From 9bd9a67e938101fe3e9ee91cbf0af3960815a5e8 Mon Sep 17 00:00:00 2001
From: Maciej Szlosarczyk
Date: Mon, 29 Jul 2019 11:19:11 +0300
Subject: [PATCH] Add more logging for failed SSL handshake

---
 apps/epp_proxy/src/epp_tls_worker.erl | 19 ++++++++++++++++---
 apps/epp_proxy/test/tls_client_SUITE.erl | 21 ++++++++++++++++++---
 2 files changed, 34 insertions(+), 6 deletions(-)

diff --git a/apps/epp_proxy/src/epp_tls_worker.erl b/apps/epp_proxy/src/epp_tls_worker.erl
index d5263bb..e7d7aad 100644
--- a/apps/epp_proxy/src/epp_tls_worker.erl
+++ b/apps/epp_proxy/src/epp_tls_worker.erl
@@ -43,9 +43,16 @@ start_link(Socket) ->
 %% If certificate is revoked, this will fail right away here.
 %% mod_epp does exactly the same thing.
 handle_cast(serve, State = #state{socket = Socket}) ->
-    {ok, SecureSocket} = ssl:handshake(Socket),
-    NewState = state_from_socket(SecureSocket, State),
-    {noreply, NewState};
+    {ok, {PeerIp, _PeerPort}} = ssl:peername(Socket),
+
+    case ssl:handshake(Socket) of
+        {ok, SecureSocket} ->
+            NewState = state_from_socket(SecureSocket, State),
+            {noreply, NewState};
+        {error, Error} ->
+            log_on_invalid_handshake(PeerIp, Error)
+    end;
+
 %% Step two: Using the state of the connection, get the hello route
 %% from http server. Send the response from HTTP server back to EPP
 %% client. When this succeeds, send "process_command" to self and
@@ -160,6 +167,12 @@ log_on_timeout(State) ->
     lager:info("Client timed out: [~p]~n", [State]),
     exit(normal).
 
+log_on_invalid_handshake(Ip, Error) ->
+    ReadableIp = epp_util:readable_ip(Ip),
+    lager:info("Failed SSL handshake. IP: ~s, Error: [~p]~n",
+               [ReadableIp, Error]),
+    exit(normal).
+
 %% Extract state info from socket. Fail if you must.
 state_from_socket(Socket, State) ->
     {ok, PeerCert} = ssl:peercert(Socket),
diff --git a/apps/epp_proxy/test/tls_client_SUITE.erl b/apps/epp_proxy/test/tls_client_SUITE.erl
index 5ed1e65..a9e8eb0 100644
--- a/apps/epp_proxy/test/tls_client_SUITE.erl
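Review bot: `{ok, {PeerIp, _PeerPort}} = ssl:peername(Socket)` is asserted before the handshake runs, so a client that has already dropped the TCP connection makes this clause fail with a badmatch and a full crash report instead of ever reaching the new log line; the `{error, Error}` branch also ends without a gen_server return value, relying on `log_on_invalid_handshake/2` never returning. Consider resolving the address leniently and stopping explicitly, e.g. `PeerIp = case ssl:peername(Socket) of {ok, {Ip, _}} -> Ip; {error, _} -> unknown end,` and in the error branch `log_on_invalid_handshake(PeerIp, Error), {stop, normal, State}`, with the helper only logging. Whether `epp_util:readable_ip/1` accepts a non-address value such as `unknown` is not visible in this diff and would need checking. The other clauses of `handle_cast/2` lie outside the hunk.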
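Review bot: A handshake rejected because of a revoked or otherwise unacceptable client certificate is logged at `info` level in `log_on_invalid_handshake/2`, the same level as the client timeout above it, so a deployment that keeps lager at `notice` or `warning` will not see these events even though recording them is the point of the change; `lager:warning(...)` (or `notice`) fits better for a rejected peer. The function also terminates the calling worker as a side effect, which deserves a line of documentation, e.g. `%% Log a rejected TLS handshake with the peer address and the ssl error term, then stop this worker.`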
+++ b/apps/epp_proxy/test/tls_client_SUITE.erl
@@ -11,7 +11,8 @@
          valid_command_test_case/1,
          long_message_test_case/1,
          invalid_command_test_case/1,
-         error_test_case/1]).
+         error_test_case/1,
+         revoked_cert_test_case/1]).
 
 all() ->
     [frame_size_test_case,
@@ -20,7 +21,8 @@ all() ->
      valid_command_test_case,
      long_message_test_case,
      invalid_command_test_case,
-     error_test_case].
+     error_test_case,
+     revoked_cert_test_case].
 
 init_per_suite(Config) ->
     application:ensure_all_started(epp_proxy),
@@ -30,7 +32,11 @@ init_per_suite(Config) ->
                {certfile, filename:join(CWD, "test_ca/certs/client.crt.pem")},
                {keyfile, filename:join(CWD, "test_ca/private/client.key.pem")},
                {active, false}],
-    [{ssl_options, Options} | Config].
+    RevokedOptions = [binary,
+                      {certfile, filename:join(CWD, "test_ca/certs/revoked.crt.pem")},
+                      {keyfile, filename:join(CWD, "test_ca/private/revoked.key.pem")},
+                      {active, false}],
+    [{ssl_options, Options}, {revoked_options, RevokedOptions} | Config].
 
 end_per_suite(Config) ->
     application:stop(epp_proxy),
@@ -170,6 +176,15 @@ error_test_case(Config) ->
                  "Command syntax error."),
     ok.
 
+revoked_cert_test_case(Config) ->
+    Options = proplists:get_value(revoked_options, Config),
+    {error, Error} = ssl:connect("localhost", 1443, Options, 2000),
+    ct:pal("~p", [Error]),
+    {tls_alert,
+     {certificate_revoked,
+      "received CLIENT ALERT: Fatal - Certificate Revoked"}} = Error,
+    ok.
+
 %% Helper functions:
 length_of_data(Data) ->
     EPPEnvelope = binary:part(Data, {0, 4}),
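Review bot: In `revoked_cert_test_case/1` the match pins the human-readable description `"received CLIENT ALERT: Fatal - Certificate Revoked"` that the ssl application generates, so the test breaks on an OTP upgrade that rewords the text even though the behaviour under test, rejection of a revoked client certificate, is unchanged. Matching only the alert atom, `{tls_alert, {certificate_revoked, _}} = Error,`, asserts the part that matters; the `ct:pal` line above it already preserves the full term for diagnosis when the match fails.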