Verbose SSL error logs

iocore/net/SSLClientUtils.cc

@@ -268,7 +268,8 @@ SSLCreateClientContext(const struct SSLConfigParams *params, const char *ca_bund
   }
 
   if (!SSL_CTX_use_certificate_chain_file(ctx.get(), cert_path)) {
-    SSLError("SSLCreateClientContext(): failed to load client certificate.");
+    SSLError("SSLCreateClientContext(): failed to load client certificate: %s",
+             (!cert_path || cert_path[0] == '\0') ? "[empty file name]" : cert_path);
     return nullptr;
   }
 
@@ -277,17 +278,23 @@ SSLCreateClientContext(const struct SSLConfigParams *params, const char *ca_bund
   }
 
   if (!SSL_CTX_use_PrivateKey_file(ctx.get(), key_path, SSL_FILETYPE_PEM)) {
-    SSLError("SSLCreateClientContext(): failed to load client private key.");
+    SSLError("SSLCreateClientContext(): failed to load client private key: %s",
+             (!key_path || key_path[0] == '\0') ? "[empty file]" : key_path);
     return nullptr;
   }
 
   if (!SSL_CTX_check_private_key(ctx.get())) {
-    SSLError("SSLCreateClientContext(): client private key does not match client certificate.");
+    SSLError("SSLCreateClientContext(): client private key: %s does not match client certificate: %s",
+             (!key_path || key_path[0] == '\0') ? "[empty file]" : key_path,
+             (!cert_path || cert_path[0] == '\0') ? "[empty file]" : cert_path);
     return nullptr;
   }
 
   if (ca_bundle_file || ca_bundle_path) {
     if (!SSL_CTX_load_verify_locations(ctx.get(), ca_bundle_file, ca_bundle_path)) {
+      SSLError("SSLCreateClientContext(): Invalid CA Certificate file: %s or CA Certificate path: %s",
+               (!ca_bundle_file || ca_bundle_file[0] == '\0') ? "[empty file name]" : ca_bundle_file,
+               (!ca_bundle_path || ca_bundle_path[0] == '\0') ? "[empty path]" : ca_bundle_path);
       SSLError("SSLCreateClientContext(): Invalid client CA cert file/CA path.");
       return nullptr;
     }

iocore/net/SSLConfig.cc

@@ -496,7 +496,7 @@ SSLConfig::startup()
 void
 SSLConfig::reconfigure()
 {
-  Debug("ssl", "Reload SSLConfig");
+  Debug("ssl_load", "Reload SSLConfig");
   SSLConfigParams *params;
   params = new SSLConfigParams;
   // start loading the next config
@@ -555,7 +555,7 @@ SSLCertificateConfig::reconfigure()
   // twice the healthcheck period to simulate a loading a large certificate set.
   if (is_action_tag_set("test.multicert.delay")) {
     const int secs = 60;
-    Debug("ssl", "delaying certificate reload by %d secs", secs);
+    Debug("ssl_load", "delaying certificate reload by %d secs", secs);
     ink_hrtime_sleep(HRTIME_SECONDS(secs));
   }
 
@@ -631,7 +631,7 @@ SSLTicketParams::LoadTicket(bool &nochange)
     struct stat sdata;
     if (last_load_time && (stat(ticket_key_filename, &sdata) >= 0)) {
       if (sdata.st_mtime && sdata.st_mtime <= last_load_time) {
-        Debug("ssl", "ticket key %s has not changed", ticket_key_filename);
+        Debug("ssl_load", "ticket key %s has not changed", ticket_key_filename);
         // No updates since last load
         return true;
       }
@@ -653,7 +653,7 @@ SSLTicketParams::LoadTicket(bool &nochange)
   default_global_keyblock = keyblock;
   load_time               = time(nullptr);
 
-  Debug("ssl", "ticket key reloaded from %s", ticket_key_filename);
+  Debug("ssl_load", "ticket key reloaded from %s", ticket_key_filename);
 #endif
   return true;
 }
@@ -746,7 +746,7 @@ void
 SSLConfigParams::updateCTX(const std::string &cert_secret_name) const
 {
   // Clear the corresponding client CTXs.  They will be lazy loaded later
-  Debug("ssl", "Update cert %s", cert_secret_name.c_str());
+  Debug("ssl_load", "Update cert %s", cert_secret_name.c_str());
   this->clearCTX(cert_secret_name);
 
   // Update the server cert
@@ -762,7 +762,7 @@ SSLConfigParams::clearCTX(const std::string &client_cert) const
     auto ctx_iter = ctx_map_iter->second.find(client_cert);
     if (ctx_iter != ctx_map_iter->second.end()) {
       ctx_iter->second = nullptr;
-      Debug("ssl", "Clear client cert %s %s", ctx_map_iter->first.c_str(), ctx_iter->first.c_str());
+      Debug("ssl_load", "Clear client cert %s %s", ctx_map_iter->first.c_str(), ctx_iter->first.c_str());
     }
   }
   ink_mutex_release(&ctxMapLock);

iocore/net/SSLSecret.cc

@@ -55,12 +55,14 @@ SSLSecret::loadFile(const std::string &name, std::string &data_item)
   struct stat statdata;
   // Load the secret and add it to the map
   if (stat(name.c_str(), &statdata) < 0) {
+    Debug("ssl_secret", "File: %s received error: %s", name.c_str(), strerror(errno));
     return false;
   }
   std::error_code error;
   data_item = ts::file::load(ts::file::path(name), error);
   if (error) {
     // Loading file failed
+    Debug("ssl_secret", "Loading file: %s failed ", name.c_str());
     return false;
   }
   if (SSLConfigParams::load_ssl_file_cb) {
@@ -116,7 +118,7 @@ SSLSecret::getSecret(const std::string &name, std::string_view &data) const
 bool
 SSLSecret::getOrLoadSecret(const std::string &name1, const std::string &name2, std::string_view &data1, std::string_view &data2)
 {
-  Debug("ssl_secret", "lookup up secrets for %s and %s", name1.c_str(), name2.c_str());
+  Debug("ssl_secret", "lookup up secrets for %s and %s", name1.c_str(), name2.empty() ? "[empty]" : name2.c_str());
   std::scoped_lock lock(secret_map_mutex);
   bool found_secret1 = this->getSecret(name1, data1);
   bool found_secret2 = name2.empty() || this->getSecret(name2, data2);