+    EventLoop loop;
+#if USE_IPV6
+    InetAddress serverAddr("::1", 8888, true);
+#else
+    InetAddress serverAddr("127.0.0.1", 8888);
+#endif
+    std::shared_ptr<trantor::TcpClient> client[10];
+    std::atomic_int connCount;
+    connCount = 1;
+    for (int i = 0; i < connCount; ++i)
+    {
+        client[i] = std::make_shared<trantor::TcpClient>(&loop,
+                                                         serverAddr,
+                                                         "tcpclienttest");
+        std::vector<std::pair<std::string, std::string>> sslcmd = {};
+        // That key is common for client and server
+        // The CA file must be the client CA, for this sample the CA is common
+        // for both
+        client[i]->enableSSL(false,
+                             false,
+                             "localhost",
+                             sslcmd,
+                             "./client-crt.pem",
+                             "./server-key.pem",
+                             "./ca-crt.pem");
+        client[i]->setConnectionCallback(
+            [i, &loop, &connCount](const TcpConnectionPtr &conn) {
+                if (conn->connected())
+                {
+                    LOG_DEBUG << i << " connected!";
+                    char tmp[20];
+                    sprintf(tmp, "%d client!!", i);
+                    conn->send(tmp);
+                }
+                else
+                {
+                    LOG_DEBUG << i << " disconnected";
+                    --connCount;
+                    if (connCount == 0)
+                        loop.quit();
+                }
+            });
+        client[i]->setMessageCallback(
+            [](const TcpConnectionPtr &conn, MsgBuffer *buf) {
+                LOG_DEBUG << std::string(buf->peek(), buf->readableBytes());
+                buf->retrieveAll();
+                conn->shutdown();
+            });
+        client[i]->connect();
+    }
+    loop.loop();
+}

trantor/tests/MTLSServer.cc

@@ -0,0 +1,95 @@
+/**
+ *
+ * # Generate CA file
+ * openssl req -new -x509 -days 365 -keyout ca-key.pem -out ca-crt.pem
+ *
+ * # Generate Key File (ie: same for client and server, but you can create one
+ * for each one) openssl genrsa -out server-key.pem 4096
+ *
+ * # Generate Server certificate:
+ * openssl req -new -sha256 -key server-key.pem -out ca-csr.pem
+ * openssl x509 -req -days 365 -in ca-csr.pem -CA ca-crt.pem -CAkey ca-key.pem
+ * -CAcreateserial -out server-crt.pem openssl verify -CAfile ca-crt.pem
+ * server-crt.pem
+ *
+ *
+ * # For client (to specify a certificate client mode only - no domain):
+ * # Create file client_cert_ext.cnf:
+ * cat client_cert_ext.cnf
+ *
+ *   keyUsage = critical, digitalSignature, keyEncipherment
+ *   extendedKeyUsage = clientAuth
+ *   basicConstraints = critical, CA:FALSE
+ *   authorityKeyIdentifier = keyid,issuer
+ *   subjectAltName = DNS:Client
+ *
+ * Create client cert (using the same serve key and CA)
+ * openssl x509 -req -in ca-csr.pem -days 1000 -CA ca-crt.pem -CAkey ca-key.pem
+ * -set_serial 01 -extfile client_cert_ext.cnf  > client-crt.pem
+ *
+ * openssl verify -CAfile ca-crt.pem client-crt.pem
+ * openssl x509 -in client-crt.pem -text -noout -purpose
+ *
+ * # Compile sample:
+ *
+ * g++ -o MTLSServer MTLSServer.cc -ltrantor -lssl -lcrypto -lpthread
+ *
+ * # Tests
+ *
+ * # Should Fail
+ * openssl s_client -connect 0.0.0.0:8888 -state
+ *
+ * # Should Connect (the CA file must be the server CA), for this sample the CA
+ * is common for both openssl s_client -connect 0.0.0.0:8888 -key
+ * ./server-key.pem -cert ./server-crt.pem -CAfile ./ca-crt.pem -state
+ *
+ * **/
+
+#include <trantor/net/TcpServer.h>
+#include <trantor/utils/Logger.h>
+#include <trantor/net/EventLoopThread.h>
+#include <string>
+#include <iostream>
+using namespace trantor;
+#define USE_IPV6 0
+int main()
+{
+    LOG_DEBUG << "test start";
+    Logger::setLogLevel(Logger::kTrace);
+    EventLoopThread loopThread;
+    loopThread.run();
+#if USE_IPV6
+    InetAddress addr(8888, true, true);
+#else
+    InetAddress addr(8888);
+#endif
+    TcpServer server(loopThread.getLoop(), addr, "test");
+    std::vector<std::pair<std::string, std::string>> sslcmd = {};
+
+    // the CA file must be the client CA, for this sample the CA is common for
+    // both
+    server.enableSSL(
+        "server-crt.pem", "server-key.pem", false, sslcmd, "ca-crt.pem");
+    server.setRecvMessageCallback(
+        [](const TcpConnectionPtr &connectionPtr, MsgBuffer *buffer) {
+            // LOG_DEBUG<<"recv callback!";
+            std::cout << std::string(buffer->peek(), buffer->readableBytes());
+            connectionPtr->send(buffer->peek(), buffer->readableBytes());
+            buffer->retrieveAll();
+            connectionPtr->forceClose();
+        });
+    server.setConnectionCallback([](const TcpConnectionPtr &connPtr) {
+        if (connPtr->connected())
+        {
+            LOG_DEBUG << "New connection";
+            connPtr->send("Hello world\r\n");
+        }
+        else if (connPtr->disconnected())
+        {
+            LOG_DEBUG << "connection disconnected";
+        }
+    });
+    server.setIoLoopNum(3);
+    server.start();
+    loopThread.wait();
+}