cherokee / webserver

Cherokee Web Server
GNU General Public License v2.0

Trace Function Ignores SSL/TLS Protocol Configuration #1252

Open rdratlos opened 3 years ago

rdratlos commented 3 years ago

OpenSSL silently discards invalid ciphers that are provided within the configured cipher set list. The actually available SSL/TLS protocols and TLS v1.3 ciphersuites for a virtual server are important information for system administrators in case Cherokee is not accepting HTTPS connections.

Without this information it is extremely difficult to investigate the root cause of encrypted web traffic issues in the network.

Current trace output is as follows:

  cryptor_libssl.c:0764 (                  _vserver_new): Ignoring libssl error: error:25066067:DSO support routines:dlfcn_load:could not load the shared library
  cryptor_libssl.c:0764 (                  _vserver_new): Ignoring libssl error: error:25070067:DSO support routines:DSO_load:could not load the shared library
  cryptor_libssl.c:0764 (                  _vserver_new): Ignoring libssl error: error:260B6084:engine routines:dynamic_load:dso not found
  cryptor_libssl.c:0764 (                  _vserver_new): Ignoring libssl error: error:2606A074:engine routines:ENGINE_by_id:no such engine
  cryptor_libssl.c:0898 (                  _vserver_new): Vserver 'default'. Reading certificate file '/etc/ssl/cherokee/webcert-srv.pem'
  cryptor_libssl.c:0911 (                  _vserver_new): Vserver 'default'. Reading key file '/etc/ssl/private/webkey-srv.pem'

skinkie commented 3 years ago

Given that TRACE brings you live information per incoming connection, what information would you like to receive about a connection only when debugging?

rdratlos commented 3 years ago

Fixed trace output is as follows:

  cryptor_libssl.c:1934 (   cherokee_plugin_libssl_init): Checking for pkcs11 engine ...
  cryptor_libssl.c:1937 (   cherokee_plugin_libssl_init): Ignoring libssl error: error:25066067:DSO support routines:dlfcn_load:could not load the shared library
  cryptor_libssl.c:1937 (   cherokee_plugin_libssl_init): Ignoring libssl error: error:25070067:DSO support routines:DSO_load:could not load the shared library
  cryptor_libssl.c:1937 (   cherokee_plugin_libssl_init): Ignoring libssl error: error:260B6084:engine routines:dynamic_load:dso not found
  cryptor_libssl.c:1937 (   cherokee_plugin_libssl_init): Ignoring libssl error: error:2606A074:engine routines:ENGINE_by_id:no such engine
  cryptor_libssl.c:1938 (   cherokee_plugin_libssl_init): pkcs11 engine is not installed
  cryptor_libssl.c:0535 (     trace_libssl_tls_settings): libssl security level for vserver default: 2 (SSLv3 and below not allowed)
  cryptor_libssl.c:0560 (     trace_libssl_tls_settings): Minimum supported TLS/SSL protocol version for vserver default: TLSv1.2 (auto-configured by libssl)
  cryptor_libssl.c:0582 (     trace_libssl_tls_settings): Maximum supported TLS/SSL protocol version for vserver default: auto-configured by libssl
  cryptor_libssl.c:0639 (     trace_libssl_tls_settings): TLS/SSL protocols switched off for vserver default: SSLv3
  cryptor_libssl.c:0886 (                  _vserver_new): Ciphers available for vserver default: TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
  cryptor_libssl.c:0898 (                  _vserver_new): Vserver 'unifi'. Reading certificate file '/etc/ssl/cherokee/webcert-srv.pem'
  cryptor_libssl.c:0911 (                  _vserver_new): Vserver 'unifi'. Reading key file '/etc/ssl/private/webkey-srv.pem'
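Added example, not Cherokee's code: an administrator who wants the same facts that the fixed trace above prints (security level, minimum and maximum protocol version, the ciphersuites libssl will actually offer) can pull them out of libssl directly. It uses Python's ssl module, which wraps the same libssl calls (set_ciphers() is SSL_CTX_set_cipher_list(), get_ciphers() is SSL_get_ciphers()), so it also reproduces the silent discard described in the first comment. The cipher list and the invalid name in it are constructed for this example.

```python
import ssl

# Constructed cipher list for this example: two valid TLS 1.2 suites and one
# name that does not exist. libssl keeps the valid entries and drops the
# unknown one without reporting an error.
REQUESTED_CIPHERS = (
    "ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:"
    "NOT-A-REAL-CIPHER"
)


def build_server_context(cipher_list=REQUESTED_CIPHERS):
    """Create a server-side context and apply the cipher list.

    set_ciphers() wraps SSL_CTX_set_cipher_list(), which fails only when no
    entry at all is usable; a list with at least one valid entry is accepted.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_list)
    return ctx


def cipher_list_is_usable(cipher_list):
    """True if libssl accepts the list (at least one valid entry)."""
    try:
        build_server_context(cipher_list)
    except ssl.SSLError:  # Python reports "No cipher can be selected."
        return False
    return True


def _version_label(version):
    # MINIMUM_SUPPORTED / MAXIMUM_SUPPORTED mean the bound is left to libssl,
    # which the fixed Cherokee trace prints as "auto-configured by libssl".
    if version in (ssl.TLSVersion.MINIMUM_SUPPORTED,
                   ssl.TLSVersion.MAXIMUM_SUPPORTED):
        return "auto-configured by libssl"
    return version.name


def effective_tls_settings(ctx):
    """Report what libssl will actually offer for this context."""
    ciphers = ctx.get_ciphers()  # SSL_get_ciphers() on a fresh SSL object
    return {
        # security_level is exposed by Python 3.10+; None means not available
        "security_level": getattr(ctx, "security_level", None),
        "minimum_version": _version_label(ctx.minimum_version),
        "maximum_version": _version_label(ctx.maximum_version),
        "tls13_ciphersuites": [c["name"] for c in ciphers
                               if c["protocol"] == "TLSv1.3"],
        "ciphers": [c["name"] for c in ciphers
                    if c["protocol"] != "TLSv1.3"],
    }


def looks_like_suite_name(entry):
    # Heuristic: explicit suite names are hyphen-joined tokens such as
    # ECDHE-RSA-AES128-GCM-SHA256. Keywords (HIGH, kECDHE, !aNULL, @STRENGTH)
    # and operator-prefixed entries expand to groups and are not single suites.
    return "-" in entry and entry[0] not in "!-+@"


def dropped_cipher_names(requested, ctx):
    """Explicit suite names from the request that libssl did not keep."""
    available = {c["name"] for c in ctx.get_ciphers()}
    return [name for name in requested.split(":")
            if looks_like_suite_name(name) and name not in available]


if __name__ == "__main__":
    context = build_server_context()
    for key, value in effective_tls_settings(context).items():
        print(f"{key}: {value}")
    print("dropped:", dropped_cipher_names(REQUESTED_CIPHERS, context))
```

Running the block prints the effective settings and lists NOT-A-REAL-CIPHER as dropped, while the context itself was created without any error; that gap between what was configured and what libssl will negotiate is exactly what the trace output in this issue is meant to make visible. dropped_cipher_names() only checks entries that are explicit suite names; OpenSSL keywords such as HIGH expand to many suites and cannot be compared one-to-one.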