[erlang-questions] Log SSL errors' originating IP addresses

Roberto Ostinelli roberto@REDACTED
Mon Nov 23 17:57:36 CET 2015


Hi Kaiduan,
Indeed, but I would most probably still need to catch errors (since these
are raised at ssl level:
https://github.com/otphub/ssl/blob/master/src/tls_handshake.erl#L174)

However, the SSL handshake is called by Cowboy.
I'm wondering if I can log this without patching it.

Best,
r.


On Mon, Nov 23, 2015 at 3:46 PM, Kaiduan Xie <kaiduanx@REDACTED> wrote:

> Looks like those errors happen at SSL handshake stage, you can log the
> IP address at your application.
>
> {ok, Socket} = ssl:transport_accept(Listen_socket),
> case ssl:ssl_accept(Socket) of
>     ok ->
>         ....
>     {error, Reason} ->
>         %% log the source IP of Socket here
> end
>
> /Kaiduan
>
> On Mon, Nov 23, 2015 at 9:09 AM, Roberto Ostinelli <roberto@REDACTED>
> wrote:
> > All,
> > I'm using Cowboy with SSL, and I'm often seeing errors like these ones:
> >
> > SSL: hello: tls_handshake.erl:174:Fatal error: protocol version
> > SSL: certify: ssl_alert.erl:93:Fatal error: illegal parameter
> > SSL: hello: tls_handshake.erl:167:Fatal error: insufficient security
> >
> > And so on.
> >
> > To my understanding, these are pretty normal and result from a variety of
> > reasons (attacks, bad clients using deprecated SSL protocols, etc).
> >
> > My question is, though: is there any way to log the IP addresses that
> > originate these errors?
> > Since these happen at Erlang level, they do not even hit my application and
> > am unsure of what my best options are.
> >
> > Thank you for reading this.
> >
> > Best,
> > r.
>
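
An added example, not code from this thread or from Cowboy: an accept loop that owns the handshake, as the quoted reply suggests, and logs the peer address when the handshake fails. The module name, function names and log format are assumptions; it uses ssl:handshake/2 and logger (OTP 21 and later) where the thread's snippet uses ssl:ssl_accept/1.

```erlang
%% Added example; module and function names are hypothetical.
-module(tls_peer_log).
-export([start/3]).

%% TlsOpts must carry the server credentials, e.g.
%% [{certfile, "server.pem"}, {keyfile, "server.key"}] (placeholder paths).
%% Handler is a fun/1 that receives the established TLS socket.
start(Port, TlsOpts, Handler) ->
    {ok, _} = application:ensure_all_started(ssl),
    {ok, Listen} = ssl:listen(Port, [{active, false}, {reuseaddr, true} | TlsOpts]),
    spawn_link(fun() -> accept_loop(Listen, Handler) end),
    {ok, Listen}.

accept_loop(Listen, Handler) ->
    case ssl:transport_accept(Listen) of
        {ok, Socket} ->
            %% Read the peer address before the handshake: after a failed
            %% handshake the socket may no longer answer peername.
            Peer = peer_to_string(ssl:peername(Socket)),
            case ssl:handshake(Socket, 5000) of
                {ok, TlsSocket} ->
                    %% Hand the socket to a worker; it waits for 'go' so it
                    %% never touches the socket before it owns it.
                    Pid = spawn(fun() -> receive go -> Handler(TlsSocket) end end),
                    _ = ssl:controlling_process(TlsSocket, Pid),
                    Pid ! go;
                {error, Reason} ->
                    logger:warning("TLS handshake failed peer=~s reason=~p",
                                   [Peer, Reason])
            end,
            accept_loop(Listen, Handler);
        {error, closed} ->
            ok;  %% listen socket closed, stop accepting
        {error, Reason} ->
            logger:warning("transport_accept failed: ~p", [Reason]),
            accept_loop(Listen, Handler)
    end.

%% Render the result of ssl:peername/1 for the log line.
peer_to_string({ok, {Addr, Port}}) ->
    io_lib:format("~s:~b", [inet:ntoa(Addr), Port]);
peer_to_string({error, Reason}) ->
    io_lib:format("unknown(~p)", [Reason]).
```

This applies only where the application runs its own accept loop; it does not hook into the handshake that Cowboy performs.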