Merge pull request #8553 from zmstone/0722-add-ssl-debug

feat: make possible to debug ssl handshake

CHANGES-4.3.md

@@ -24,9 +24,11 @@ File format:
   This causes the clients to not expire as long as a new UDP packet arrives [#8575]
 
 ### Enhancements
+
 - HTTP API(GET /rules/) support for pagination and fuzzy filtering. [#8450]
 - Add check_conf cli to check config format. [#8486]
 - Optimize performance of shared subscription
+- Make possible to debug-print SSL handshake procedure by setting listener config `log_level=debug` [#8553](https://github.com/emqx/emqx/pull/8553)
 
 ## v4.3.16
 

etc/emqx.conf

@@ -1575,6 +1575,14 @@ listener.ssl.external.ciphers = TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TL
 ## Value: cn | dn | crt | pem | md5
 ## listener.ssl.external.peer_cert_as_clientid = cn
 
+## Default is 'notice', set 'debug' to inspect TLS handshake messaes.
+## This log level is not related to EMQX's log level.
+##
+## NOTE: never set to 'debug' in production environemnts.
+##
+## Value: emergency | alert | critical | error | warning | notice | info | debug
+## listener.ssl.external.log_level = notice
+#
 ## TCP backlog for the SSL connection.
 ##
 ## See listener.tcp.$name.backlog
@@ -2086,6 +2094,10 @@ listener.wss.external.ciphers = TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TL
 ## Value: cn | dn | crt | pem | md5
 ## listener.wss.external.peer_cert_as_clientid = cn
 
+## See: listener.ssl.$name.log_level
+## Value: emergency | alert | critical | error | warning | notice | info | debug
+## listener.wss.external.log_level = notice
+
 ## TCP backlog for the WebSocket/SSL connection.
 ##
 ## See: listener.tcp.$name.backlog

priv/emqx.schema

@@ -1595,6 +1595,10 @@ end}.
   {datatype, {enum, [cn, dn, crt, pem, md5]}}
 ]}.
 
+{mapping, "listener.ssl.$name.log_level", "emqx.listeners", [
+  {datatype, {enum, [emergency, alert, critical, error, warning, notice, info, debug, none, all]}}
+]}.
+
 %%--------------------------------------------------------------------
 %% MQTT/WebSocket Listeners
 
@@ -2047,6 +2051,10 @@ end}.
   hidden
 ]}.
 
+{mapping, "listener.wss.$name.log_level", "emqx.listeners", [
+  {datatype, {enum, [emergency, alert, critical, error, warning, notice, info, debug, none, all]}}
+]}.
+
 {translation, "emqx.listeners", fun(Conf) ->
 
     Filter  = fun(Opts) -> [{K, V} || {K, V} <- Opts, V =/= undefined] end,
@@ -2117,7 +2125,9 @@ end}.
                           {mqtt_piggyback, cuttlefish:conf_get(Prefix ++ ".mqtt_piggyback", Conf, undefined)},
                           {check_origin_enable, cuttlefish:conf_get(Prefix ++ ".check_origin_enable", Conf, undefined)},
                           {allow_origin_absence, cuttlefish:conf_get(Prefix ++ ".allow_origin_absence", Conf, undefined)},
-                          {check_origins, WsOpts(Prefix)} | AccOpts(Prefix)])
+                          {check_origins, WsOpts(Prefix)}
+                         | AccOpts(Prefix)
+                         ])
               end,
     DeflateOpts = fun(Prefix) ->
                       Filter([{level, cuttlefish:conf_get(Prefix ++ ".deflate_opts.level", Conf, undefined)},
@@ -2210,7 +2220,9 @@ end}.
                           {fail_if_no_peer_cert, cuttlefish:conf_get(Prefix ++ ".fail_if_no_peer_cert", Conf, undefined)},
                           {secure_renegotiate, cuttlefish:conf_get(Prefix ++ ".secure_renegotiate", Conf, undefined)},
                           {reuse_sessions, cuttlefish:conf_get(Prefix ++ ".reuse_sessions", Conf, undefined)},
-                          {honor_cipher_order, cuttlefish:conf_get(Prefix ++ ".honor_cipher_order", Conf, undefined)}])
+                          {honor_cipher_order, cuttlefish:conf_get(Prefix ++ ".honor_cipher_order", Conf, undefined)},
+                          {log_level, cuttlefish:conf_get(Prefix ++ ".log_level", Conf, undefined)}
+                         ])
               end,
 
     Listen_fix = fun({Ip, Port}) -> case inet:parse_address(Ip) of