if we're a server and some peer has a broken tls certificate, don't

shout about it unless we want to hear about protocol violations.


svn:r6507

3 files changed, 17 insertions, 12 deletions

diff --git a/src/common/tortls.c b/src/common/tortls.c
index a20414267..4c3108ad8 100644
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@ -648,7 +648,8 @@ tor_tls_peer_has_cert(tor_tls_t *tls)
  * NUL-terminate.  Return 0 on success, -1 on failure.
  */
 int
-tor_tls_get_peer_cert_nickname(tor_tls_t *tls, char *buf, size_t buflen)
+tor_tls_get_peer_cert_nickname(int severity, tor_tls_t *tls,
+                               char *buf, size_t buflen)
 {
   X509 *cert = NULL;
   X509_NAME *name = NULL;
@@ -657,11 +658,11 @@ tor_tls_get_peer_cert_nickname(tor_tls_t *tls, char *buf, size_t buflen)
   int r = -1;
 
   if (!(cert = SSL_get_peer_certificate(tls->ssl))) {
-    log_warn(LD_PROTOCOL, "Peer has no certificate");
+    log_fn(severity, LD_PROTOCOL, "Peer has no certificate");
     goto error;
   }
   if (!(name = X509_get_subject_name(cert))) {
-    log_warn(LD_PROTOCOL, "Peer certificate has no subject name");
+    log_fn(severity, LD_PROTOCOL, "Peer certificate has no subject name");
     goto error;
   }
   if ((nid = OBJ_txt2nid("commonName")) == NID_undef)
@@ -671,12 +672,13 @@ tor_tls_get_peer_cert_nickname(tor_tls_t *tls, char *buf, size_t buflen)
   if (lenout == -1)
     goto error;
   if (((int)strspn(buf, LEGAL_NICKNAME_CHARACTERS)) < lenout) {
-    log_warn(LD_PROTOCOL,
-             "Peer certificate nickname %s has illegal characters.",
-             escaped(buf));
+    log_fn(severity, LD_PROTOCOL,
+           "Peer certificate nickname %s has illegal characters.",
+           escaped(buf));
     if (strchr(buf, '.'))
-      log_warn(LD_PROTOCOL, "  (Maybe it is not really running Tor at its "
-               "advertised OR port.)");
+      log_fn(severity, LD_PROTOCOL,
+             "  (Maybe it is not really running Tor at its "
+             "advertised OR port.)");
     goto error;
   }
 
@@ -686,7 +688,7 @@ tor_tls_get_peer_cert_nickname(tor_tls_t *tls, char *buf, size_t buflen)
   if (cert)
     X509_free(cert);
 
-  tls_log_errors(LOG_WARN, "getting peer certificate nickname");
+  tls_log_errors(severity, "getting peer certificate nickname");
   return r;
 }
 
diff --git a/src/common/tortls.h b/src/common/tortls.h
index 9add9c7ce..82a64cb97 100644
--- a/src/common/tortls.h
+++ b/src/common/tortls.h
@@ -32,7 +32,8 @@ tor_tls_t *tor_tls_new(int sock, int is_server, int use_no_cert);
 int tor_tls_is_server(tor_tls_t *tls);
 void tor_tls_free(tor_tls_t *tls);
 int tor_tls_peer_has_cert(tor_tls_t *tls);
-int tor_tls_get_peer_cert_nickname(tor_tls_t *tls, char *buf, size_t buflen);
+int tor_tls_get_peer_cert_nickname(int severity, tor_tls_t *tls,
+                                   char *buf, size_t buflen);
 int tor_tls_verify(int severity, tor_tls_t *tls, crypto_pk_env_t **identity);
 int tor_tls_check_lifetime(tor_tls_t *tls, int tolerance);
 int tor_tls_read(tor_tls_t *tls, char *cp, size_t len);
diff --git a/src/or/connection_or.c b/src/or/connection_or.c
index 7fd717717..946cefbb2 100644
--- a/src/or/connection_or.c
+++ b/src/or/connection_or.c
@@ -581,11 +581,13 @@ connection_or_check_valid_handshake(connection_t *conn, char *digest_rcvd)
 
   check_no_tls_errors();
   if (! tor_tls_peer_has_cert(conn->tls)) {
-    log_info(LD_PROTOCOL,"Peer didn't send a cert! Closing.");
+    log_info(LD_PROTOCOL,"Peer (%s:%d) didn't send a cert! Closing.",
+             conn->address, conn->port);
     return -1;
   }
   check_no_tls_errors();
-  if (tor_tls_get_peer_cert_nickname(conn->tls, nickname, sizeof(nickname))) {
+  if (tor_tls_get_peer_cert_nickname(severity, conn->tls, nickname,
+                                     sizeof(nickname))) {
     log_fn(severity,LD_PROTOCOL,"Other side (%s:%d) has a cert without a "
            "valid nickname. Closing.",
            conn->address, conn->port);