[jira] [Assigned] (MESOS-5320) SSL related error messages can be misguiding or incomplete

Mon, 19 Sep 2016 05:45:40 -0700 

     [ 
https://issues.apache.org/jira/browse/MESOS-5320?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Till Toenshoff reassigned MESOS-5320:
-------------------------------------

    Assignee: Till Toenshoff

> SSL related error messages can be misguiding or incomplete
> ----------------------------------------------------------
>
>                 Key: MESOS-5320
>                 URL: https://issues.apache.org/jira/browse/MESOS-5320
>             Project: Mesos
>          Issue Type: Bug
>    Affects Versions: 1.0.0
>            Reporter: Till Toenshoff
>            Assignee: Till Toenshoff
>              Labels: ssl
>
> I was trying to activate SSL within Mesos but had rendered an invalid 
> certificate, it was signed with a mismatching key. Once I started the master, 
> the error message I received was rather confusing to me:
> {noformat}
> W0503 10:15:58.027343  6696 openssl.cpp:363] Failed SSL connections will be 
> downgraded to a non-SSL socket
> Could not load key file
> {noformat} 
> To me, this error message hinted that the key file was not existing or had 
> rights issues. However, a quick {{strace}} revealed  that the key-file was 
> properly accessed, no sign of a file-not-found or alike.
> The problem here is the hardcoded error-message, not taking OpenSSL's human 
> readable error strings into account.
> The code that misguided me is located at  
> https://github.com/apache/mesos/blob/master/3rdparty/libprocess/src/openssl.cpp#L471
> We might want to change
> {noformat}
>   // Set private key.
>   if (SSL_CTX_use_PrivateKey_file(
>           ctx,
>           ssl_flags->key_file.get().c_str(),
>           SSL_FILETYPE_PEM) != 1) {
>     EXIT(EXIT_FAILURE) << "Could not load key file";
>   }
> {noformat}
> Towards something like this
> {noformat}
>   // Set private key.
>   if (SSL_CTX_use_PrivateKey_file(
>           ctx,
>           ssl_flags->key_file.get().c_str(),
>           SSL_FILETYPE_PEM) != 1) {
>     EXIT(EXIT_FAILURE) << "Could not use key file: " << 
> ERR_error_string(ERR_get_error(), NULL);
>   }
> {noformat}
> To receive a much more helpful message like this
> {noformat}
> W0503 13:18:12.551364 11572 openssl.cpp:363] Failed SSL connections will be 
> downgraded to a non-SSL socket
> Could not use key file: error:0B080074:x509 certificate 
> routines:X509_check_private_key:key values mismatch
> {noformat}
> A quick scan of the implementation within {{openssl.cpp}} to me suggests that 
> there are more places that we might want to update with more deterministic 
> error messages. 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to