On Mar 9, 2023, at 10:47 AM, Andy Arp <bubbaandy89@gmail.com> wrote:
Looking for ways to configure version 3.0.x to emit additional log data when an SSL error occurs. Specifically looking for ways to emit the SAN or even the ID of the certificate being presented to make it easier to track down badly configured clients without having to turn on debug mode.
Example of log message we're seeing as too generic currently:
Mon Mar 6 10:32:59 2023 : ERROR: (0) ERROR: SSL says error 23 : certificate revoked
See the debug output. The certificate fields are placed into attributes, and those attributes can be logged. Those error messages should also be placed into the TLS-Session-Information attribute, and placed into the session-state list. Alan DeKok.