Add more TLS negotiation info in logging and UI

2025-07-12 10:44:58 +03:00 · 2021-12-26 12:31:53 +08:00
parent f94ac6351e
commit 0a4455ac40
16 changed files with 173 additions and 12 deletions
--- a/src/Cedar/AzureClient.c
+++ b/src/Cedar/AzureClient.c
@ -9,6 +9,7 @@

 #include "Cedar.h"
 #include "Command.h"
+#include "Logging.h"
 #include "Wpc.h"

 #include "Mayaqua/Encrypt.h"
@ -19,6 +20,7 @@
 #include "Mayaqua/Object.h"
 #include "Mayaqua/Pack.h"
 #include "Mayaqua/Str.h"
+#include "Mayaqua/Table.h"
 #include "Mayaqua/Tick64.h"

 #include <stdlib.h>
@ -80,6 +82,9 @@ void AcWaitForRequest(AZURE_CLIENT *ac, SOCK *s, AZURE_PARAM *param)
 						{
 							SOCK *ns;
 							Debug("Connect Request from %r:%u\n", &client_ip, client_port);
+							char ipstr[128];
+							IPToStr(ipstr, sizeof(ipstr), &client_ip);
+							SLog(ac->Cedar, "LS_AZURE_START", ipstr, client_port);

 							// Create new socket and connect VPN Azure Server
 							if (ac->DDnsStatusCopy.InternetSetting.ProxyType == PROXY_DIRECT)
@ -103,9 +108,10 @@ void AcWaitForRequest(AZURE_CLIENT *ac, SOCK *s, AZURE_PARAM *param)

 								SetTimeout(ns, param->DataTimeout);

+								UINT ssl_err = 0;
 								Copy(&ns->SslAcceptSettings, &ac->Cedar->SslAcceptSettings, sizeof(SSL_ACCEPT_SETTINGS));

-								if (StartSSLEx(ns, NULL, NULL, 0, NULL))
+								if (StartSSLEx3(ns, NULL, NULL, NULL, 0, NULL, NULL, &ssl_err))
 								{
 									// Check certification
 									char server_cert_hash_str[MAX_SIZE];
@ -159,6 +165,13 @@ void AcWaitForRequest(AZURE_CLIENT *ac, SOCK *s, AZURE_PARAM *param)
 										}
 									}
 								}
+								else
+								{
+									if (ssl_err != 0)
+									{
+										SLog(ac->Cedar, "LS_AZURE_SSL_ERROR", GetUniErrorStr(ssl_err), ssl_err);
+									}
+								}

 								ReleaseSock(ns);
 							}
--- a/src/Cedar/CM.c
+++ b/src/Cedar/CM.c
@ -9576,7 +9576,11 @@ void CmPrintStatusToListViewEx(LVB *b, RPC_CLIENT_GET_CONNECTION_STATUS *s, bool
 		}
 		else
 		{
-			if (StrLen(s->CipherName) != 0)
+			if (StrLen(s->CipherName) != 0 && StrLen(s->ProtocolName) != 0)
+			{
+				UniFormat(tmp, sizeof(tmp), _UU("CM_ST_USE_ENCRYPT_TRUE3"), s->ProtocolName, s->CipherName);
+			}
+			else if (StrLen(s->CipherName) != 0)
 			{
 				UniFormat(tmp, sizeof(tmp), _UU("CM_ST_USE_ENCRYPT_TRUE"), s->CipherName);
 			}
--- a/src/Cedar/Cedar.h
+++ b/src/Cedar/Cedar.h
@ -870,6 +870,9 @@
 #define	ERR_NOT_SUPPORTED_FUNCTION_ON_OPENSOURCE	147	// It is a feature that is not supported in the open source version
 #define	ERR_SUSPENDING					148	// System is suspending
 #define ERR_HOSTNAME_MISMATCH			149	// SSL hostname mismatch
+#define ERR_SSL_PROTOCOL_VERSION		150 // SSL version not supported
+#define ERR_SSL_SHARED_CIPHER			151 // Can't find common cipher
+#define ERR_SSL_HANDSHAKE				152 // Other SSL handshake error


 ////////////////////////////
--- a/src/Cedar/Client.c
+++ b/src/Cedar/Client.c
@ -4836,6 +4836,7 @@ void InRpcClientGetConnectionStatus(RPC_CLIENT_GET_CONNECTION_STATUS *s, PACK *p

 	PackGetStr(p, "ServerName", s->ServerName, sizeof(s->ServerName));
 	PackGetStr(p, "ServerProductName", s->ServerProductName, sizeof(s->ServerProductName));
+	PackGetStr(p, "ProtocolVersion", s->ProtocolName, sizeof(s->ProtocolName));
 	PackGetStr(p, "CipherName", s->CipherName, sizeof(s->CipherName));
 	PackGetStr(p, "SessionName", s->SessionName, sizeof(s->SessionName));
 	PackGetStr(p, "ConnectionName", s->ConnectionName, sizeof(s->ConnectionName));
@ -4911,6 +4912,7 @@ void OutRpcClientGetConnectionStatus(PACK *p, RPC_CLIENT_GET_CONNECTION_STATUS *

 	PackAddStr(p, "ServerName", c->ServerName);
 	PackAddStr(p, "ServerProductName", c->ServerProductName);
+	PackAddStr(p, "ProtocolVersion", c->ProtocolName);
 	PackAddStr(p, "CipherName", c->CipherName);
 	PackAddStr(p, "SessionName", c->SessionName);
 	PackAddStr(p, "ConnectionName", c->ConnectionName);
@ -5864,6 +5866,7 @@ void CiGetSessionStatus(RPC_CLIENT_GET_CONNECTION_STATUS *st, SESSION *s)
 				if (st->UseEncrypt)
 				{
 					StrCpy(st->CipherName, sizeof(st->CipherName), s->Connection->CipherName);
+					StrCpy(st->ProtocolName, sizeof(st->ProtocolName), s->Connection->SslVersion);
 				}
 				// Use of compression
 				st->UseCompress = s->UseCompress;
--- a/src/Cedar/Command.c
+++ b/src/Cedar/Command.c
@ -15534,7 +15534,11 @@ void CmdPrintStatusToListViewEx(CT *ct, RPC_CLIENT_GET_CONNECTION_STATUS *s, boo
 		}
 		else
 		{
-			if (StrLen(s->CipherName) != 0)
+			if (StrLen(s->CipherName) != 0 && StrLen(s->ProtocolName) != 0)
+			{
+				UniFormat(tmp, sizeof(tmp), _UU("CM_ST_USE_ENCRYPT_TRUE3"), s->ProtocolName, s->CipherName);
+			}
+			else if (StrLen(s->CipherName) != 0)
 			{
 				UniFormat(tmp, sizeof(tmp), _UU("CM_ST_USE_ENCRYPT_TRUE"), s->CipherName);
 			}
--- a/src/Cedar/Connection.c
+++ b/src/Cedar/Connection.c
@ -28,6 +28,7 @@
 #include "Mayaqua/Object.h"
 #include "Mayaqua/Pack.h"
 #include "Mayaqua/Str.h"
+#include "Mayaqua/Table.h"
 #include "Mayaqua/Tick64.h"

 #include <stdlib.h>
@ -3047,11 +3048,16 @@ void ConnectionAccept(CONNECTION *c)

 	// Start the SSL communication
 	Copy(&s->SslAcceptSettings, &c->Cedar->SslAcceptSettings, sizeof(SSL_ACCEPT_SETTINGS));
-	if (StartSSLEx2(s, x, k, chain, 0, NULL) == false)
+	UINT ssl_err = 0;
+	if (StartSSLEx3(s, x, k, chain, 0, NULL, NULL, &ssl_err) == false)
 	{
 		// Failed
 		AddNoSsl(c->Cedar, &s->RemoteIP);
 		Debug("ConnectionAccept(): StartSSL() failed\n");
+		if (ssl_err != 0)
+		{
+			SLog(c->Cedar, "LS_SSL_START_ERROR", c->Name, GetUniErrorStr(ssl_err), ssl_err);
+		}
 		FreeX(x);
 		FreeK(k);
 		FreeXList(chain);
@ -3063,7 +3069,7 @@ void ConnectionAccept(CONNECTION *c)
 	FreeK(k);
 	FreeXList(chain);

-	SLog(c->Cedar, "LS_SSL_START", c->Name, s->CipherName);
+	SLog(c->Cedar, "LS_SSL_START", c->Name, s->SslVersion, s->CipherName);

 	Copy(c->CToken_Hash, ctoken_hash, SHA1_SIZE);

@ -3399,6 +3405,11 @@ void CleanupConnection(CONNECTION *c)
 		Free(c->CipherName);
 	}

+	if (c->SslVersion != NULL)
+	{
+		Free(c->SslVersion);
+	}
+
 	Free(c);
 }

--- a/src/Cedar/Connection.h
+++ b/src/Cedar/Connection.h
@ -223,6 +223,7 @@ struct CONNECTION
 	X *ServerX;						// Server certificate
 	X *ClientX;						// Client certificate
 	char *CipherName;				// Encryption algorithm name
+	char *SslVersion;				// SSL protocol version
 	UINT64 ConnectedTick;			// Time it is connected
 	IP ClientIp;					// Client IP address
 	char ClientHostname[MAX_HOST_NAME_LEN + 1];	// Client host name
--- a/src/Cedar/Protocol.c
+++ b/src/Cedar/Protocol.c
@ -1573,6 +1573,12 @@ bool ServerAccept(CONNECTION *c)

 				c->CipherName = NULL;

+				if (c->SslVersion != NULL)
+				{
+					Free(c->SslVersion);
+				}
+				c->SslVersion = NULL;
+
 				if (IsEmptyStr(tmp) == false)
 				{
 					c->CipherName = CopyStr(tmp);
@ -1592,11 +1598,22 @@ bool ServerAccept(CONNECTION *c)
 				}
 				c->CipherName = NULL;

+				if (c->SslVersion != NULL)
+				{
+					Free(c->SslVersion);
+				}
+				c->SslVersion = NULL;
+
 				if (c->FirstSock != NULL && IsEmptyStr(c->FirstSock->CipherName) == false)
 				{
 					c->CipherName = CopyStr(c->FirstSock->CipherName);
 				}

+				if (c->FirstSock != NULL && IsEmptyStr(c->FirstSock->SslVersion) == false)
+				{
+					c->SslVersion = CopyStr(c->FirstSock->SslVersion);
+				}
+
 				Format(radius_login_opt.In_VpnProtocolState, sizeof(radius_login_opt.In_VpnProtocolState),
 					"L%u:%s", IPC_LAYER_2, "SEVPN");
 			}
@ -4975,6 +4992,13 @@ REDIRECTED:
 		}

 		c->CipherName = CopyStr(c->FirstSock->CipherName);
+
+		if (c->SslVersion != NULL)
+		{
+			Free(c->SslVersion);
+		}
+
+		c->SslVersion = CopyStr(c->FirstSock->SslVersion);
 	}
 	Unlock(c->lock);

@ -6183,6 +6207,8 @@ SOCK *ClientConnectToServer(CONNECTION *c)
 		return NULL;
 	}

+	CLog(c->Cedar->Client, "LC_SSL_CONNECTED", c->Session->ClientOption->AccountName,	s->SslVersion, s->CipherName);
+
 	return s;
 }