Improve TLS error reporting.

Before 9f2d647 TLS errors included additional details in at least some cases. After 9f2d647 a connection to an HTTP server threw `TLS error [1]` instead of `unable to negotiate TLS connection: [336031996] unknown protocol`. Bring back the detailed messages to make debugging TLS errors easier. Since the error routine is now generic the `unable to negotiate TLS connection context` is not available so the error looks like `TLS error [1:336031996] unknown protocol`.
2024-12-12 10:04:14 +02:00 · 2020-08-04 15:15:24 -04:00 · 2020-08-04 15:15:24 -04:00 · 847e61ce21
commit 847e61ce21
parent 94d3a01f73
3 changed files with 30 additions and 6 deletions
--- a/doc/xml/release.xml
+++ b/doc/xml/release.xml
@ -64,6 +64,15 @@

                        <p>Proactively close file descriptors after forking async process.</p>
                    </release-item>
+
+                    <release-item>
+                        <release-item-contributor-list>
+                            <release-item-reviewer id="cynthia.shang"/>
+                            <release-item-reviewer id="stephen.frost"/>
+                        </release-item-contributor-list>
+
+                        <p>Improve TLS error reporting.</p>
+                    </release-item>
                </release-improvement-list>
            </release-core-list>

--- a/src/common/io/tls/session.c
+++ b/src/common/io/tls/session.c
@ -86,11 +86,12 @@ Returns:
 ***********************************************************************************************************************************/
 // Helper to process error conditions
 static int
-tlsSessionResultProcess(TlsSession *this, int errorTls, int errorSys, bool closeOk)
+tlsSessionResultProcess(TlsSession *this, int errorTls, long unsigned int errorTlsDetail, int errorSys, bool closeOk)
 {
    FUNCTION_LOG_BEGIN(logLevelTrace);
        FUNCTION_LOG_PARAM(TLS_SESSION, this);
        FUNCTION_LOG_PARAM(INT, errorTls);
+        FUNCTION_LOG_PARAM(UINT64, errorTlsDetail);
        FUNCTION_LOG_PARAM(INT, errorSys);
        FUNCTION_LOG_PARAM(BOOL, closeOk);
    FUNCTION_LOG_END();
@ -134,7 +135,14 @@ tlsSessionResultProcess(TlsSession *this, int errorTls, int errorSys, bool close

        // Any other error that we cannot handle
        default:
-            THROW_FMT(ServiceError, "TLS error [%d]", errorTls);
+        {
+            // Get detailed error message when available
+            const char *errorTlsDetailMessage = ERR_reason_error_string(errorTlsDetail);
+
+            THROW_FMT(
+                ServiceError, "TLS error [%d:%lu] %s", errorTls, errorTlsDetail,
+                errorTlsDetailMessage == NULL ? "no details available" : errorTlsDetailMessage);
+        }
    }

    FUNCTION_LOG_RETURN(INT, result);
@ -157,9 +165,10 @@ tlsSessionResult(TlsSession *this, int result, bool closeOk)
    {
        // Get TLS error and store errno in case of syscall error
        int errorTls = SSL_get_error(this->session, result);
+        long unsigned int errorTlsDetail = ERR_get_error();
        int errorSys = errno;

-        result = tlsSessionResultProcess(this, errorTls, errorSys, closeOk);
+        result = tlsSessionResultProcess(this, errorTls, errorTlsDetail, errorSys, closeOk);
    }

    FUNCTION_LOG_RETURN(INT, result);
--- a/test/src/module/common/ioTlsTest.c
+++ b/test/src/module/common/ioTlsTest.c
@ -414,9 +414,15 @@ testRun(void)
                // -----------------------------------------------------------------------------------------------------------------
                TEST_TITLE("uncovered errors");

-                TEST_RESULT_INT(tlsSessionResultProcess(session, SSL_ERROR_WANT_WRITE, 0, false), 0, "write ready");
-                TEST_ERROR(tlsSessionResultProcess(session, SSL_ERROR_WANT_X509_LOOKUP, 0, false), ServiceError, "TLS error [4]");
-                TEST_ERROR(tlsSessionResultProcess(session, SSL_ERROR_ZERO_RETURN, 0, false), ProtocolError, "unexpected TLS eof");
+                TEST_RESULT_INT(tlsSessionResultProcess(session, SSL_ERROR_WANT_WRITE, 0, 0, false), 0, "write ready");
+                TEST_ERROR(
+                    tlsSessionResultProcess(session, SSL_ERROR_WANT_X509_LOOKUP, 336031996, 0, false), ServiceError,
+                    "TLS error [4:336031996] unknown protocol");
+                TEST_ERROR(
+                    tlsSessionResultProcess(session, SSL_ERROR_WANT_X509_LOOKUP, 0, 0, false), ServiceError,
+                    "TLS error [4:0] no details available");
+                TEST_ERROR(
+                    tlsSessionResultProcess(session, SSL_ERROR_ZERO_RETURN, 0, 0, false), ProtocolError, "unexpected TLS eof");

                // -----------------------------------------------------------------------------------------------------------------
                TEST_TITLE("first protocol exchange");