From 7872b138a53a2c3fc49b77d127844f24063026a1 Mon Sep 17 00:00:00 2001
From: Mechiel Lukkien
Date: Wed, 5 Mar 2025 21:58:24 +0100
Subject: [PATCH] Use consistent lower-case names when logging tls version and ciphersuite
Less shouty than upper case names.
---
 imapserver/server.go | 11 +++--------
 moxio/tlsinfo.go | 25 ++++++++-----------------
 smtpclient/client.go | 8 ++++----
 smtpserver/server.go | 11 +++--------
 store/loginattempt.go | 7 ++++---
 5 files changed, 22 insertions(+), 40 deletions(-)
diff --git a/imapserver/server.go b/imapserver/server.go
index 00772a2..80102f8 100644
--- a/imapserver/server.go
+++ b/imapserver/server.go
@@ -1096,9 +1096,10 @@ func (c *conn) xtlsHandshakeAndAuthenticate(conn net.Conn) {
 }
 }
+ version, ciphersuite := moxio.TLSInfo(cs)
 attrs := []slog.Attr{
- slog.Any("version", tlsVersion(cs.Version)),
- slog.String("ciphersuite", tls.CipherSuiteName(cs.CipherSuite)),
+ slog.String("version", version),
+ slog.String("ciphersuite", ciphersuite),
 slog.String("sni", cs.ServerName),
 slog.Bool("resumed", cs.DidResume),
 slog.Int("clientcerts", len(cs.PeerCertificates)),
@@ -1112,12 +1113,6 @@ func (c *conn) xtlsHandshakeAndAuthenticate(conn net.Conn) {
 c.log.Debug("tls handshake completed", attrs...)
 }
-type tlsVersion uint16
-
-func (v tlsVersion) String() string {
- return strings.ReplaceAll(strings.ToLower(tls.VersionName(uint16(v))), " ", "-")
-}
-
 func (c *conn) command() {
 var tag, cmd, cmdlow string
 var p *parser
diff --git a/moxio/tlsinfo.go b/moxio/tlsinfo.go
index 960a3e3..52b1c44 100644
--- a/moxio/tlsinfo.go
+++ b/moxio/tlsinfo.go
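Review bot: The value logged under `version` changes its format here, not only its case: the removed `tlsVersion.String()` turned the space in `tls.VersionName`'s "TLS 1.3" into a hyphen, while the patched `moxio.TLSInfo` deletes it (`tls1.3`, per its own comment), and `ciphersuite` moves from the upper-case `tls.CipherSuiteName` form to lower case. Any log parsing or alerting that keys on the previous forms in the "tls handshake completed" record will stop matching, for imapserver here and for smtpserver in its identical hunk at 628, so the commit message or changelog should say more than "lower-case names". The body of xtlsHandshakeAndAuthenticate starts and ends outside the hunk.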
@@ -2,28 +2,19 @@ package moxio
 import (
 "crypto/tls"
- "fmt"
+ "strings"
 )
 // TLSInfo returns human-readable strings about the TLS connection, for use in
 // logging.
-func TLSInfo(conn *tls.Conn) (version, ciphersuite string) {
- st := conn.ConnectionState()
+func TLSInfo(cs tls.ConnectionState) (version, ciphersuite string) {
+ // e.g. tls1.3, instead of "TLS 1.3"
+ version = tls.VersionName(cs.Version)
+ version = strings.ToLower(version)
+ version = strings.ReplaceAll(version, " ", "")
- versions := map[uint16]string{
- tls.VersionTLS10: "TLS1.0",
- tls.VersionTLS11: "TLS1.1",
- tls.VersionTLS12: "TLS1.2",
- tls.VersionTLS13: "TLS1.3",
- }
+ ciphersuite = tls.CipherSuiteName(cs.CipherSuite)
+ ciphersuite = strings.ToLower(ciphersuite)
- v, ok := versions[st.Version]
- if ok {
- version = v
- } else {
- version = fmt.Sprintf("TLS %x", st.Version)
- }
-
- ciphersuite = tls.CipherSuiteName(st.CipherSuite)
 return
 }
diff --git a/smtpclient/client.go b/smtpclient/client.go
index 04e4524..d9302d3 100644
--- a/smtpclient/client.go
+++ b/smtpclient/client.go
@@ -311,9 +311,9 @@ func New(ctx context.Context, elog *slog.Logger, conn net.Conn, tlsMode TLSMode,
 c.firstReadAfterHandshake = true
 c.tlsResultAdd(1, 0, nil)
 c.conn = tlsconn
- tlsversion, ciphersuite := moxio.TLSInfo(tlsconn)
+ version, ciphersuite := moxio.TLSInfo(tlsconn.ConnectionState())
 c.log.Debug("tls client handshake done",
- slog.String("tls", tlsversion),
+ slog.String("version", version),
 slog.String("ciphersuite", ciphersuite),
 slog.Any("servername", remoteHostname))
 c.tls = true
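Review bot: The doc comment on TLSInfo still only promises "human-readable strings", but this patch fixes the exact form and LoginAttemptTLS now stores it in login-attempt records, so the contract belongs in the comment: `// TLSInfo returns lower-case, space-free names for the TLS version and cipher suite, e.g. "tls1.3"; ids unknown to crypto/tls come out as lower-case hex.` The removed code had an explicit `"TLS %x"` fallback for unknown versions; the new code leans on tls.VersionName and tls.CipherSuiteName formatting unknown ids as hex, which survives ToLower, so nothing is lost, but that is worth stating since a reader will look for the fallback. The version is built in three assignments where one expression reads the same and matches the form the removed servers' code used, `version = strings.ReplaceAll(strings.ToLower(tls.VersionName(cs.Version)), " ", "")`. Taking tls.ConnectionState by value copies the whole struct per call to read two uint16 fields; a `*tls.ConnectionState` parameter would also let LoginAttemptTLS pass its pointer instead of dereferencing it.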
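Review bot: The attribute key in the "tls client handshake done" record changes from `tls` to `version`, and the same rename is made in the "starttls client handshake done" record in hello (hunk at 828). That is a log-schema change for anyone querying client-side handshake logs by the old key, and the commit message mentions only the case of the values, not the key. The new key does match the server-side records, so the rename itself looks right and only needs calling out. The body of New starts and ends outside the hunk.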
@@ -828,13 +828,13 @@ func (c *Client) hello(ctx context.Context, tlsMode TLSMode, ehloHostname dns.Do
 c.r = bufio.NewReader(c.tr)
 c.w = bufio.NewWriter(c.tw)
- tlsversion, ciphersuite := moxio.TLSInfo(nconn)
+ version, ciphersuite := moxio.TLSInfo(nconn.ConnectionState())
 c.log.Debug("starttls client handshake done",
 slog.Any("tlsmode", tlsMode),
 slog.Bool("verifypkix", c.tlsVerifyPKIX),
 slog.Bool("verifydane", c.daneRecords != nil),
 slog.Bool("ignoretlsverifyerrors", c.ignoreTLSVerifyErrors),
- slog.String("tls", tlsversion),
+ slog.String("version", version),
 slog.String("ciphersuite", ciphersuite),
 slog.Any("servername", c.remoteHostname),
 slog.Any("danerecord", c.daneVerifiedRecord))
diff --git a/smtpserver/server.go b/smtpserver/server.go
index 8d2ec96..358e48c 100644
--- a/smtpserver/server.go
+++ b/smtpserver/server.go
@@ -628,9 +628,10 @@ func (c *conn) xtlsHandshakeAndAuthenticate(conn net.Conn) {
 }
 }
+ version, ciphersuite := moxio.TLSInfo(cs)
 attrs := []slog.Attr{
- slog.Any("version", tlsVersion(cs.Version)),
- slog.String("ciphersuite", tls.CipherSuiteName(cs.CipherSuite)),
+ slog.String("version", version),
+ slog.String("ciphersuite", ciphersuite),
 slog.String("sni", cs.ServerName),
 slog.Bool("resumed", cs.DidResume),
 slog.Int("clientcerts", len(cs.PeerCertificates)),
@@ -644,12 +645,6 @@ func (c *conn) xtlsHandshakeAndAuthenticate(conn net.Conn) {
 c.log.Debug("tls handshake completed", attrs...)
 }
-type tlsVersion uint16
-
-func (v tlsVersion) String() string {
- return strings.ReplaceAll(strings.ToLower(tls.VersionName(uint16(v))), " ", "-")
-}
-
 // completely reset connection state as if greeting has just been sent.
 // ../rfc/3207:210
 func (c *conn) reset() {
diff --git a/store/loginattempt.go b/store/loginattempt.go
index 0cda44c..6621351 100644
--- a/store/loginattempt.go
+++ b/store/loginattempt.go
@@ -7,13 +7,13 @@ import (
 "fmt"
 "log/slog"
 "runtime/debug"
- "strings"
 "time"
 "github.com/mjl-/bstore"
 "github.com/mjl-/mox/metrics"
 "github.com/mjl-/mox/mlog"
+ "github.com/mjl-/mox/moxio"
 )
 var loginAttemptsMaxPerAccount = 10 * 1000 // Lower during tests.
@@ -353,9 +353,10 @@ func LoginAttemptTLS(state *tls.ConnectionState) string {
 return ""
 }
+ version, ciphersuite := moxio.TLSInfo(*state)
 return fmt.Sprintf("version=%s ciphersuite=%s sni=%s resumed=%v alpn=%s",
- strings.ReplaceAll(strings.ToLower(tls.VersionName(state.Version)), " ", ""), // e.g. tls1.3
- strings.ToLower(tls.CipherSuiteName(state.CipherSuite)),
+ version,
+ ciphersuite,
 state.ServerName,
 state.DidResume,
 state.NegotiatedProtocol)
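Review bot: The Sprintf reworked in the hunk at 353 still interpolates `state.ServerName` through `sni=%s` into a space-separated key=value string; the SNI is chosen by the connecting client, so a value containing a space or `=` reads as extra fields to anything that later parses this login-attempt text. `sni=%q` keeps that field unambiguous while the version and ciphersuite values, which come from fixed vocabularies in crypto/tls, can stay as they are. This is pre-existing rather than introduced here, but the call is being touched anyway. The dereference in `moxio.TLSInfo(*state)` appears to be covered by the nil check whose `return ""` opens the hunk, though the condition itself is outside the hunk.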