[ https://issues.apache.org/jira/browse/MESOS-5320?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Till Toenshoff reassigned MESOS-5320:
-------------------------------------

    Assignee: Till Toenshoff

> SSL related error messages can be misguiding or incomplete
> ----------------------------------------------------------
>
>                 Key: MESOS-5320
>                 URL: https://issues.apache.org/jira/browse/MESOS-5320
>             Project: Mesos
>          Issue Type: Bug
>    Affects Versions: 1.0.0
>            Reporter: Till Toenshoff
>            Assignee: Till Toenshoff
>              Labels: ssl
>
> I was trying to activate SSL within Mesos but had rendered an invalid
> certificate: it was signed with a mismatching key. Once I started the master,
> the error message I received was rather confusing to me:
>
> {noformat}
> W0503 10:15:58.027343  6696 openssl.cpp:363] Failed SSL connections will be downgraded to a non-SSL socket
> Could not load key file
> {noformat}
>
> To me, this error message hinted that the key file did not exist or had
> rights issues. However, a quick {{strace}} revealed that the key file was
> properly accessed; no sign of a file-not-found or the like.
>
> The problem here is the hardcoded error message, which does not take OpenSSL's
> human-readable error strings into account.
>
> The code that misguided me is located at
> https://github.com/apache/mesos/blob/master/3rdparty/libprocess/src/openssl.cpp#L471
>
> We might want to change
>
> {noformat}
> // Set private key.
> if (SSL_CTX_use_PrivateKey_file(
>         ctx,
>         ssl_flags->key_file.get().c_str(),
>         SSL_FILETYPE_PEM) != 1) {
>   EXIT(EXIT_FAILURE) << "Could not load key file";
> }
> {noformat}
>
> towards something like this
>
> {noformat}
> // Set private key.
> if (SSL_CTX_use_PrivateKey_file(
>         ctx,
>         ssl_flags->key_file.get().c_str(),
>         SSL_FILETYPE_PEM) != 1) {
>   EXIT(EXIT_FAILURE) << "Could not use key file: "
>                      << ERR_error_string(ERR_get_error(), NULL);
> }
> {noformat}
>
> to receive a much more helpful message like this:
>
> {noformat}
> W0503 13:18:12.551364 11572 openssl.cpp:363] Failed SSL connections will be downgraded to a non-SSL socket
> Could not use key file: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
> {noformat}
>
> A quick scan of the implementation within {{openssl.cpp}} suggests to me that
> there are more places that we might want to update with more deterministic
> error messages.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
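The root cause in this report, a private key that does not belong to the configured certificate, can be caught by an operator before the master is ever started. The following pre-flight check is an added example, not Mesos or libprocess code; it assumes the `openssl` command-line tool is installed and builds its own constructed key and certificate material so it runs offline.

```shell
#!/bin/sh
# Added example (not Mesos code): verify that a PEM private key belongs to a
# PEM certificate, i.e. the condition OpenSSL reports as
# "X509_check_private_key:key values mismatch". Requires the openssl CLI.
set -eu

# Constructed test material: a matching key/cert pair (key_a, cert_a) and a
# second, unrelated key (key_b) that plays the role of the mismatching key file.
make_test_material() {
    dir="$1"
    openssl ecparam -genkey -name prime256v1 -noout -out "$dir/key_a.pem" 2>/dev/null
    openssl req -x509 -new -key "$dir/key_a.pem" -subj "/CN=ssl-check-example" \
        -days 1 -out "$dir/cert_a.pem" 2>/dev/null
    openssl ecparam -genkey -name prime256v1 -noout -out "$dir/key_b.pem" 2>/dev/null
}

# SHA-256 of the DER-encoded public key embedded in a certificate.
cert_pubkey_digest() {
    openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256
}

# SHA-256 of the DER-encoded public key derived from a private key.
key_pubkey_digest() {
    openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256
}

# Exit status 0 when the key matches the certificate, 1 otherwise.
key_matches_cert() {
    cert="$1"; key="$2"
    [ "$(cert_pubkey_digest "$cert")" = "$(key_pubkey_digest "$key")" ]
}

# Demo run on the constructed material: key_a matches, key_b does not.
work="$(mktemp -d)"
make_test_material "$work"
for k in key_a key_b; do
    if key_matches_cert "$work/cert_a.pem" "$work/$k.pem"; then
        echo "$k.pem: matches cert_a.pem"
    else
        echo "$k.pem: does NOT match cert_a.pem (SSL_CTX_use_PrivateKey_file would fail)"
    fi
done
rm -rf "$work"
```

Running this against the real `--ssl_cert_file` and `--ssl_key_file` paths before starting the master turns the ambiguous "Could not load key file" into a clear yes/no answer about the mismatch.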