Add scanner-only option to enable tls debugging.

CHANGELOG.md

@@ -6,6 +6,9 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## [unreleased]
 
+### Added
+- Add scanner-only option to enable tls debugging. [#558](https://github.com/greenbone/openvas/pull/558)
+
 ### Changed
 -Store results in main_kb instead of host_kb. [#550](https://github.com/greenbone/openvas/pull/550)
 

doc/openvas.8.in

@@ -76,6 +76,17 @@ so you need to find a balance between these two options. Note that launching too
 .IP log_whole_attack
 If this option is set to 'yes', openvas will store the name, pid, date and target of each plugin launched. This is helpful for monitoring and debugging purpose, however this option might make openvas fill your disk rather quickly. 
 
+.IP debug_tls
+This is an scanner-only option which allows you to set the TLS log level.
+The level is an integer between 0 and 9. Higher values mean more verbosity and
+might make openvas fill your disk rather quickly.
+The default value is 0 (disabled).
+
+Larger values should only be used with care, since they may reveal sensitive
+information in the scanner logs.
+
+Use a debug level over 10 to enable all debugging options.
+
 .IP log_plugins_name_at_load
 If this option is set to 'yes', openvas will log the name of each plugin being loaded at startup, or each time it receives the HUP signal.
 

src/openvas.c

@@ -45,6 +45,7 @@
 #include <fcntl.h>  /* for open() */
 #include <gcrypt.h> /* for gcry_control */
 #include <glib.h>
+#include <gnutls/gnutls.h> /* for gnutls_global_set_log_*  */
 #include <grp.h>
 #include <gvm/base/logging.h> /* for setup_log_handler, load_log_configuration, free_log_configuration*/
 #include <gvm/base/nvti.h>      /* for prefs_get() */
@@ -127,8 +128,15 @@ static openvas_option openvas_defaults[] = {
   {"db_address", KB_PATH_DEFAULT},
   {"vendor_version", "\0"},
   {"test_alive_hosts_only", "no"},
+  {"debug_tls", "0"},
   {NULL, NULL}};
 
+static void
+my_gnutls_log_func (int level, const char *text)
+{
+  g_message ("(%d) %s", level, text);
+}
+
 static void
 set_globals_from_preferences (void)
 {
@@ -363,6 +371,15 @@ start_single_task_scan (void)
     g_message ("Could not initialize openvas SSL!");
 #endif
 
+  if (prefs_get ("debug_tls") != NULL && atoi (prefs_get ("debug_tls")) > 0)
+    {
+      g_warning ("TLS debug is enabled and should only be used with care, "
+                 "since it may reveal sensitive information in the scanner "
+                 "logs and might make openvas fill your disk rather quickly.");
+      gnutls_global_set_log_function (my_gnutls_log_func);
+      gnutls_global_set_log_level (atoi (prefs_get ("debug_tls")));
+    }
+
 #ifdef OPENVAS_GIT_REVISION
   g_message ("openvas %s (GIT revision %s) started", OPENVAS_VERSION,
              OPENVAS_GIT_REVISION);

src/utils.c

@@ -255,7 +255,8 @@ is_scanner_only_pref (const char *pref)
       || !strcmp (pref, "log_whole_attack")
       || !strcmp (pref, "log_plugins_name_at_load")
       || !strcmp (pref, "nasl_no_signature_check")
-      || !strcmp (pref, "vendor_version")
+      || !strcmp (pref, "vendor_version") || !strcmp (pref, "drop_privileges")
+      || !strcmp (pref, "debug_tls")
       /* Preferences starting with sys_ are scanner-side only. */
       || !strncmp (pref, "sys_", 4))
     return 1;