[erlang-questions] Improvements in TLS error reporting

Alexey Lebedeff <>
Thu Apr 28 18:50:25 CEST 2016


Hi,

I have some ideas about making SSL error reporting more friendlier for
operators, because currently troubleshooting can be very
problematic. If the solution outlined at the end of the message is
acceptable, I'll make proper PR on github.

There are several places where SSL/TLS handshake errors are being
converted to SSL alerts. During this process some details about errors
are being discarded, so they will fit SSL alert protocol. But the
problem is that the same simplified errors are then used for event
logging - and sometimes they are completely useless.

So several times I've had to resort to adding debug print statements
to ssl app just to find what I've done wrong in my SSL config.

Some examples I've observed:
- Certificate was in wrong format, but detailed error was discarded at [1]
  And 'internal error' message wasn't helpful at all.
- Certificate had wrong ext-key-usage field (there was attempt to use
  server certificate as a client one) This info was happily discarded
  at [2]. And again, the error was logged as unhelful 'handshake
  failure'.

This situation can be improved. I have a suggestion to add additional
field to SSL alert record at [3] which will contain detailed error
description which is currently being throwed out. And then use this
description in ssl_alert:alert_txt/1 at [4].

[1]
https://github.com/erlang/otp/blob/523e048754f5086a6cc4fd9a250e1b495fc5b9b8/lib/ssl/src/ssl_handshake.erl#L169
[2]
https://github.com/erlang/otp/blob/523e048754f5086a6cc4fd9a250e1b495fc5b9b8/lib/ssl/src/ssl_handshake.erl#L1491
[3]
https://github.com/erlang/otp/blob/523e048754f5086a6cc4fd9a250e1b495fc5b9b8/lib/ssl/src/ssl_alert.hrl#L116
[4]
https://github.com/erlang/otp/blob/523e048754f5086a6cc4fd9a250e1b495fc5b9b8/lib/ssl/src/ssl_alert.erl#L77

Best,
Alexey
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20160428/cc5e4a17/attachment.html>


More information about the erlang-questions mailing list