Add scanner-only option to enable tls debugging.

CHANGELOG.md

@@ -17,6 +17,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - Print the filter used by pcap in the error message.
   [#537](https://github.com/greenbone/openvas/pull/537)
   [#540](https://github.com/greenbone/openvas/pull/540)
+- Add scanner-only option to enable tls debugging. [#558](https://github.com/greenbone/openvas/pull/558)
 
 ### Changed
 - The logging of the NASL internal regexp functions was extended to include the pattern in case of a failed regcomp(). [#397](https://github.com/greenbone/openvas/pull/397)

doc/openvas.8.in

@@ -76,6 +76,16 @@ so you need to find a balance between these two options. Note that launching too
 .IP log_whole_attack
 If this option is set to 'yes', openvas will store the name, pid, date and target of each plugin launched. This is helpful for monitoring and debugging purpose, however this option might make openvas fill your disk rather quickly. 
 
+.IP debug_tls
+This is an scanner-only option which allows you to set the TLS log level.
+The level is an integer between 0 and 9. Higher values mean more verbosity.
+The default value is 0 (disabled).
+
+Larger values should only be used with care, since they may reveal sensitive
+information.
+
+Use a debug level over 10 to enable all debugging options.
+
 .IP log_plugins_name_at_load
 If this option is set to 'yes', openvas will log the name of each plugin being loaded at startup, or each time it receives the HUP signal.
 

src/openvas.c

@@ -45,6 +45,7 @@
 #include <fcntl.h>  /* for open() */
 #include <gcrypt.h> /* for gcry_control */
 #include <glib.h>
+#include <gnutls/gnutls.h> /* for gnutls_check_version */
 #include <grp.h>
 #include <gvm/base/logging.h> /* for setup_log_handler, load_log_configuration, free_log_configuration*/
 #include <gvm/base/nvti.h>      /* for prefs_get() */
@@ -127,8 +128,15 @@ static openvas_option openvas_defaults[] = {
   {"db_address", KB_PATH_DEFAULT},
   {"vendor_version", "\0"},
   {"test_alive_hosts_only", "no"},
+  {"debug_tls", "0"},
   {NULL, NULL}};
 
+static void
+my_gnutls_log_func (int level, const char *text)
+{
+  g_message ("(%d) %s", level, text);
+}
+
 static void
 set_globals_from_preferences (void)
 {
@@ -367,6 +375,14 @@ start_single_task_scan (void)
     g_message ("Could not initialize openvas SSL!");
 #endif
 
+  if (prefs_get ("debug_tls") != NULL && atoi (prefs_get ("debug_tls")) > 0)
+    {
+      g_warning ("TLS debug is enabled and should only be used with "
+                 "care, since they may reveal sensitive information.");
+      gnutls_global_set_log_function (my_gnutls_log_func);
+      gnutls_global_set_log_level (atoi (prefs_get ("debug_tls")));
+    }
+
 #ifdef OPENVAS_GIT_REVISION
   g_message ("openvas %s (GIT revision %s) started", OPENVAS_VERSION,
              OPENVAS_GIT_REVISION);

src/utils.c

@@ -255,8 +255,8 @@ is_scanner_only_pref (const char *pref)
       || !strcmp (pref, "log_whole_attack")
       || !strcmp (pref, "log_plugins_name_at_load")
       || !strcmp (pref, "nasl_no_signature_check")
-      || !strcmp (pref, "vendor_version")
-      || !strcmp (pref, "drop_privileges")
+      || !strcmp (pref, "vendor_version") || !strcmp (pref, "drop_privileges")
+      || !strcmp (pref, "debug_tls")
       /* Preferences starting with sys_ are scanner-side only. */
       || !strncmp (pref, "sys_", 4))
     return 1;