<div dir="ltr">Hi!<div><br></div><div>Sounds interesting, but remember that not all information is desirable to have in the logs. Sometimes the protocol will hide certain errors on purpose. Also too extensive logging can be bad. Although as a developer I appreciate as informative error messages as possible.</div><div><br></div><div>Regards Ingela Erlang/OTP team - Ericsson AB </div><div><br></div><div><div class="gmail_extra"><br><div class="gmail_quote">2016-04-28 18:50 GMT+02:00 Alexey Lebedeff <span dir="ltr"><<a href="mailto:binarin@binarin.ru" target="_blank">binarin@binarin.ru</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi,<br><br>I have some ideas about making SSL error reporting more friendlier for<br>operators, because currently troubleshooting can be very<br>problematic. If the solution outlined at the end of the message is<br>acceptable, I'll make proper PR on github.<br><br>There are several places where SSL/TLS handshake errors are being<br>converted to SSL alerts. During this process some details about errors<br>are being discarded, so they will fit SSL alert protocol. But the<br>problem is that the same simplified errors are then used for event<br>logging - and sometimes they are completely useless.<br><br>So several times I've had to resort to adding debug print statements<br>to ssl app just to find what I've done wrong in my SSL config.<br><br>Some examples I've observed:<br>- Certificate was in wrong format, but detailed error was discarded at [1]<br> And 'internal error' message wasn't helpful at all.<br>- Certificate had wrong ext-key-usage field (there was attempt to use<br> server certificate as a client one) This info was happily discarded<br> at [2]. And again, the error was logged as unhelful 'handshake<br> failure'.<br><br>This situation can be improved. I have a suggestion to add additional<br>field to SSL alert record at [3] which will contain detailed error<br>description which is currently being throwed out. And then use this<br>description in ssl_alert:alert_txt/1 at [4].<br><br>[1] <a href="https://github.com/erlang/otp/blob/523e048754f5086a6cc4fd9a250e1b495fc5b9b8/lib/ssl/src/ssl_handshake.erl#L169" target="_blank">https://github.com/erlang/otp/blob/523e048754f5086a6cc4fd9a250e1b495fc5b9b8/lib/ssl/src/ssl_handshake.erl#L169</a><br>[2] <a href="https://github.com/erlang/otp/blob/523e048754f5086a6cc4fd9a250e1b495fc5b9b8/lib/ssl/src/ssl_handshake.erl#L1491" target="_blank">https://github.com/erlang/otp/blob/523e048754f5086a6cc4fd9a250e1b495fc5b9b8/lib/ssl/src/ssl_handshake.erl#L1491</a><br>[3] <a href="https://github.com/erlang/otp/blob/523e048754f5086a6cc4fd9a250e1b495fc5b9b8/lib/ssl/src/ssl_alert.hrl#L116" target="_blank">https://github.com/erlang/otp/blob/523e048754f5086a6cc4fd9a250e1b495fc5b9b8/lib/ssl/src/ssl_alert.hrl#L116</a><br>[4] <a href="https://github.com/erlang/otp/blob/523e048754f5086a6cc4fd9a250e1b495fc5b9b8/lib/ssl/src/ssl_alert.erl#L77" target="_blank">https://github.com/erlang/otp/blob/523e048754f5086a6cc4fd9a250e1b495fc5b9b8/lib/ssl/src/ssl_alert.erl#L77</a><br><br>Best,<br>Alexey<br><br></div>
<br>_______________________________________________<br>
erlang-questions mailing list<br>
<a href="mailto:erlang-questions@erlang.org">erlang-questions@erlang.org</a><br>
<a href="http://erlang.org/mailman/listinfo/erlang-questions" rel="noreferrer" target="_blank">http://erlang.org/mailman/listinfo/erlang-questions</a><br>
<br></blockquote></div><br></div></div></div>