Add more logging for failed SSL handshake

2025-08-20 22:34:21 +02:00 · 2019-07-29 11:19:11 +03:00 · 2019-07-29 11:19:11 +03:00 · 9bd9a67e93
commit 9bd9a67e93
parent 1e04bff9b2
2 changed files with 34 additions and 6 deletions
--- a/apps/epp_proxy/src/epp_tls_worker.erl
+++ b/apps/epp_proxy/src/epp_tls_worker.erl
@ -43,9 +43,16 @@ start_link(Socket) ->
 %% If certificate is revoked, this will fail right away here.
 %% mod_epp does exactly the same thing.
 handle_cast(serve, State = #state{socket = Socket}) ->
-    {ok, SecureSocket} = ssl:handshake(Socket),
+    {ok, {PeerIp, _PeerPort}} = ssl:peername(Socket),
+
+    case ssl:handshake(Socket) of
+	{ok, SecureSocket} ->
 	    NewState = state_from_socket(SecureSocket, State),
 	    {noreply, NewState};
+	{error, Error} ->
+	    log_on_invalid_handshake(PeerIp, Error)
+    end;
+
 %% Step two: Using the state of the connection, get the hello route
 %% from http server.  Send the response from HTTP server back to EPP
 %% client.  When this succeeds, send "process_command" to self and
@ -160,6 +167,12 @@ log_on_timeout(State) ->
    lager:info("Client timed out: [~p]~n", [State]),
    exit(normal).

+log_on_invalid_handshake(Ip, Error) ->
+    ReadableIp = epp_util:readable_ip(Ip),
+    lager:info("Failed SSL handshake. IP: ~s, Error: [~p]~n",
+	       [ReadableIp, Error]),
+    exit(normal).
+
 %% Extract state info from socket. Fail if you must.
 state_from_socket(Socket, State) ->
    {ok, PeerCert} = ssl:peercert(Socket),
--- a/apps/epp_proxy/test/tls_client_SUITE.erl
+++ b/apps/epp_proxy/test/tls_client_SUITE.erl
@ -11,7 +11,8 @@
         valid_command_test_case/1,
         long_message_test_case/1,
         invalid_command_test_case/1,
-         error_test_case/1]).
+         error_test_case/1,
+         revoked_cert_test_case/1]).

 all() ->
    [frame_size_test_case,
@ -20,7 +21,8 @@ all() ->
     valid_command_test_case,
     long_message_test_case,
     invalid_command_test_case,
-     error_test_case].
+     error_test_case,
+     revoked_cert_test_case].

 init_per_suite(Config) ->
    application:ensure_all_started(epp_proxy),
@ -30,7 +32,11 @@ init_per_suite(Config) ->
               {certfile, filename:join(CWD, "test_ca/certs/client.crt.pem")},
 	       {keyfile, filename:join(CWD, "test_ca/private/client.key.pem")},
               {active, false}],
-    [{ssl_options, Options} | Config].
+    RevokedOptions = [binary,
+               {certfile, filename:join(CWD, "test_ca/certs/revoked.crt.pem")},
+	       {keyfile, filename:join(CWD, "test_ca/private/revoked.key.pem")},
+               {active, false}],
+    [{ssl_options, Options}, {revoked_options, RevokedOptions} | Config].

 end_per_suite(Config) ->
    application:stop(epp_proxy),
@ -170,6 +176,15 @@ error_test_case(Config) ->
               "Command syntax error."),
    ok.

+revoked_cert_test_case(Config) ->
+    Options = proplists:get_value(revoked_options, Config),
+    {error, Error} = ssl:connect("localhost", 1443, Options, 2000),
+    ct:pal("~p", [Error]),
+    {tls_alert,
+     {certificate_revoked,
+      "received CLIENT ALERT: Fatal - Certificate Revoked"}} = Error,
+    ok.
+
 %% Helper functions:
 length_of_data(Data) ->
    EPPEnvelope = binary:part(Data, {0, 4}),