Move SSL information callback earlier to capture more information
authorMichael Paquier <[email protected]>
Fri, 22 Jan 2021 00:26:27 +0000 (09:26 +0900)
committerMichael Paquier <[email protected]>
Fri, 22 Jan 2021 00:26:27 +0000 (09:26 +0900)
The callback for retrieving state change information during connection
setup was only installed when the connection was mostly set up, and
thus didn't provide much information and missed all the details related
to the handshake.

This also extends the callback with SSL_state_string_long() to print
more information about the state change within the SSL object handled.

While there, fix some comments which were incorrectly referring to the
callback and its previous location in fe-secure.c.

Author: Daniel Gustafsson
Discussion: https://postgr.es/m/232CF476-94E1-42F1-9408-719E2AEC5491@yesql.se

src/backend/libpq/be-secure-openssl.c
src/interfaces/libpq/fe-secure-openssl.c
src/interfaces/libpq/fe-secure.c

index 0494ad7ded91871b9201a7ae8c82c921d18e37f0..1e2ecc6e7ab7411a6178d2c331c39de2f80f6779 100644 (file)
@@ -381,6 +381,9 @@ be_tls_open_server(Port *port)
        return -1;
    }
 
+   /* set up debugging/info callback */
+   SSL_CTX_set_info_callback(SSL_context, info_cb);
+
    if (!(port->ssl = SSL_new(SSL_context)))
    {
        ereport(COMMERROR,
@@ -562,9 +565,6 @@ aloop:
        port->peer_cert_valid = true;
    }
 
-   /* set up debugging/info callback */
-   SSL_CTX_set_info_callback(SSL_context, info_cb);
-
    return 0;
 }
 
@@ -999,39 +999,43 @@ verify_cb(int ok, X509_STORE_CTX *ctx)
 static void
 info_cb(const SSL *ssl, int type, int args)
 {
+   const char *desc;
+
+   desc = SSL_state_string_long(ssl);
+
    switch (type)
    {
        case SSL_CB_HANDSHAKE_START:
            ereport(DEBUG4,
-                   (errmsg_internal("SSL: handshake start")));
+                   (errmsg_internal("SSL: handshake start: \"%s\"", desc)));
            break;
        case SSL_CB_HANDSHAKE_DONE:
            ereport(DEBUG4,
-                   (errmsg_internal("SSL: handshake done")));
+                   (errmsg_internal("SSL: handshake done: \"%s\"", desc)));
            break;
        case SSL_CB_ACCEPT_LOOP:
            ereport(DEBUG4,
-                   (errmsg_internal("SSL: accept loop")));
+                   (errmsg_internal("SSL: accept loop: \"%s\"", desc)));
            break;
        case SSL_CB_ACCEPT_EXIT:
            ereport(DEBUG4,
-                   (errmsg_internal("SSL: accept exit (%d)", args)));
+                   (errmsg_internal("SSL: accept exit (%d): \"%s\"", args, desc)));
            break;
        case SSL_CB_CONNECT_LOOP:
            ereport(DEBUG4,
-                   (errmsg_internal("SSL: connect loop")));
+                   (errmsg_internal("SSL: connect loop: \"%s\"", desc)));
            break;
        case SSL_CB_CONNECT_EXIT:
            ereport(DEBUG4,
-                   (errmsg_internal("SSL: connect exit (%d)", args)));
+                   (errmsg_internal("SSL: connect exit (%d): \"%s\"", args, desc)));
            break;
        case SSL_CB_READ_ALERT:
            ereport(DEBUG4,
-                   (errmsg_internal("SSL: read alert (0x%04x)", args)));
+                   (errmsg_internal("SSL: read alert (0x%04x): \"%s\"", args, desc)));
            break;
        case SSL_CB_WRITE_ALERT:
            ereport(DEBUG4,
-                   (errmsg_internal("SSL: write alert (0x%04x)", args)));
+                   (errmsg_internal("SSL: write alert (0x%04x): \"%s\"", args, desc)));
            break;
    }
 }
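Review bot: `desc = SSL_state_string_long(ssl);` in info_cb runs on every callback invocation before the switch, so the lookup is paid for types no case matches (the switch has no default) and whenever DEBUG4 is not enabled, which is the usual setting for a callback that now fires for the whole handshake since hunk 1 installs it before SSL_new(). Because ereport() only evaluates its auxiliary arguments when the message level passes, the call could be moved into each errmsg_internal() argument list instead, or the function could bail out early with `if (!message_level_is_interesting(DEBUG4)) return;` if that elog.h helper is present in this tree. The cost is small, but it is pure overhead on every production TLS connection. A `default: break;` case would also make it explicit that unmatched callback types are intentionally ignored.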
index 075f754e1fb61ecad1938564edecd660b2fb0fb9..5b4a4157d5ce8560dfa2987437391f5fc3a990ea 100644 (file)
@@ -14,7 +14,7 @@
  * NOTES
  *
  *   We don't provide informational callbacks here (like
- *   info_cb() in be-secure.c), since there's no good mechanism to
+ *   info_cb() in be-secure-openssl.c), since there's no good mechanism to
  *   display such information to the user.
  *
  *-------------------------------------------------------------------------
index 67b1e78512973ac91f93824975d9e6fb3bb54daa..00b87bdc96d7ea999a827129261016946b8e910d 100644 (file)
  * IDENTIFICATION
  *   src/interfaces/libpq/fe-secure.c
  *
- * NOTES
- *
- *   We don't provide informational callbacks here (like
- *   info_cb() in be-secure.c), since there's no good mechanism to
- *   display such information to the user.
- *
  *-------------------------------------------------------------------------
  */