Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Can we get DEBUG loggin from the OpenSSL library? #800

Open
valentijnscholten opened this issue Sep 17, 2024 · 2 comments
Open

Can we get DEBUG loggin from the OpenSSL library? #800

valentijnscholten opened this issue Sep 17, 2024 · 2 comments

Comments

@valentijnscholten
Copy link

valentijnscholten commented Sep 17, 2024
edited
Loading

Hi,

Problem

As a developer I would like to see (DEBUG) logging from OpenSSL. We have a Ruby application that connects to Amazon Cloudfront to retrieve a file. This runs through a network outside of our control containing NAT gateways, proxies, etc.

This works 99% of the time, but Intermittently we get a self signed certificate error:

OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 
peeraddr=18.66.171.65:443 state=error: certificate verify failed 
(self signed certificate in certificate chain))

But it doesn't show WHICH certificate (or subject, fignerprint, ...) is being seen.

Question / Request
Ideally we would have a ruby OpenSSL flag that instructs OpenSSL to do its (DEBUG) logging so we can get this information. I can see OpenSSL is logging the desired information in:

https://github.com/openssl/openssl/blob/6288aa440c1ba111eaf52cf79659a25329205022/crypto/x509/t_x509.c#L484-L501

Is it possible to get the Ruby app to log this information?

I have found OpenSSL::debug=true, but this only seems to trigger debug logging done in this Ruby Gem.

In java we have -Djava.net.debug=ssl, but I realize that is not using OpenSSL underneath.

Alternative
I have found a way to get Ruby to log the self-signed certificate that is being seen in Ruby via https://github.com/mislav/ssl-tools/blob/master/doctor.rb. Something along these lines, where the store_context contains the failed certificat:

  http.verify_callback = lambda { |verify_ok, store_context|
    if !verify_ok
      failed_cert = store_context.current_cert
      failed_cert_reason = "%d: %s" % [ store_context.error, store_context.error_string ]
    end
    verify_ok
  }

This is not ideal as it requires code changes in our Ruby apps, which is using httparty as a wrapper. Also we would be replicating logging that is already done by OpenSSL.

The fact that this SSL Docter script exists seems to confirm there is no Ruby OpenSSL::xxx flag to achieve this?

Would it be possible to implement such a flag? Is there an alternative way to achieve the same?
@valentijnscholten
Copy link
Author

Additionally, we tried setting the environment variable SSL_DEBUG=1, but this doens't seem to output any extra logging.

@bdewater
Copy link
Contributor

I don't think the comparison is fair about reuse - the code linked is from the openssl x509 utility, not the OpenSSL library. Both use the same callback mechanism to hook into the verification process.

Would it be possible to implement such a flag? Is there an alternative way to achieve the same?

You could open a PR to tweak the error message here:

openssl/ext/openssl/ossl_ssl.c

Line 1803 in 2b9f444

ERR_GET_REASON(err) == SSL_R_CERTIFICATE_VERIFY_FAILED) {

Or fork httparty and change it to allow passing through a lambda to http.verify_callback around here, so you can do in your app whatever you need: https://github.com/jnunemaker/httparty/blob/f0c42a7198c9357f0d95633e46512c92769f6476/lib/httparty/connection_adapter.rb#L189

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@bdewater @valentijnscholten