Logging TLS certificate validation and HTTPS proxy

Source commit: 85e5cce694b8c218a570c5ccb22467cca4a0d424

source/core/Http.cpp

@@ -5,6 +5,7 @@
 #include "Http.h"
 #include "NeonIntf.h"
 #include "Exceptions.h"
+#include "CoreMain.h"
 #include "ne_request.h"
 #include "TextsCore.h"
 #include <openssl/ssl.h>
@@ -234,12 +235,22 @@ int THttp::NeonServerSSLCallbackImpl(int Failures, const ne_ssl_certificate * Ce
   UnicodeString WindowsCertificateError;
   if (Failures != 0)
   {
-    NeonWindowsValidateCertificate(Failures, AsciiCert, WindowsCertificateError);
+    AppLogFmt(L"TLS failure: %s (%d)", (NeonCertificateFailuresErrorStr(Failures, FHostName), Failures));
+    AppLogFmt(L"Hostname: %s, Certificate: %s", (FHostName, AsciiCert, AsciiCert));
+    if (NeonWindowsValidateCertificate(Failures, AsciiCert, WindowsCertificateError))
+    {
+      AppLogFmt(L"Certificate trusted by Windows certificate store (%d)", (Failures));
+    }
+    if (!WindowsCertificateError.IsEmpty())
+    {
+      AppLogFmt(L"Error from Windows certificate store: %s", (WindowsCertificateError));
+    }
   }
 
   if (Failures != 0)
   {
     FCertificateError = NeonCertificateFailuresErrorStr(Failures, FHostName);
+    AppLogFmt(L"TLS certificate error: %s", (FCertificateError));
     AddToList(FCertificateError, WindowsCertificateError, L"\n");
   }
 

source/core/Security.cpp

@@ -151,7 +151,11 @@ bool WindowsValidateCertificate(const unsigned char * Certificate, size_t Len, U
     CertCreateCertificateContext(
       X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, Certificate, Len);
 
-  if (CertContext != NULL)
+  if (CertContext == NULL)
+  {
+    Error = L"Cannot create certificate context";
+  }
+  else
   {
     CERT_CHAIN_PARA ChainPara;
     // Retrieve the certificate chain of the certificate
@@ -182,13 +186,21 @@ bool WindowsValidateCertificate(const unsigned char * Certificate, size_t Len, U
 
     HCERTCHAINENGINE ChainEngine;
     bool ChainEngineResult = CertCreateCertificateChainEngine(&ChainConfig, &ChainEngine);
-    if (ChainEngineResult)
+    if (!ChainEngineResult)
+    {
+      Error = L"Cannot create certificate chain engine";
+    }
+    else
     {
       const CERT_CHAIN_CONTEXT * ChainContext = NULL;
-      if (CertGetCertificateChain(ChainEngine, CertContext, NULL, NULL, &ChainPara,
+      if (!CertGetCertificateChain(ChainEngine, CertContext, NULL, NULL, &ChainPara,
             CERT_CHAIN_CACHE_END_CERT |
             CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT,
             NULL, &ChainContext))
+      {
+        Error = L"Cannot get certificate chain";
+      }
+      else
       {
         CERT_CHAIN_POLICY_PARA PolicyPara;
 
@@ -199,8 +211,11 @@ bool WindowsValidateCertificate(const unsigned char * Certificate, size_t Len, U
         CERT_CHAIN_POLICY_STATUS PolicyStatus;
         PolicyStatus.cbSize = sizeof(PolicyStatus);
 
-        if (CertVerifyCertificateChainPolicy(CERT_CHAIN_POLICY_SSL,
-              ChainContext, &PolicyPara, &PolicyStatus))
+        if (!CertVerifyCertificateChainPolicy(CERT_CHAIN_POLICY_SSL, ChainContext, &PolicyPara, &PolicyStatus))
+        {
+          Error = L"Cannot verify certificate chain policy";
+        }
+        else
         {
           // Windows thinks the certificate is valid.
           Result = (PolicyStatus.dwError == S_OK);

source/windows/Setup.cpp

@@ -875,6 +875,10 @@ static THttp * __fastcall CreateHttp(const TUpdatesConfiguration & Updates)
       break;
   }
 
+  if (!ProxyHost.IsEmpty())
+  {
+    AppLogFmt("Using proxy: %s:%d", (ProxyHost, ProxyPort));
+  }
   Http->ProxyHost = ProxyHost;
   Http->ProxyPort = ProxyPort;
 
@@ -944,6 +948,7 @@ static bool __fastcall DoQueryUpdates(TUpdatesConfiguration & Updates, bool Coll
     {
       if (CheckForUpdatesHTTP->IsCertificateError())
       {
+        AppLog(L"Certificate error detected.");
         Configuration->Usage->Inc(L"UpdateCertificateErrors");
       }
       throw;

source/windows/Tools.cpp

@@ -1628,6 +1628,7 @@ bool __fastcall AutodetectProxy(UnicodeString & HostName, int & PortNumber)
     {
       HostName = CutToChar(Proxy, L':', true);
       PortNumber = StrToIntDef(Proxy, ProxyPortNumber);
+      AppLogFmt("Proxy autodetected: %s:%d", (HostName, PortNumber));
     }
   }