Next: , Previous: , Up: Introduction to the library   [Contents][Index]

6.1.4 Debugging and auditing

In many cases things may not go as expected and further information, to assist debugging, from GnuTLS is desired. Those are the cases where the gnutls_global_set_log_level and gnutls_global_set_log_function are to be used. Those will print verbose information on the GnuTLS functions internal flow.

void gnutls_global_set_log_level (int level)
void gnutls_global_set_log_function (gnutls_log_func log_func)

Alternatively the environment variable GNUTLS_DEBUG_LEVEL can be set to a logging level and GnuTLS will output debugging output to standard error. Other available environment variables are shown in Table 6.1.

GNUTLS_DEBUG_LEVELWhen set to a numeric value, it sets the default debugging level for GnuTLS applications.
SSLKEYLOGFILEWhen set to a filename, GnuTLS will append to it the session keys in the NSS Key Log format. That format can be read by wireshark and will allow decryption of the session for debugging.
GNUTLS_CPUID_OVERRIDEThat environment variable can be used to explicitly enable/disable the use of certain CPU capabilities. Note that CPU detection cannot be overridden, i.e., VIA options cannot be enabled on an Intel CPU. The currently available options are:
  • 0x1: Disable all run-time detected optimizations
  • 0x2: Enable AES-NI
  • 0x4: Enable SSSE3
  • 0x8: Enable PCLMUL
  • 0x10: Enable AVX
  • 0x100000: Enable VIA padlock
  • 0x200000: Enable VIA PHE
  • 0x400000: Enable VIA PHE SHA512
GNUTLS_FORCE_FIPS_MODEIn setups where GnuTLS is compiled with support for FIPS140-2 (see –enable-fips140-mode in configure), that option if set to one enforces the FIPS140 mode.

Table 6.1: Environment variables used by the library.

When debugging is not required, important issues, such as detected attacks on the protocol still need to be logged. This is provided by the logging function set by gnutls_global_set_audit_log_function. The provided function will receive an message and the corresponding TLS session. The session information might be used to derive IP addresses or other information about the peer involved.

Function: void gnutls_global_set_audit_log_function (gnutls_audit_log_func log_func)

log_func: it is the audit log function

This is the function to set the audit logging function. This is a function to report important issues, such as possible attacks in the protocol. This is different from gnutls_global_set_log_function() because it will report also session-specific events. The session parameter will be null if there is no corresponding TLS session.

gnutls_audit_log_func is of the form, void (*gnutls_audit_log_func)( gnutls_session_t, const char*);

Since: 3.0

Next: , Previous: , Up: Introduction to the library   [Contents][Index]