From dc2f797c61b0747c9446e1b8c0f95b13d50125a7 Mon Sep 17 00:00:00 2001
From: Heikki Hannikainen
Date: Tue, 25 Oct 2022 01:35:02 +0300
Subject: [PATCH] tls: Rename SSL to TLS in log messages
---
 src/accept.c | 12 ++++++------
 src/config.c | 2 +-
 src/login.c | 4 ++--
 src/tls.c | 18 +++++++++---------
 src/uplink.c | 24 ++++++++++++------------
 src/worker.c | 6 +++---
 6 files changed, 33 insertions(+), 33 deletions(-)
diff --git a/src/accept.c b/src/accept.c
index c2085ec..6519d30 100644
--- a/src/accept.c
+++ b/src/accept.c
@@ -328,19 +328,19 @@ static int open_listener(struct listen_config_t *lc)
 hlog(LOG_DEBUG, "... ok, bound");
- /* Set up an SSL context if necessary */
+ /* Set up a TLS context if necessary */
 #ifdef USE_SSL
 if (lc->keyfile && lc->certfile) {
 l->ssl = ssl_alloc();
 if (ssl_create(l->ssl, (void *)l)) {
- hlog(LOG_ERR, "Failed to create SSL context for '%s*': %s", lc->name, l->addr_s);
+ hlog(LOG_ERR, "Failed to create TLS context for '%s*': %s", lc->name, l->addr_s);
 listener_free(l);
 return -1;
 }
 if (ssl_certificate(l->ssl, lc->certfile, lc->keyfile)) {
- hlog(LOG_ERR, "Failed to load SSL key and certificates for '%s*': %s", lc->name, l->addr_s);
+ hlog(LOG_ERR, "Failed to load TLS key and certificates for '%s*': %s", lc->name, l->addr_s);
 listener_free(l);
 return -1;
 }
@@ -348,13 +348,13 @@ static int open_listener(struct listen_config_t *lc)
 /* optional client cert validation */
 if (lc->cafile) {
 if (ssl_ca_certificate(l->ssl, lc->cafile, 2)) {
- hlog(LOG_ERR, "Failed to load trusted SSL CA certificates for '%s*': %s", lc->name, l->addr_s);
+ hlog(LOG_ERR, "Failed to load trusted TLS CA certificates for '%s*': %s", lc->name, l->addr_s);
 listener_free(l);
 return -1;
 }
 }
- hlog(LOG_INFO, "SSL initialized for '%s': %s%s", lc->name, l->addr_s, (lc->cafile) ? " (client validation enabled)" : "");
+ hlog(LOG_INFO, "TLS initialized for '%s': %s%s", lc->name, l->addr_s, (lc->cafile) ? " (client validation enabled)" : "");
 }
 #endif
@@ -1311,7 +1311,7 @@ static int accept_liveupgrade_single(cJSON *client, int *rxerr_map, int rxerr_ma
 /* Add the client to the client list. */
 int old_fd = clientlist_add(c);
 if (c->validated && old_fd != -1) {
- /* TODO: If old connection is SSL validated, and this one is not, do not disconnect it. */
+ /* TODO: If old connection is TLS validated, and this one is not, do not disconnect it. */
 hlog(LOG_INFO, "fd %d: Disconnecting duplicate validated client with username '%s'", old_fd, c->username);
 shutdown(old_fd, SHUT_RDWR);
 }
diff --git a/src/config.c b/src/config.c
index f5e7a06..13260e2 100644
--- a/src/config.c
+++ b/src/config.c
@@ -1100,7 +1100,7 @@ int do_listen(struct listen_config_t **lq, int argc, char **argv)
 /* SSL requires both a cert and a key */
 if ((l->certfile && !l->keyfile) || (l->keyfile && !l->certfile)) {
- hlog(LOG_ERR, "Listen: Only one of sslkey and sslcert defined for '%' - both needed for SSL", argv[1]);
+ hlog(LOG_ERR, "Listen: Only one of tlskey and tlscert defined for '%' - both needed for TLS", argv[1]);
 free_listen_config(&l);
 return -2;
 }
diff --git a/src/login.c b/src/login.c
index a7fc016..13e8d9e 100644
--- a/src/login.c
+++ b/src/login.c
@@ -205,7 +205,7 @@ int login_setup_udp_feed(struct client_t *c, int port)
 #ifdef USE_SSL
 static int login_client_validate_cert(struct worker_t *self, struct client_t *c)
 {
- hlog(LOG_DEBUG, "%s/%s: login: doing SSL client cert validation", c->addr_rem, c->username);
+ hlog(LOG_DEBUG, "%s/%s: login: doing TLS client cert validation", c->addr_rem, c->username);
 int ssl_res = ssl_validate_peer_cert_phase1(c);
 if (ssl_res == 0)
 ssl_res = ssl_validate_peer_cert_phase2(c);
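Review bot: The new line in the `do_listen` hunk of src/config.c keeps a broken format string: `'%'` followed by ` - both` is a bare `%` with no valid conversion specifier, so `argv[1]` is never consumed and the call is undefined behaviour for a printf-style logger; it should read `hlog(LOG_ERR, "Listen: Only one of tlskey and tlscert defined for '%s' - both needed for TLS", argv[1]);`. The message also now names `tlskey` and `tlscert`; if the listen directive parser (not part of this patch) still accepts only `sslkey`/`sslcert`, the text points operators at keywords that do not exist, so confirm against the keyword table or keep the old names until the directives are renamed too. The same keyword question applies to the `make_uplink` hunk in src/uplink.c. If `hlog` carries a printf format attribute, `-Wformat` would have flagged the `'%'`.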
@@ -215,7 +215,7 @@ static int login_client_validate_cert(struct worker_t *self, struct client_t *c)
 return 1;
 }
- hlog(LOG_WARNING, "%s/%s: SSL client cert validation failed: %s", c->addr_rem, c->username, ssl_strerror(ssl_res));
+ hlog(LOG_WARNING, "%s/%s: TLS client cert validation failed: %s", c->addr_rem, c->username, ssl_strerror(ssl_res));
 int rc;
 if (ssl_res == SSL_VALIDATE_CLIENT_CERT_UNVERIFIED)
 rc = client_printf(self, c, "# Client certificate not accepted: %s\r\n", X509_verify_cert_error_string(c->ssl_con->ssl_err_code));
diff --git a/src/tls.c b/src/tls.c
index c80afa4..95f06d9 100644
--- a/src/tls.c
+++ b/src/tls.c
@@ -261,14 +261,14 @@ static void ssl_info_callback(SSL *ssl, int where, int ret)
 }
 if (where & SSL_CB_HANDSHAKE_START) {
- hlog(LOG_INFO, "%s/%d: SSL handshake start", c->addr_rem, c->fd);
+ hlog(LOG_INFO, "%s/%d: TLS handshake start", c->addr_rem, c->fd);
 if (ssl_conn->handshaked) {
 ssl_conn->renegotiation = 1;
 }
 }
 if (where & SSL_CB_HANDSHAKE_DONE) {
- hlog(LOG_INFO, "%s/%d: SSL handshake done", c->addr_rem, c->fd);
+ hlog(LOG_INFO, "%s/%d: TLS handshake done", c->addr_rem, c->fd);
 }
 }
@@ -450,20 +450,20 @@ int ssl_create(struct ssl_t *ssl, void *data)
 int ssl_certificate(struct ssl_t *ssl, const char *certfile, const char *keyfile)
 {
 if (SSL_CTX_use_certificate_chain_file(ssl->ctx, certfile) == 0) {
- hlog(LOG_ERR, "Error while loading SSL certificate chain file \"%s\"", certfile);
+ hlog(LOG_ERR, "Error while loading TLS certificate chain file \"%s\"", certfile);
 ssl_error(LOG_ERR, "SSL_CTX_use_certificate_chain_file");
 return -1;
 }
 if (SSL_CTX_use_PrivateKey_file(ssl->ctx, keyfile, SSL_FILETYPE_PEM) == 0) {
- hlog(LOG_ERR, "Error while loading SSL private key file \"%s\"", keyfile);
+ hlog(LOG_ERR, "Error while loading TLS private key file \"%s\"", keyfile);
 ssl_error(LOG_ERR, "SSL_CTX_use_PrivateKey_file");
 return -1;
 }
 if (!SSL_CTX_check_private_key(ssl->ctx)) {
- hlog(LOG_ERR, "SSL private key (%s) does not work with this certificate (%s)", keyfile, certfile);
+ hlog(LOG_ERR, "TLS private key (%s) does not work with this certificate (%s)", keyfile, certfile);
 ssl_error(LOG_ERR, "SSL_CTX_check_private_key");
 return -1;
 }
@@ -644,7 +644,7 @@ int ssl_validate_peer_cert_phase1(struct client_t *c)
 if (rc != X509_V_OK) {
 /* client gave a certificate, but it's not valid */
- hlog(LOG_DEBUG, "%s/%s: Peer SSL certificate verification error %d: %s",
+ hlog(LOG_DEBUG, "%s/%s: Peer TLS certificate verification error %d: %s",
 c->addr_rem, c->username, rc, X509_verify_cert_error_string(rc));
 c->ssl_con->ssl_err_code = rc;
 return SSL_VALIDATE_CLIENT_CERT_UNVERIFIED;
@@ -740,7 +740,7 @@ int ssl_validate_peer_cert_phase2(struct client_t *c)
 issuer = iname ? X509_NAME_oneline(iname, NULL, 0) : "(none)";
 ret = 0;
- hlog(LOG_INFO, "%s/%s: Peer validated using SSL certificate: subject '%s' callsign '%s' CN '%s' issuer '%s'",
+ hlog(LOG_INFO, "%s/%s: Peer validated using TLS certificate: subject '%s' callsign '%s' CN '%s' issuer '%s'",
 c->addr_rem, c->username, subject, subj_call, (subj_cn) ? subj_cn : "(none)", issuer);
 /* store copies of cert subject and issuer */
@@ -901,7 +901,7 @@ int ssl_readable(struct worker_t *self, struct client_t *c)
 }
 if (sslerr == SSL_ERROR_WANT_WRITE) {
- hlog(LOG_INFO, "ssl_readable fd %d: SSL_read wants to write (peer starts SSL renegotiation?), calling ssl_write", c->fd);
+ hlog(LOG_INFO, "ssl_readable fd %d: SSL_read wants to write (peer starts TLS renegotiation?), calling ssl_write", c->fd);
 return ssl_write(self, c);
 }
@@ -909,7 +909,7 @@ int ssl_readable(struct worker_t *self, struct client_t *c)
 c->ssl_con->no_send_shutdown = 1;
 if (sslerr == SSL_ERROR_ZERO_RETURN || ERR_peek_error() == 0) {
- hlog(LOG_DEBUG, "ssl_readable fd %d: peer shutdown SSL cleanly", c->fd);
+ hlog(LOG_DEBUG, "ssl_readable fd %d: peer shutdown TLS cleanly", c->fd);
 client_close(self, c, CLIERR_EOF);
 return -1;
 }
diff --git a/src/uplink.c b/src/uplink.c
index f45008d..781beee 100644
--- a/src/uplink.c
+++ b/src/uplink.c
@@ -262,11 +262,11 @@ int uplink_logresp_handler(struct worker_t *self, struct client_t *c, int l4prot
 /* check the server name against certificate */
 #ifdef USE_SSL
 if (c->ssl_con && c->ssl_con->validate) {
- hlog(LOG_DEBUG, "%s/%s: Uplink: Validating SSL server cert subject", c->addr_rem, c->username);
+ hlog(LOG_DEBUG, "%s/%s: Uplink: Validating TLS server cert subject", c->addr_rem, c->username);
 int ssl_res = ssl_validate_peer_cert_phase2(c);
 if (ssl_res != 0) {
- hlog(LOG_WARNING, "%s/%s: SSL server cert validation failed: %s", c->addr_rem, c->username, ssl_strerror(ssl_res));
+ hlog(LOG_WARNING, "%s/%s: TLS server cert validation failed: %s", c->addr_rem, c->username, ssl_strerror(ssl_res));
 client_close(self, c, CLIERR_UPLINK_PEER_CERT_FAIL);
 return 0;
 }
@@ -301,11 +301,11 @@ int uplink_login_handler(struct worker_t *self, struct client_t *c, int l4proto,
 #ifdef USE_SSL
 if (c->ssl_con && c->ssl_con->validate) {
- hlog(LOG_DEBUG, "%s/%s: Uplink: Validating SSL server cert against CA", c->addr_rem, c->username);
+ hlog(LOG_DEBUG, "%s/%s: Uplink: Validating TLS server cert against CA", c->addr_rem, c->username);
 int ssl_res = ssl_validate_peer_cert_phase1(c);
 if (ssl_res != 0) {
- hlog(LOG_WARNING, "%s/%s: SSL server cert validation failed: %s", c->addr_rem, c->username, ssl_strerror(ssl_res));
+ hlog(LOG_WARNING, "%s/%s: TLS server cert validation failed: %s", c->addr_rem, c->username, ssl_strerror(ssl_res));
 client_close(self, c, CLIERR_UPLINK_PEER_CERT_FAIL);
 return 0;
 }
@@ -351,14 +351,14 @@ int config_uplink_ssl_setup(struct uplink_config_t *l)
 l->ssl = ssl_alloc();
 if (ssl_create(l->ssl, (void *)l)) {
- hlog(LOG_ERR, "Uplink: Failed to create SSL context for '%s*'", l->name);
+ hlog(LOG_ERR, "Uplink: Failed to create TLS context for '%s*'", l->name);
 return -1;
 }
 /* optional client cert for server-side validation */
 if (l->certfile && l->keyfile) {
 if (ssl_certificate(l->ssl, l->certfile, l->keyfile)) {
- hlog(LOG_ERR, "Uplink '%s': Failed to load SSL certificatess", l->name);
+ hlog(LOG_ERR, "Uplink '%s': Failed to load TLS certificatess", l->name);
 ssl_free(l->ssl);
 l->ssl = NULL;
 return -1;
@@ -368,14 +368,14 @@ int config_uplink_ssl_setup(struct uplink_config_t *l)
 /* optional server cert validation */
 if (l->cafile) {
 if (ssl_ca_certificate(l->ssl, l->cafile, 2)) {
- hlog(LOG_ERR, "Uplink '%s': Failed to load trusted SSL CA certificates", l->name);
+ hlog(LOG_ERR, "Uplink '%s': Failed to load trusted TLS CA certificates", l->name);
 ssl_free(l->ssl);
 l->ssl = NULL;
 return -1;
 }
 }
- hlog(LOG_INFO, "Uplink %s: SSL initialized%s%s",
+ hlog(LOG_INFO, "Uplink %s: TLS initialized%s%s",
 l->name, (l->cafile) ? ", server validated" : "", (l->certfile) ? ", client cert loaded" : "");
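Review bot: The reworded message in the `ssl_certificate` failure branch of `config_uplink_ssl_setup` carries the typo `certificatess` over from the old line; since the line is being rewritten anyway, make it `hlog(LOG_ERR, "Uplink '%s': Failed to load TLS certificates", l->name);`. The enclosing function continues past the end of this hunk.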
@@ -412,15 +412,15 @@ int make_uplink(struct uplink_config_t *l)
 #ifdef USE_SSL
 /* SSL requires both a cert and a key, or none at all */
 if ((l->certfile && !l->keyfile) || (l->keyfile && !l->certfile)) {
- hlog(LOG_ERR, "Uplink %s: Only one of sslkey and sslcert defined - both needed for SSL authentication", l->name);
+ hlog(LOG_ERR, "Uplink %s: Only one of tlskey and tlscert defined - both needed for TLS authentication", l->name);
 return -2;
 }
- /* todo: allow triggering SSL without client auth */
+ /* todo: allow triggering TLS without client auth */
 if (l->keyfile && l->certfile) {
 if (!l->ssl) {
 if (config_uplink_ssl_setup(l)) {
- hlog(LOG_ERR, "Uplink '%s': SSL setup failed", l->name);
+ hlog(LOG_ERR, "Uplink '%s': TLS setup failed", l->name);
 return -2;
 }
 }
@@ -667,7 +667,7 @@ connerr:
 l->state = UPLINK_ST_CONNECTED;
- /* set up SSL if necessary */
+ /* set up TLS if necessary */
 #ifdef USE_SSL
 if (l->ssl) {
 if (ssl_create_connection(l->ssl, c, 1))
diff --git a/src/worker.c b/src/worker.c
index 354c9c8..7fc6fe7 100644
--- a/src/worker.c
+++ b/src/worker.c
@@ -1561,7 +1561,7 @@ static void collect_new_clients(struct worker_t *self)
 #endif
 #ifdef USE_SSL
 if (c->ssl_con) {
- hlog(LOG_DEBUG, "collect_new_clients(worker %d): fd %d uses SSL", self->id, c->fd);
+ hlog(LOG_DEBUG, "collect_new_clients(worker %d): fd %d uses TLS", self->id, c->fd);
 c->handler_client_readable = &ssl_readable;
 c->handler_client_writable = &ssl_writable;
 c->write = &ssl_client_write;
@@ -1825,12 +1825,12 @@ void worker_thread(struct worker_t *self)
 if (self->shutting_down == 2) {
 /* live upgrade: must free all UDP client structs - we need to close the UDP listener fd. */
- /* Must also disconnect all SSL clients - the SSL crypto state cannot be moved over. */
+ /* Must also disconnect all TLS clients - the TLS crypto state cannot be moved over. */
 struct client_t *c, *next;
 for (c = self->clients; (c); c = next) {
 next = c->next;
 #ifdef USE_SSL
- /* SSL client? */
+ /* TLS client? */
 if (c->ssl_con) {
 client_close(self, c, CLIOK_THREAD_SHUTDOWN);
 continue;