Log SSL alerts received on the server.

Summary: Alerts may be sent by clients, potentially letting us know why connections fail.

Reviewed By: siyengar

Differential Revision: D3117395

fb-gh-sync-id: bddf51f2399eb9e7e397981d5440adb3e815d6d2
fbshipit-source-id: bddf51f2399eb9e7e397981d5440adb3e815d6d2

diff --git a/folly/io/async/AsyncSSLSocket.cpp b/folly/io/async/AsyncSSLSocket.cpp
index ad282a2ed49c7fcc6de934e3e467da7a2c722198..7dc76a7f42284bfe911b9aa999a5fb196499c224 100644 (file)
--- a/folly/io/async/AsyncSSLSocket.cpp
+++ b/folly/io/async/AsyncSSLSocket.cpp
@@ -1586,11 +1586,19 @@ int AsyncSSLSocket::eorAwareSSLWrite(SSL *ssl, const void *buf, int n,
   return n;
 }
 
-void AsyncSSLSocket::sslInfoCallback(const SSL* ssl, int where, int /* ret */) {
+void AsyncSSLSocket::sslInfoCallback(const SSL* ssl, int where, int ret) {
   AsyncSSLSocket *sslSocket = AsyncSSLSocket::getFromSSL(ssl);
   if (sslSocket->handshakeComplete_ && (where & SSL_CB_HANDSHAKE_START)) {
     sslSocket->renegotiateAttempted_ = true;
   }
+  if (where & SSL_CB_READ_ALERT) {
+    const char* type = SSL_alert_type_string(ret);
+    if (type) {
+      const char* desc = SSL_alert_desc_string(ret);
+      sslSocket->alertsReceived_.emplace_back(
+          *type, StringPiece(desc, std::strlen(desc)));
+    }
+  }
 }
 
 int AsyncSSLSocket::eorAwareBioWrite(BIO *b, const char *in, int inl) {

diff --git a/folly/io/async/AsyncSSLSocket.h b/folly/io/async/AsyncSSLSocket.h
index a95270464378250bf959c057126ecd2697dd573c..1bb3fc170b79a8028839d5705dd2911018d1b8cd 100644 (file)
--- a/folly/io/async/AsyncSSLSocket.h
+++ b/folly/io/async/AsyncSSLSocket.h
@@ -625,6 +625,19 @@ class AsyncSSLSocket : public virtual AsyncSocket {
     return sigAlgs;
   }
 
+  std::string getSSLAlertsReceived() const {
+    std::string ret;
+
+    for (const auto& alert : alertsReceived_) {
+      if (!ret.empty()) {
+        ret.append(",");
+      }
+      ret.append(folly::to<std::string>(alert.first, ": ", alert.second));
+    }
+
+    return ret;
+  }
+
   /**
    * Get the list of shared ciphers between the server and the client.
    * Works well for only SSLv2, not so good for SSLv3 or TLSv1.
@@ -842,6 +855,7 @@ class AsyncSSLSocket : public virtual AsyncSocket {
   bool cacheAddrOnFailure_{false};
   bool bufferMovableEnabled_{false};
   std::unique_ptr<ssl::ClientHelloInfo> clientHelloInfo_;
+  std::vector<std::pair<char, StringPiece>> alertsReceived_;
 
   // Time taken to complete the ssl handshake.
   std::chrono::steady_clock::time_point handshakeStartTime_;