Add new debug.tls option logging any mbedTLS debug output to webserver.log

Signed-off-by: DL6ER <dl6er@dl6er.de>
2025-12-24 22:25:28 +00:00 · 2023-05-25 18:28:34 +02:00
parent f785e181f8
commit 54cf9ad1f9
10 changed files with 95 additions and 1 deletions
--- a/patch/civetweb.sh
+++ b/patch/civetweb.sh
@@ -5,5 +5,6 @@ patch -p1 < patch/civetweb/0001-add-pihole-mods.patch
 patch -p1 < patch/civetweb/0001-Add-NO_DLOPEN-option-to-civetweb-s-LUA-routines.patch
 patch -p1 < patch/civetweb/0001-Always-Kepler-syntax-for-Lua-server-pages.patch
 patch -p1 < patch/civetweb/0001-Add-FTL-URI-rewriting-changes-to-CivetWeb.patch
+patch -p1 < patch/civetweb/0001-Add-mbedTLS-debug-logging-hook.patch

 echo "ALL PATCHES APPLIED OKAY"
--- a/patch/civetweb/0001-Add-mbedTLS-debug-logging-hook.patch
+++ b/patch/civetweb/0001-Add-mbedTLS-debug-logging-hook.patch
@@ -0,0 +1,44 @@
+From f785e181f8b43fa9f77bf7dcc6711f16206c9e89 Mon Sep 17 00:00:00 2001
+From: DL6ER <dl6er@dl6er.de>
+Date: Thu, 25 May 2023 18:26:45 +0200
+Subject: [PATCH] Add mbedTLS debug logging hook
+
+Signed-off-by: DL6ER <dl6er@dl6er.de>
+---
+ src/webserver/civetweb/civetweb.h      | 4 ++++
+ src/webserver/civetweb/mod_mbedtls.inl | 4 ++++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/src/webserver/civetweb/civetweb.h b/src/webserver/civetweb/civetweb.h
+index 2ad76693..52724199 100644
+--- a/src/webserver/civetweb/civetweb.h
+++ b/src/webserver/civetweb/civetweb.h
+@@ -938,6 +938,10 @@ int my_send_http_error_headers(struct mg_connection *conn,
+ void FTL_rewrite_pattern(char *filename, size_t filename_buf_len,
+                          const char *root, const char *uri);
+ 
+#define MG_CONFIG_MBEDTLS_DEBUG 3
+void FTL_mbed_debug(void *user_param, int level, const char *file,
+                    int line, const char *message);
+
+ // Buffer used for additional "Set-Cookie" headers
+ #define PIHOLE_HEADERS_MAXLEN 1024
+ extern char pi_hole_extra_headers[PIHOLE_HEADERS_MAXLEN];
+diff --git a/src/webserver/civetweb/mod_mbedtls.inl b/src/webserver/civetweb/mod_mbedtls.inl
+index e72685f4..00b9280a 100644
+--- a/src/webserver/civetweb/mod_mbedtls.inl
+++ b/src/webserver/civetweb/mod_mbedtls.inl
+@@ -83,6 +83,10 @@ mbed_sslctx_init(SSL_CTX *ctx, const char *crt)
+ 	mbedtls_ssl_conf_dbg(conf, mbed_debug, (void *)ctx);
+ #endif
+ 
+	/****************** Pi-hole change ******************/
+	mbedtls_ssl_conf_dbg(conf, FTL_mbed_debug, NULL);
+	/****************************************************/
+
+ #ifdef MBEDTLS_SSL_PROTO_TLS1_3
+ 	psa_status_t status = psa_crypto_init();
+ 	if (status != PSA_SUCCESS) {
+-- 
+2.34.1
+
--- a/src/api/docs/content/specs/config.yaml
+++ b/src/api/docs/content/specs/config.yaml
@@ -468,6 +468,8 @@ components:
                  type: boolean
                api:
                  type: boolean
+                tls:
+                  type: boolean
                overtime:
                  type: boolean
                status:
@@ -678,6 +680,7 @@ components:
            arp: false
            regex: false
            api: false
+            tls: false
            overtime: false
            status: false
            caps: false
--- a/src/config/config.c
+++ b/src/config/config.c
@@ -1116,6 +1116,12 @@ void initConfig(struct config *conf)
 	conf->debug.api.f = FLAG_ADVANCED_SETTING;
 	conf->debug.api.d.b = false;

+	conf->debug.tls.k = "debug.tls";
+	conf->debug.tls.h = "Print extra debugging information about TLS connections. This includes the TLS version, the cipher suite, the certificate chain and much more. This very verbose output should only be used when debugging specific TLS issues and can be helpful, e.g., when a client cannot connect due to an obscure TLS error as modern browsers do not provide much information about the underlying TLS connection and most often give only very generic error messages without much/any underlying technical information.";
+	conf->debug.tls.t = CONF_BOOL;
+	conf->debug.tls.f = FLAG_ADVANCED_SETTING;
+	conf->debug.tls.d.b = false;
+
 	conf->debug.overtime.k = "debug.overtime";
 	conf->debug.overtime.h = "Print information about overTime memory operations, such as initializing or moving overTime slots.";
 	conf->debug.overtime.t = CONF_BOOL;
--- a/src/config/config.h
+++ b/src/config/config.h
@@ -269,6 +269,7 @@ struct config {
 		struct conf_item arp;
 		struct conf_item regex;
 		struct conf_item api;
+		struct conf_item tls;
 		struct conf_item overtime;
 		struct conf_item status;
 		struct conf_item caps;
--- a/src/enums.h
+++ b/src/enums.h
@@ -143,6 +143,7 @@ enum debug_flag {
 	DEBUG_ARP,
 	DEBUG_REGEX,
 	DEBUG_API,
+	DEBUG_TLS,
 	DEBUG_OVERTIME,
 	DEBUG_STATUS,
 	DEBUG_CAPS,
--- a/src/log.c
+++ b/src/log.c
@@ -195,6 +195,9 @@ void debugstr(const enum debug_flag flag, const char **name)
 		case DEBUG_API:
 			*name = "DEBUG_API";
 			return;
+		case DEBUG_TLS:
+			*name = "DEBUG_TLS";
+			return;
 		case DEBUG_OVERTIME:
 			*name = "DEBUG_OVERTIME";
 			return;
--- a/src/webserver/webserver.c
+++ b/src/webserver/webserver.c
@@ -134,6 +134,30 @@ static int log_http_access(const struct mg_connection *conn, const char *message
 	return 1;
 }

+void FTL_mbed_debug(void *user_param, int level, const char *file, int line, const char *message)
+{
+	// Only log when in TLS debugging mode
+	if(!config.debug.tls.v.b)
+		return;
+
+	(void)user_param;
+
+	// Skip initial pointer in message (like 0x7f73000279e0) if present
+	size_t len = strlen(message);
+	if(len > 0 && message[0] == '0' && message[1] == 'x')
+	{
+		message = strstr(message, ": ") + 2;
+		len = strlen(message);
+	}
+
+	// Truncate trailing newline in message if present
+	if(len > 0 && message[len - 1] == '\n')
+		len--;
+
+	// Log the message
+	log_web("mbedTLS(%s:%d, %d): %.*s", file, line, level, (int)len, message);
+}
+
 void http_init(void)
 {
 	log_web("Initializing HTTP server on port %s", config.webserver.port.v.s);
--- a/test/pihole.toml
+++ b/test/pihole.toml
@@ -613,6 +613,9 @@
    # 86400)
    maxHistory = 86400

+    # Allow destructive API calls (e.g. deleting all queries, powering off the system, ...)
+    allow_destructive = true
+
    [webserver.api.temp]
      # Which upper temperature limit should be used by Pi-hole? Temperatures above this
      # limit will be shown as "hot". The number specified here is in the unit defined below
@@ -786,6 +789,14 @@
  # send extra information when getting all queries.
  api = true ### CHANGED, default = false

+  # Print extra debugging information about TLS connections. This includes the TLS
+  # version, the cipher suite, the certificate chain and much more. This very verbose
+  # output should only be used when debugging specific TLS issues and can be helpful,
+  # e.g., when a client cannot connect due to an obscure TLS error as modern browsers do
+  # not provide much information about the underlying TLS connection and most often give
+  # only very generic error messages without much/any underlying technical information.
+  tls = true ### CHANGED, default = false
+
  # Print information about overTime memory operations, such as initializing or moving
  # overTime slots.
  overtime = true ### CHANGED, default = false
--- a/test/test_suite.bats
+++ b/test/test_suite.bats
@@ -1242,7 +1242,7 @@
@test "API authorization (without password): No login required" {
  run bash -c 'curl -s 127.0.0.1:8080/api/auth'
  printf "%s\n" "${lines[@]}"
-  [[ ${lines[0]} == '{"challenge":null,"session":{"valid":true,"totp":false,"sid":null,"validity":-1},"took":'*'}' ]]
+  [[ ${lines[0]} == '{"challenge":null,"session":{"valid":true,"totp":false,"sid":null,"validity":-1},"dns":true,"took":'*'}' ]]
 }

@test "API authorization (with password): FTL challenges us" {