authorSpencer Jackson <spencer.jackson@mongodb.com>2020-03-27 09:46:44 -0400
committerEvergreen Agent <no-reply@evergreen.mongodb.com>2020-03-27 14:17:48 +0000
commitac70762faba7453831782a7681618e3560659eac (patch)
treea6c8d4d75f33d3c385ca809d7f289682ff1a48c8
parentacc824bf085f1c255578e5e48f5e8d337ef84402 (diff)
downloadmongo-ac70762faba7453831782a7681618e3560659eac.tar.gz
Revert "SERVER-46950 Add message-strings for TLS"
This reverts commit 81885344c49450f1618d056543ff35a05440324e.
-rw-r--r--src/mongo/db/free_mon/free_mon_processor.cpp5
-rw-r--r--src/mongo/util/net/openssl_init.cpp7
-rw-r--r--src/mongo/util/net/private/ssl_expiration.cpp4
-rw-r--r--src/mongo/util/net/sock.cpp109
-rw-r--r--src/mongo/util/net/sockaddr.cpp12
-rw-r--r--src/mongo/util/net/socket_utils.cpp28
-rw-r--r--src/mongo/util/net/ssl_manager.cpp44
-rw-r--r--src/mongo/util/net/ssl_manager_apple.cpp11
-rw-r--r--src/mongo/util/net/ssl_manager_openssl.cpp99
-rw-r--r--src/mongo/util/net/ssl_manager_windows.cpp30
10 files changed, 139 insertions, 210 deletions
diff --git a/src/mongo/db/free_mon/free_mon_processor.cpp b/src/mongo/db/free_mon/free_mon_processor.cpp
index 4498617172b..72d2fc1dfde 100644
--- a/src/mongo/db/free_mon/free_mon_processor.cpp
+++ b/src/mongo/db/free_mon/free_mon_processor.cpp
@@ -260,11 +260,10 @@ void FreeMonProcessor::run() {
_queue.stop();
LOGV2_WARNING(20619,
- "Uncaught exception in '{error}' in free monitoring subsystem. "
+ "Uncaught exception in '{exception}' in free monitoring subsystem. "
"Shutting down the free monitoring subsystem.",
- "Uncaught exception in free monitoring subsystem. "
"Shutting down the free monitoring subsystem.",
- "error"_attr = exceptionToStatus());
+ "exception"_attr = exceptionToStatus());
}
}
diff --git a/src/mongo/util/net/openssl_init.cpp b/src/mongo/util/net/openssl_init.cpp
index 1ef1e0ed26d..d7a94e07767 100644
--- a/src/mongo/util/net/openssl_init.cpp
+++ b/src/mongo/util/net/openssl_init.cpp
@@ -153,9 +153,10 @@ void setupFIPS() {
int status = FIPS_mode_set(1);
if (!status) {
LOGV2_FATAL(23173,
- "can't activate FIPS mode: {error}",
- "Can't activate FIPS mode",
- "error"_attr = SSLManagerInterface::getSSLErrorMessage(ERR_get_error()));
+ "can't activate FIPS mode: {sslManagerError}",
+ "can't activate FIPS mode",
+ "sslManagerError"_attr =
+ SSLManagerInterface::getSSLErrorMessage(ERR_get_error()));
fassertFailedNoTrace(16703);
}
LOGV2(23172, "FIPS 140-2 mode activated");
diff --git a/src/mongo/util/net/private/ssl_expiration.cpp b/src/mongo/util/net/private/ssl_expiration.cpp
index 9bdcc797cec..5f37d67d2f1 100644
--- a/src/mongo/util/net/private/ssl_expiration.cpp
+++ b/src/mongo/util/net/private/ssl_expiration.cpp
@@ -60,7 +60,6 @@ void CertificateExpirationMonitor::taskDoWork() {
// The certificate has expired.
LOGV2_WARNING(23785,
"Server certificate is now invalid. It expired on {certExpiration}",
- "Server certificate has expired",
"certExpiration"_attr = dateToISOStringUTC(_certExpiration));
return;
}
@@ -72,9 +71,8 @@ void CertificateExpirationMonitor::taskDoWork() {
LOGV2_WARNING(23786,
"Server certificate will expire on {certExpiration} in "
"{validDuration}.",
- "Server certificate will expire soon",
"certExpiration"_attr = dateToISOStringUTC(_certExpiration),
- "validDuration"_attr = durationCount<Hours>(remainingValidDuration));
+ "validDuration"_attr = durationCount<Hours>(remainingValidDuration) / 24);
}
}
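Review bot: The restored attribute at `"validDuration"_attr = durationCount<Hours>(remainingValidDuration) / 24);` logs a bare integer with no unit, and the format string `"... in {validDuration}."` prints it without one, so a reader cannot tell whether the value is hours or days (the `/ 24` makes it whole days, truncated). Putting the unit in the text, `"Server certificate will expire on {certExpiration} in {validDuration} days."`, fixes the rendered message, and naming the attribute `validDurationDays` would do the same for the structured record. If `Days` is a duration type accepted by `durationCount` (it appears as a parameter type in ssl_manager.cpp in this same diff), `durationCount<Days>(remainingValidDuration)` would state the intent directly. taskDoWork continues outside the hunk.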
diff --git a/src/mongo/util/net/sock.cpp b/src/mongo/util/net/sock.cpp
index 574c33e2b1a..eedfc13fdda 100644
--- a/src/mongo/util/net/sock.cpp
+++ b/src/mongo/util/net/sock.cpp
@@ -103,9 +103,8 @@ void networkWarnWithDescription(const Socket& socket, StringData call, int error
#endif
auto ewd = errnoWithDescription(errorCode);
LOGV2_WARNING(23190,
- "failed to connect to {remoteSocketAddress}:{remoteSocketAddressPort}, "
+ "Failed to connect to {remoteSocketAddress}:{remoteSocketAddressPort}, "
"in({call}), reason: {error}",
- "Failed to connect to remote host",
"remoteSocketAddress"_attr = socket.remoteAddr().getAddr(),
"remoteSocketAddressPort"_attr = socket.remoteAddr().getPort(),
"call"_attr = call,
@@ -122,16 +121,14 @@ void setSockTimeouts(int sock, double secs) {
setsockopt(sock, SOL_SOCKET, SO_RCVTIMEO, reinterpret_cast<char*>(&timeout), sizeof(DWORD));
if (report && (status == SOCKET_ERROR))
LOGV2(23177,
- "unable to set SO_RCVTIMEO: {reason}",
- "Unable to set SO_RCVTIMEO",
- "reason"_attr = errnoWithDescription(WSAGetLastError()));
+ "unable to set SO_RCVTIMEO: {wsaError}",
+ "wsaError"_attr = errnoWithDescription(WSAGetLastError()));
status =
setsockopt(sock, SOL_SOCKET, SO_SNDTIMEO, reinterpret_cast<char*>(&timeout), sizeof(DWORD));
if (kDebugBuild && report && (status == SOCKET_ERROR))
LOGV2(23178,
- "unable to set SO_SNDTIMEO: {reason}",
- "Unable to set SO_SNDTIME0",
- "reason"_attr = errnoWithDescription(WSAGetLastError()));
+ "unable to set SO_SNDTIMEO: {wsaError}",
+ "wsaError"_attr = errnoWithDescription(WSAGetLastError()));
#else
struct timeval tv;
tv.tv_sec = (int)secs;
@@ -158,7 +155,7 @@ void disableNagle(int sock) {
if (setsockopt(sock, level, TCP_NODELAY, (char*)&x, sizeof(x)))
LOGV2_ERROR(23195,
"disableNagle failed: {error}",
- "DisableNagle failed",
+ "disableNagle failed",
"error"_attr = errnoWithDescription());
#ifdef SO_KEEPALIVE
@@ -186,10 +183,10 @@ SockAddr getLocalAddrForBoundSocketFd(int fd) {
if (rc != 0) {
LOGV2_WARNING(23191,
"Could not resolve local address for socket with fd {fd}: "
- "{error}",
- "Could not resolve local address for socket with fd",
+ "{socketError}",
+ "Could not resolve local address for socket",
"fd"_attr = fd,
- "error"_attr = getAddrInfoStrError(socketGetLastError()));
+ "socketError"_attr = getAddrInfoStrError(socketGetLastError()));
result = SockAddr();
}
return result;
@@ -362,7 +359,6 @@ bool Socket::connect(SockAddr& remote, Milliseconds connectTimeoutMillis) {
LOGV2_WARNING(23192,
"Failed to connect to {remoteAddr}:{remotePort} after "
"{connectTimeout} milliseconds, giving up.",
- "Failed to connect to remote host. Giving up",
"remoteAddr"_attr = _remote.getAddr(),
"remotePort"_attr = _remote.getPort(),
"connectTimeout"_attr = connectTimeoutMillis);
@@ -577,19 +573,17 @@ void Socket::handleSendError(int ret, const char* context) {
#endif
LOGV2_DEBUG(23181,
logSeverityV1toV2(_logLevel).toInt(),
- "Socket {context} send() timed out {remoteHost}",
- "Socket send() to remote host timed out",
+ "Socket {context} send() timed out {remoteString}",
"context"_attr = context,
- "remoteHost"_attr = remoteString());
+ "remoteString"_attr = remoteString());
throwSocketError(SocketErrorKind::SEND_TIMEOUT, remoteString());
} else if (mongo_errno != EINTR) {
LOGV2_DEBUG(23182,
logSeverityV1toV2(_logLevel).toInt(),
- "Socket {context} send() {error} {remoteHost}",
- "Socket send() to remote host failed",
+ "Socket {context} send() {mongoError} {remoteString}",
"context"_attr = context,
- "error"_attr = errnoWithDescription(mongo_errno),
- "remoteHost"_attr = remoteString());
+ "mongoError"_attr = errnoWithDescription(mongo_errno),
+ "remoteString"_attr = remoteString());
throwSocketError(SocketErrorKind::SEND_ERROR, remoteString());
}
} // namespace mongo
@@ -598,9 +592,8 @@ void Socket::handleRecvError(int ret, int len) {
if (ret == 0) {
LOGV2_DEBUG(23183,
3,
- "Socket recv() conn closed? {remoteHost}",
- "Socket recv() failed; connection may have been closed",
- "remoteHost"_attr = remoteString());
+ "Socket recv() conn closed? {remoteString}",
+ "remoteString"_attr = remoteString());
throwSocketError(SocketErrorKind::CLOSED, remoteString());
}
@@ -625,18 +618,16 @@ void Socket::handleRecvError(int ret, int len) {
// this is a timeout
LOGV2_DEBUG(23184,
logSeverityV1toV2(_logLevel).toInt(),
- "Socket recv() timeout {remoteHost}",
- "Socket recv() timeout",
- "remoteHost"_attr = remoteString());
+ "Socket recv() timeout {remoteString}",
+ "remoteString"_attr = remoteString());
throwSocketError(SocketErrorKind::RECV_TIMEOUT, remoteString());
}
LOGV2_DEBUG(23185,
logSeverityV1toV2(_logLevel).toInt(),
- "Socket recv() {error} {remoteHost}",
- "Socket recv() error",
+ "Socket recv() {error} {remoteString}",
"error"_attr = errnoWithDescription(e),
- "remoteHost"_attr = remoteString());
+ "remoteString"_attr = remoteString());
throwSocketError(SocketErrorKind::RECV_ERROR, remoteString());
}
@@ -690,10 +681,10 @@ bool Socket::isStillConnected() {
LOGV2_DEBUG(
23186,
2,
- "polling for status of connection to {remoteHost}, {errorOrEventDetected}",
- "Polling for status of connection to remote host",
- "remoteHost"_attr = remoteString(),
- "errorOrEventDetected"_attr =
+ "polling for status of connection to {remoteString}, "
+ "{nEvents_0_no_events_nEvents_1_error_detected_event_detected}",
+ "remoteString"_attr = remoteString(),
+ "nEvents_0_no_events_nEvents_1_error_detected_event_detected"_attr =
(nEvents == 0 ? "no events" : nEvents == -1 ? "error detected" : "event detected"));
if (nEvents == 0) {
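Review bot: The restored attribute name `nEvents_0_no_events_nEvents_1_error_detected_event_detected` on log id 23186 is a mechanical transliteration of the C++ expression, and it becomes the field name in every structured record for this message, where a consumer has to type it to filter on it. A name that describes the value, `"pollOutcome"_attr = (nEvents == 0 ? "no events" : nEvents == -1 ? "error detected" : "event detected")` with `{pollOutcome}` in the format string, renders identically in the text log and is usable as a JSON key. The same pattern recurs in this file as `causedBy_errnoWithDescription` (ids 23193 and 23194) and `static_cast_int_pollInfo_revents` (id 23200), and in socket_utils.cpp as `errnoWithDescription` (ids 23201, 23202, 23205, 23206). isStillConnected's body continues outside the hunk.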
@@ -703,11 +694,10 @@ bool Socket::isStillConnected() {
// Poll itself failed, this is weird, warn and log errno
LOGV2_WARNING(23193,
"Socket poll() failed during connectivity check (idle {idleTimeSecs} secs, "
- "remote host {remoteHost}){error}",
- "Socket poll() to remote host failed during connectivity check",
+ "remote host {remoteString}){causedBy_errnoWithDescription}",
"idleTimeSecs"_attr = idleTimeSecs,
- "remoteHost"_attr = remoteString(),
- "error"_attr = causedBy(errnoWithDescription()));
+ "remoteString"_attr = remoteString(),
+ "causedBy_errnoWithDescription"_attr = causedBy(errnoWithDescription()));
// Return true since it's not clear that we're disconnected.
return true;
@@ -732,74 +722,63 @@ bool Socket::isStillConnected() {
// An error occurred during recv, warn and log errno
LOGV2_WARNING(23194,
"Socket recv() failed during connectivity check (idle {idleTimeSecs} "
- "secs, remote host {remoteHost}){error}",
- "Socket recv() failed during connectivity check",
+ "secs, remote host {remoteString}){causedBy_errnoWithDescription}",
"idleTimeSecs"_attr = idleTimeSecs,
- "remoteHost"_attr = remoteString(),
- "error"_attr = causedBy(errnoWithDescription()));
+ "remoteString"_attr = remoteString(),
+ "causedBy_errnoWithDescription"_attr = causedBy(errnoWithDescription()));
} else if (recvd > 0) {
// We got nonzero data from this socket, very weird?
// Log and warn at runtime, log and abort at devtime
// TODO: Dump the data to the log somehow?
LOGV2_ERROR(23197,
- "Socket found pending {recvd} bytes of data during connectivity "
- "check (idle {idleTimeSecs} secs, remote host {remoteHost})",
- "Socket found pending bytes of data during connectivity check to remote "
- "host",
+ "Socket found pending {recvd} bytes of data during connectivity check "
+ "(idle {idleTimeSecs} secs, remote host {remoteString})",
"recvd"_attr = recvd,
"idleTimeSecs"_attr = idleTimeSecs,
- "remoteHost"_attr = remoteString());
+ "remoteString"_attr = remoteString());
if (kDebugBuild) {
std::string hex = hexdump(testBuf, recvd);
- LOGV2_ERROR(23198,
- "Hex dump of stale log data: {hex}",
- "Hex dump of stale log data",
- "hex"_attr = hex);
+ LOGV2_ERROR(23198, "Hex dump of stale log data: {hex}", "hex"_attr = hex);
}
dassert(false);
} else {
// recvd == 0, socket closed remotely, just return false
LOGV2(23187,
"Socket closed remotely, no longer connected (idle {idleTimeSecs} secs, remote "
- "host {remoteHost})",
- "Socket closed remotely, no longer connected to remote host",
+ "host {remoteString})",
"idleTimeSecs"_attr = idleTimeSecs,
- "remoteHost"_attr = remoteString());
+ "remoteString"_attr = remoteString());
}
} else if (pollInfo.revents & POLLHUP) {
// A hangup has occurred on this socket
LOGV2(23188,
"Socket hangup detected, no longer connected (idle {idleTimeSecs} secs, remote host "
- "{remoteHost})",
- "Socket hangup detected, no longer connected to remote host",
+ "{remoteString})",
"idleTimeSecs"_attr = idleTimeSecs,
- "remoteHost"_attr = remoteString());
+ "remoteString"_attr = remoteString());
} else if (pollInfo.revents & POLLERR) {
// An error has occurred on this socket
LOGV2(23189,
"Socket error detected, no longer connected (idle {idleTimeSecs} secs, remote host "
- "{remoteHost})",
- "Socket error detected, no longer connected to remote host",
+ "{remoteString})",
"idleTimeSecs"_attr = idleTimeSecs,
- "remoteHost"_attr = remoteString());
+ "remoteString"_attr = remoteString());
} else if (pollInfo.revents & POLLNVAL) {
// Socket descriptor itself is weird
// Log and warn at runtime, log and abort at devtime
LOGV2_ERROR(23199,
"Socket descriptor detected as invalid (idle {idleTimeSecs} secs, remote host "
- "{remoteHost})",
- "Socket descriptor detected as invalid",
+ "{remoteString})",
"idleTimeSecs"_attr = idleTimeSecs,
- "remoteHost"_attr = remoteString());
+ "remoteString"_attr = remoteString());
dassert(false);
} else {
// Don't know what poll is saying here
// Log and warn at runtime, log and abort at devtime
LOGV2_ERROR(23200,
- "Socket had unknown event ({pollEvents}) (idle "
+ "Socket had unknown event ({static_cast_int_pollInfo_revents}) (idle "
"{idleTimeSecs} secs, remote host {remoteString})",
- "Socket had unknown event",
- "pollEvents"_attr = static_cast<int>(pollInfo.revents),
+ "static_cast_int_pollInfo_revents"_attr = static_cast<int>(pollInfo.revents),
"idleTimeSecs"_attr = idleTimeSecs,
"remoteString"_attr = remoteString());
dassert(false);
diff --git a/src/mongo/util/net/sockaddr.cpp b/src/mongo/util/net/sockaddr.cpp
index 33b3e50b865..962f71aed14 100644
--- a/src/mongo/util/net/sockaddr.cpp
+++ b/src/mongo/util/net/sockaddr.cpp
@@ -158,10 +158,10 @@ SockAddr::SockAddr(StringData target, int port, sa_family_t familyHint)
if (_hostOrIp != "0.0.0.0") { // don't log if this as it is a
// CRT construction and log() may not work yet.
LOGV2(23175,
- "getaddrinfo(\"{host}\") failed: {error}",
- "Command getaddrinfo failed",
+ "getaddrinfo(\"{host}\") failed: {reason}",
+ "getaddrinfo failed",
"host"_attr = _hostOrIp,
- "error"_attr = getAddrInfoStrError(addrErr.err));
+ "reason"_attr = getAddrInfoStrError(addrErr.err));
_isValid = false;
return;
}
@@ -191,10 +191,10 @@ std::vector<SockAddr> SockAddr::createAll(StringData target, int port, sa_family
auto addrErr = resolveAddrInfo(hostOrIp, port, familyHint);
if (addrErr.err) {
LOGV2(23176,
- "getaddrinfo(\"{host}\") failed: {error}",
- "getaddrinfo invocation failed",
+ "getaddrinfo(\"{host}\") failed: {reason}",
+ "getaddrinfo failed",
"host"_attr = hostOrIp,
- "error"_attr = getAddrInfoStrError(addrErr.err));
+ "reason"_attr = getAddrInfoStrError(addrErr.err));
return {};
}
diff --git a/src/mongo/util/net/socket_utils.cpp b/src/mongo/util/net/socket_utils.cpp
index 3d321bf3810..11fec0298ac 100644
--- a/src/mongo/util/net/socket_utils.cpp
+++ b/src/mongo/util/net/socket_utils.cpp
@@ -71,9 +71,9 @@ const struct WinsockInit {
WSADATA d;
if (WSAStartup(MAKEWORD(2, 2), &d) != 0) {
LOGV2(23201,
- "ERROR: wsastartup failed {error}",
+ "ERROR: wsastartup failed {errnoWithDescription}",
"ERROR: wsastartup failed",
- "error"_attr = errnoWithDescription());
+ "errnoWithDescription"_attr = errnoWithDescription());
quickExit(EXIT_NTSERVICE_ERROR);
}
}
@@ -119,9 +119,9 @@ void setSocketKeepAliveParams(int sock,
return val ? (val.get() / 1000) : default_value;
}
LOGV2_ERROR(23203,
- "can't get KeepAlive parameter: {error}",
- "Can't get KeepAlive parameter",
- "error"_attr = withval.getStatus());
+ "can't get KeepAlive parameter: {status}",
+ "can't get KeepAlive parameter",
+ "status"_attr = withval.getStatus());
return default_value;
};
@@ -145,7 +145,7 @@ void setSocketKeepAliveParams(int sock,
nullptr)) {
LOGV2_ERROR(23204,
"failed setting keepalive values: {error}",
- "Failed setting keepalive values",
+ "failed setting keepalive values",
"error"_attr = WSAGetLastError());
}
}
@@ -157,20 +157,18 @@ void setSocketKeepAliveParams(int sock,
if (getsockopt(sock, level, optnum, (char*)&optval, &len)) {
LOGV2_ERROR(23205,
- "can't get {optname}: {error}",
- "Can't get socket option",
+ "can't get {optname}: {errnoWithDescription}",
"optname"_attr = optname,
- "error"_attr = errnoWithDescription());
+ "errnoWithDescription"_attr = errnoWithDescription());
}
if (optval > maxval) {
optval = maxval;
if (setsockopt(sock, level, optnum, (char*)&optval, sizeof(optval))) {
LOGV2_ERROR(23206,
- "can't set {optname}: {error}",
- "Can't set socket option",
+ "can't set {optname}: {errnoWithDescription}",
"optname"_attr = optname,
- "error"_attr = errnoWithDescription());
+ "errnoWithDescription"_attr = errnoWithDescription());
}
}
};
@@ -215,9 +213,9 @@ std::string getHostName() {
int ec = gethostname(buf, 127);
if (ec || *buf == 0) {
LOGV2(23202,
- "can't get this server's hostname {error}",
- "Can't get this server's hostname",
- "error"_attr = errnoWithDescription());
+ "can't get this server's hostname {errnoWithDescription}",
+ "can't get this server's hostname",
+ "errnoWithDescription"_attr = errnoWithDescription());
return "";
}
return buf;
diff --git a/src/mongo/util/net/ssl_manager.cpp b/src/mongo/util/net/ssl_manager.cpp
index e162ac28c49..56ff7878ea6 100644
--- a/src/mongo/util/net/ssl_manager.cpp
+++ b/src/mongo/util/net/ssl_manager.cpp
@@ -555,21 +555,19 @@ MONGO_INITIALIZER_WITH_PREREQUISITES(SSLManagerLogger, ("SSLManager", "GlobalLog
if (!config.clientSubjectName.empty()) {
LOGV2_DEBUG(23214,
1,
- "Client Certificate Name: {name}",
- "Client certificate name",
- "name"_attr = config.clientSubjectName);
+ "Client Certificate Name: {clientSubjectName}",
+ "clientSubjectName"_attr = config.clientSubjectName);
}
if (!config.serverSubjectName().empty()) {
LOGV2_DEBUG(23215,
1,
- "Server Certificate Name: {name}",
- "Server certificate name",
- "name"_attr = config.serverSubjectName());
+ "Server Certificate Name: {serverSubjectName}",
+ "serverSubjectName"_attr = config.serverSubjectName());
LOGV2_DEBUG(23216,
1,
- "Server Certificate Expiration: {expiration}",
- "Server certificate expiration",
- "expiration"_attr = config.serverCertificateExpirationDate);
+ "Server Certificate Expiration: {serverCertificateExpirationDate}",
+ "serverCertificateExpirationDate"_attr =
+ config.serverCertificateExpirationDate);
}
}
@@ -609,10 +607,10 @@ Status SSLX509Name::normalizeStrings() {
LOGV2_DEBUG(23217,
1,
"Certificate subject name contains unknown string type: "
- "{entryType} (string value is \"{entryValue}\")",
+ "{entry_type} (string value is \"{entry_value}\")",
"Certificate subject name contains unknown string type",
- "entryType"_attr = entry.type,
- "entryValue"_attr = entry.value);
+ "entry_type"_attr = entry.type,
+ "entry_value"_attr = entry.value);
break;
}
}
@@ -695,18 +693,18 @@ bool SSLConfiguration::isClusterMember(StringData subjectName) const {
auto swClient = parseDN(subjectName);
if (!swClient.isOK()) {
LOGV2_WARNING(23219,
- "Unable to parse client subject name: {error}",
+ "Unable to parse client subject name: {status}",
"Unable to parse client subject name",
- "error"_attr = swClient.getStatus());
+ "status"_attr = swClient.getStatus());
return false;
}
auto& client = swClient.getValue();
auto status = client.normalizeStrings();
if (!status.isOK()) {
LOGV2_WARNING(23220,
- "Unable to normalize client subject name: {error}",
+ "Unable to normalize client subject name: {status}",
"Unable to normalize client subject name",
- "error"_attr = status);
+ "status"_attr = status);
return false;
}
@@ -1202,10 +1200,9 @@ void recordTLSVersion(TLSVersion version, const HostAndPort& hostForLogging) {
if (!versionString.empty()) {
LOGV2(23218,
- "Accepted connection with TLS Version {tlsVersion} from connection {remoteHost}",
- "Accepted connection with TLS",
- "tlsVersion"_attr = versionString,
- "remoteHost"_attr = hostForLogging);
+ "Accepted connection with TLS Version {version} from connection {connection}",
+ "version"_attr = versionString,
+ "connection"_attr = hostForLogging);
}
}
@@ -1233,16 +1230,13 @@ bool hostNameMatchForX509Certificates(std::string nameToMatch, std::string certH
}
void tlsEmitWarningExpiringClientCertificate(const SSLX509Name& peer) {
- LOGV2_WARNING(23221,
- "Peer certificate '{peerSubjectName}' expires soon",
- "Peer certificate expires soon",
- "peerSubjectName"_attr = peer);
+ LOGV2_WARNING(
+ 23221, "Peer certificate '{peerSubjectName}' expires soon", "peerSubjectName"_attr = peer);
}
void tlsEmitWarningExpiringClientCertificate(const SSLX509Name& peer, Days days) {
LOGV2_WARNING(23222,
"Peer certificate '{peerSubjectName}' expires in {days}",
- "Peer certificate expiration information",
"peerSubjectName"_attr = peer,
"days"_attr = days);
}
diff --git a/src/mongo/util/net/ssl_manager_apple.cpp b/src/mongo/util/net/ssl_manager_apple.cpp
index d2c75beb3f8..88af2c0d93b 100644
--- a/src/mongo/util/net/ssl_manager_apple.cpp
+++ b/src/mongo/util/net/ssl_manager_apple.cpp
@@ -1471,17 +1471,19 @@ Future<SSLPeerInfo> SSLManagerApple::parseAndValidatePeerCertificate(
}
const auto badCert = [&](StringData msg, bool warn = false) -> Future<SSLPeerInfo> {
+ constexpr StringData prefix = "SSL peer certificate validation failed: "_sd;
if (warn) {
LOGV2_WARNING(23209,
- "SSL peer certificate validation failed: {error}",
+ "{prefix}{msg}",
"SSL peer certificate validation failed",
- "error"_attr = msg);
+ "prefix"_attr = prefix,
+ "msg"_attr = msg);
return Future<SSLPeerInfo>::makeReady(SSLPeerInfo(sniName));
} else {
LOGV2_ERROR(23212,
- "SSL peer certificate validation failed {error}; connection rejected",
+ "SSL peer certificate validation failed {status}; connection rejected",
"SSL peer certificate validation failed; connection rejected",
- "error"_attr = msg);
+ "status"_attr = msg);
return Status(ErrorCodes::SSLHandshakeFailed, msg);
}
};
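Review bot: In the restored `badCert` lambda the constant prefix is passed as a log attribute, `"prefix"_attr = prefix` with format `"{prefix}{msg}"`, so the structured record for id 23209 carries a field whose value never varies, while the else branch names the same `StringData msg` value `status` for id 23212 although it is a plain message rather than a Status. Writing the literal into the format string, `"SSL peer certificate validation failed: {msg}"`, and using the attribute name `msg` in both branches removes the constant field and keeps the two records consistent; the `constexpr StringData prefix` line is then unnecessary. parseAndValidatePeerCertificate continues outside the hunk.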
@@ -1585,7 +1587,6 @@ Future<SSLPeerInfo> SSLManagerApple::parseAndValidatePeerCertificate(
LOGV2_DEBUG(23207,
2,
"Accepted TLS connection from peer: {peerSubjectName}",
- "Accepted TLS connection from peer",
"peerSubjectName"_attr = peerSubjectName);
// Server side.
diff --git a/src/mongo/util/net/ssl_manager_openssl.cpp b/src/mongo/util/net/ssl_manager_openssl.cpp
index 22f4170bd92..5d7ec9831ab 100644
--- a/src/mongo/util/net/ssl_manager_openssl.cpp
+++ b/src/mongo/util/net/ssl_manager_openssl.cpp
@@ -1540,9 +1540,8 @@ int ocspClientCallback(SSL* ssl, void* arg) {
if (swStapleOK.getStatus() == ErrorCodes::OCSPCertificateStatusRevoked) {
LOGV2_DEBUG(23225,
1,
- "Stapled Certificate validation failed: {error}",
- "Stapled Certificate validation failed",
- "error"_attr = swStapleOK.getStatus());
+ "Stapled Certificate validation failed: {reason}",
+ "reason"_attr = swStapleOK.getStatus().reason());
return OCSP_CLIENT_RESPONSE_NOT_ACCEPTABLE;
}
@@ -1966,19 +1965,19 @@ bool SSLManagerOpenSSL::_parseAndValidateCertificate(const std::string& keyFile,
BIO* inBIO = BIO_new(BIO_s_file());
if (inBIO == nullptr) {
LOGV2_ERROR(23243,
- "failed to allocate BIO object: {error}",
- "Failed to allocate BIO object",
- "error"_attr = getSSLErrorMessage(ERR_get_error()));
+ "failed to allocate BIO object: {openSSLError}",
+ "failed to allocate BIO object",
+ "openSSLError"_attr = getSSLErrorMessage(ERR_get_error()));
return false;
}
ON_BLOCK_EXIT([&] { BIO_free(inBIO); });
if (BIO_read_filename(inBIO, keyFile.c_str()) <= 0) {
LOGV2_ERROR(23244,
- "cannot read key file when setting subject name: {keyFile} {error}",
- "Cannot read key file when setting subject name",
+ "cannot read key file when setting subject name: {keyFile} {openSSLError}",
+ "cannot read key file when setting subject name",
"keyFile"_attr = keyFile,
- "error"_attr = getSSLErrorMessage(ERR_get_error()));
+ "openSSLError"_attr = getSSLErrorMessage(ERR_get_error()));
return false;
}
@@ -1986,10 +1985,10 @@ bool SSLManagerOpenSSL::_parseAndValidateCertificate(const std::string& keyFile,
inBIO, nullptr, &SSLManagerOpenSSL::password_cb, static_cast<void*>(&keyPassword));
if (x509 == nullptr) {
LOGV2_ERROR(23245,
- "cannot retrieve certificate from keyfile: {keyFile} {error}",
- "Cannot retrieve certificate from keyfile",
+ "cannot retrieve certificate from keyfile: {keyFile} {openSSLError}",
+ "cannot retrieve certificate from keyfile",
"keyFile"_attr = keyFile,
- "error"_attr = getSSLErrorMessage(ERR_get_error()));
+ "openSSLError"_attr = getSSLErrorMessage(ERR_get_error()));
return false;
}
ON_BLOCK_EXIT([&] { X509_free(x509); });
@@ -2023,29 +2022,29 @@ bool SSLManagerOpenSSL::_setupPEM(SSL_CTX* context,
PasswordFetcher* password) {
if (SSL_CTX_use_certificate_chain_file(context, keyFile.c_str()) != 1) {
LOGV2_ERROR(23248,
- "cannot read certificate file: {keyFile} {error}",
- "Cannot read certificate file",
+ "cannot read certificate file: {keyFile} {openSSLError}",
+ "cannot read certificate file",
"keyFile"_attr = keyFile,
- "error"_attr = getSSLErrorMessage(ERR_get_error()));
+ "openSSLError"_attr = getSSLErrorMessage(ERR_get_error()));
return false;
}
BIO* inBio = BIO_new(BIO_s_file());
if (!inBio) {
LOGV2_ERROR(23249,
- "failed to allocate BIO object: {error}",
- "Failed to allocate BIO object",
- "error"_attr = getSSLErrorMessage(ERR_get_error()));
+ "failed to allocate BIO object: {openSSLError}",
+ "failed to allocate BIO object",
+ "openSSLError"_attr = getSSLErrorMessage(ERR_get_error()));
return false;
}
const auto bioGuard = makeGuard([&inBio]() { BIO_free(inBio); });
if (BIO_read_filename(inBio, keyFile.c_str()) <= 0) {
LOGV2_ERROR(23250,
- "cannot read PEM key file: {keyFile} {error}",
- "Cannot read PEM key file",
+ "cannot read PEM key file: {keyFile} {openSSLError}",
+ "cannot read PEM key file",
"keyFile"_attr = keyFile,
- "error"_attr = getSSLErrorMessage(ERR_get_error()));
+ "openSSLError"_attr = getSSLErrorMessage(ERR_get_error()));
return false;
}
@@ -2055,29 +2054,29 @@ bool SSLManagerOpenSSL::_setupPEM(SSL_CTX* context,
EVP_PKEY* privateKey = PEM_read_bio_PrivateKey(inBio, nullptr, password_cb, userdata);
if (!privateKey) {
LOGV2_ERROR(23251,
- "cannot read PEM key file: {keyFile} {error}",
- "Cannot read PEM key file",
+ "cannot read PEM key file: {keyFile} {openSSLError}",
+ "cannot read PEM key file",
"keyFile"_attr = keyFile,
- "error"_attr = getSSLErrorMessage(ERR_get_error()));
+ "openSSLError"_attr = getSSLErrorMessage(ERR_get_error()));
return false;
}
const auto privateKeyGuard = makeGuard([&privateKey]() { EVP_PKEY_free(privateKey); });
if (SSL_CTX_use_PrivateKey(context, privateKey) != 1) {
LOGV2_ERROR(23252,
- "cannot use PEM key file: {keyFile} {error}",
- "Cannot use PEM key file",
+ "cannot use PEM key file: {keyFile} {openSSLError}",
+ "cannot use PEM key file",
"keyFile"_attr = keyFile,
- "error"_attr = getSSLErrorMessage(ERR_get_error()));
+ "openSSLError"_attr = getSSLErrorMessage(ERR_get_error()));
return false;
}
// Verify that the certificate and the key go together.
if (SSL_CTX_check_private_key(context) != 1) {
LOGV2_ERROR(23253,
- "SSL certificate validation failed: {error}",
+ "SSL certificate validation failed: {openSSLError}",
"SSL certificate validation failed",
- "error"_attr = getSSLErrorMessage(ERR_get_error()));
+ "openSSLError"_attr = getSSLErrorMessage(ERR_get_error()));
return false;
}
@@ -2144,10 +2143,10 @@ bool SSLManagerOpenSSL::_setupCRL(SSL_CTX* context, const std::string& crlFile)
int status = X509_load_crl_file(lookup, crlFile.c_str(), X509_FILETYPE_PEM);
if (status == 0) {
LOGV2_ERROR(23254,
- "cannot read CRL file: {crlFile} {error}",
- "Cannot read CRL file",
+ "cannot read CRL file: {crlFile} {openSSLError}",
+ "cannot read CRL file",
"crlFile"_attr = crlFile,
- "error"_attr = getSSLErrorMessage(ERR_get_error()));
+ "openSSLError"_attr = getSSLErrorMessage(ERR_get_error()));
return false;
}
@@ -2156,7 +2155,6 @@ bool SSLManagerOpenSSL::_setupCRL(SSL_CTX* context, const std::string& crlFile)
} else {
LOGV2(4652602,
"ssl imported {numberCerts} revoked certificates from the revocation list",
- "SSL imported revoked certificates from the revocation list",
"numberCerts"_attr = status);
}
@@ -2378,15 +2376,11 @@ Future<SSLPeerInfo> SSLManagerOpenSSL::parseAndValidatePeerCertificate(
if (_weakValidation) {
// do not give warning if certificate warnings are suppressed
if (!_suppressNoCertificateWarning) {
- LOGV2_WARNING(23234,
- "no SSL certificate provided by peer",
- "No SSL certificate provided by peer");
+ LOGV2_WARNING(23234, "no SSL certificate provided by peer");
}
return SSLPeerInfo(sni);
} else {
- LOGV2_ERROR(23255,
- "no SSL certificate provided by peer; connection rejected",
- "No SSL certificate provided by peer; connection rejected");
+ LOGV2_ERROR(23255, "no SSL certificate provided by peer; connection rejected");
return Status(ErrorCodes::SSLHandshakeFailed,
"no SSL certificate provided by peer; connection rejected");
}
@@ -2565,21 +2559,10 @@ Future<SSLPeerInfo> SSLManagerOpenSSL::parseAndValidatePeerCertificate(
msgBuilder << "The server certificate does not match the host name. Hostname: "
<< remoteHost << " does not match " << certificateNames.str();
std::string msg = msgBuilder.str();
-
if (_allowInvalidCertificates || _allowInvalidHostnames || isUnixDomainSocket(remoteHost)) {
- LOGV2_WARNING(23238,
- "The server certificate does not match the host name. Hostname: "
- "{remoteHost} does not match {certificateNames}",
- "The server certificate does not match the remote host name",
- "remoteHost"_attr = remoteHost,
- "certificateNames"_attr = certificateNames.str());
+ LOGV2_WARNING(23238, "{msg}", "msg"_attr = msg);
} else {
- LOGV2_ERROR(23257,
- "The server certificate does not match the host name. Hostname: "
- "{remoteHost} does not match {certificateNames}",
- "The server certificate does not match the remote host name",
- "remoteHost"_attr = remoteHost,
- "certificateNames"_attr = certificateNames.str());
+ LOGV2_ERROR(23257, "{msg}", "msg"_attr = msg);
return Future<SSLPeerInfo>::makeReady(Status(ErrorCodes::SSLHandshakeFailed, msg));
}
}
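Review bot: With `LOGV2_WARNING(23238, "{msg}", "msg"_attr = msg);` the hostname-mismatch event is logged as one preformatted string, so the structured record no longer carries `remoteHost` and `certificateNames` as separate fields. This warning marks a case where the mismatch was deliberately tolerated (`_allowInvalidCertificates`, `_allowInvalidHostnames` or a Unix domain socket), which is exactly the event a log consumer wants to select by host, and matching on a single free-text field is brittle. If the text output must stay as restored, the discrete attributes can be kept alongside it, `"remoteHost"_attr = remoteHost, "certificateNames"_attr = certificateNames.str()` on both the 23238 and 23257 calls, with `{remoteHost}` and `{certificateNames}` in the format string in place of `{msg}`. The same collapse appears in ssl_manager_windows.cpp for ids 23275, 23276 and 23279. parseAndValidatePeerCertificate continues outside the hunk.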
@@ -2673,10 +2656,8 @@ void SSLManagerOpenSSL::_handleSSLError(SSLConnectionOpenSSL* conn, int ret) {
// manner.
errToThrow = (code == SSL_ERROR_WANT_READ) ? SocketErrorKind::RECV_ERROR
: SocketErrorKind::SEND_ERROR;
- LOGV2_ERROR(23258,
- "SSL: {error}, possibly timed out during connect",
- "SSL: possibly timed out during connect",
- "error"_attr = code);
+ LOGV2_ERROR(
+ 23258, "SSL: {code}, possibly timed out during connect", "code"_attr = code);
break;
case SSL_ERROR_ZERO_RETURN:
@@ -2688,19 +2669,17 @@ void SSLManagerOpenSSL::_handleSSLError(SSLConnectionOpenSSL* conn, int ret) {
// If ERR_get_error returned 0, the error queue is empty
// check the return value of the actual SSL operation
if (err != 0) {
- LOGV2_ERROR(
- 23260, "SSL: {error}", "SSL error", "error"_attr = getSSLErrorMessage(err));
+ LOGV2_ERROR(23260, "SSL: {error}", "error"_attr = getSSLErrorMessage(err));
} else if (ret == 0) {
LOGV2_ERROR(23261, "Unexpected EOF encountered during SSL communication");
} else {
LOGV2_ERROR(23262,
"The SSL BIO reported an I/O error {error}",
- "The SSL BIO reported an I/O error",
"error"_attr = errnoWithDescription());
}
break;
case SSL_ERROR_SSL: {
- LOGV2_ERROR(23263, "SSL: {error}", "SSL error", "error"_attr = getSSLErrorMessage(err));
+ LOGV2_ERROR(23263, "SSL: {error}", "error"_attr = getSSLErrorMessage(err));
break;
}
diff --git a/src/mongo/util/net/ssl_manager_windows.cpp b/src/mongo/util/net/ssl_manager_windows.cpp
index 6ab4fc2d485..499c74b97eb 100644
--- a/src/mongo/util/net/ssl_manager_windows.cpp
+++ b/src/mongo/util/net/ssl_manager_windows.cpp
@@ -566,9 +566,9 @@ int SSLManagerWindows::SSL_write(SSLConnectionInterface* connInterface, const vo
}
default:
LOGV2_FATAL(23283,
- "Unexpected ASIO state: {state}",
+ "Unexpected ASIO state: {wantStateInt}",
"Unexpected ASIO state",
- "state"_attr = static_cast<int>(want));
+ "wantStateInt"_attr = static_cast<int>(want));
MONGO_UNREACHABLE;
}
}
@@ -1821,30 +1821,16 @@ Status validatePeerCertificate(const std::string& remoteHost,
msg << "The server certificate does not match the host name. Hostname: " << remoteHost
<< " does not match " << certificateNames.str();
-
if (allowInvalidCertificates) {
LOGV2_WARNING(23274,
"SSL peer certificate validation failed ({errorCode}): {error}",
- "SSL peer certificate validation failed",
"errorCode"_attr = integerToHex(certChainPolicyStatus.dwError),
"error"_attr = errnoWithDescription(certChainPolicyStatus.dwError));
-
- LOGV2_WARNING(23275,
- "The server certificate does not match the host name. Hostname: "
- "{remoteHost} does not match {certificateNames}",
- "The server certificate does not match the host name",
- "remoteHost"_attr = remoteHost,
- "certificateNames"_attr = certificateNames.str());
-
+ LOGV2_WARNING(23275, "{msg}", "msg"_attr = msg.ss.str());
*peerSubjectName = SSLX509Name();
return Status::OK();
} else if (allowInvalidHostnames) {
- LOGV2_WARNING(23276,
- "The server certificate does not match the host name. Hostname: "
- "{remoteHost} does not match {certificateNames}",
- "The server certificate does not match the host name",
- "remoteHost"_attr = remoteHost,
- "certificateNames"_attr = certificateNames.str());
+ LOGV2_WARNING(23276, "{msg}", "msg"_attr = msg.ss.str());
return Status::OK();
} else {
return Status(ErrorCodes::SSLHandshakeFailed, msg);
@@ -1854,13 +1840,7 @@ Status validatePeerCertificate(const std::string& remoteHost,
msg << "SSL peer certificate validation failed: ("
<< integerToHex(certChainPolicyStatus.dwError) << ")"
<< errnoWithDescription(certChainPolicyStatus.dwError);
-
-
- LOGV2_ERROR(23279,
- "SSL peer certificate validation failed: ({errorCode}){error}",
- "SSL peer certificate validation failed",
- "errorCode"_attr = integerToHex(certChainPolicyStatus.dwError),
- "error"_attr = errnoWithDescription(certChainPolicyStatus.dwError));
+ LOGV2_ERROR(23279, "{msg}", "msg"_attr = msg.ss.str());
return Status(ErrorCodes::SSLHandshakeFailed, msg);
}
}