Re: OpenSSL connection setup debug callback issue
Michael Paquier <michael@paquier.xyz>
From: Michael Paquier <michael@paquier.xyz>
To: Daniel Gustafsson <daniel@yesql.se>
Cc: Postgres hackers <pgsql-hackers@lists.postgresql.org>
Date: 2021-01-21T08:01:15Z
Lists: pgsql-hackers
On Thu, Dec 10, 2020 at 02:43:33PM +0100, Daniel Gustafsson wrote: > I went looking at the SSL connection state change information callback we > install when setting up connections with OpenSSL, and I wasn't getting the > state changes I expected. Turns out we install it at the tail end of setting > up the connection so we miss most of the calls. Moving it to the beginning of > be_tls_open_server allows us to catch the handshake etc. I also extended it by > printing the human readable state change message available from OpenSSL to make > the logs more detailed (SSL_state_string_long has existed since 0.9.8). Looking at the docs, SSL_state_string_long() is better than just SSL_state_string(), so that sounds right: https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_info_callback.html https://www.openssl.org/docs/manmaster/man3/SSL_state_string.html https://www.openssl.org/docs/manmaster/man3/SSL_state_string_long.html This is interesting for debugging, +1 for applying what you have here, and this works for 1.0.1~3.0.0. Worth noting that this returns a static string, as per ssl_stat.c. -- Michael
Commits
-
Move SSL information callback earlier to capture more information
- af0e79c8f4f4 14.0 landed