diff --git a/doc/xml/release.xml b/doc/xml/release.xml
index b66ae8ef7..3a87db2ee 100644
--- a/doc/xml/release.xml
+++ b/doc/xml/release.xml
@@ -64,6 +64,15 @@
Proactively close file descriptors after forking async process.
+
+
+
+
+
+
+
+ Improve TLS error reporting.
+
diff --git a/src/common/io/tls/session.c b/src/common/io/tls/session.c
index 68e383393..cc001a910 100644
--- a/src/common/io/tls/session.c
+++ b/src/common/io/tls/session.c
@@ -86,11 +86,12 @@ Returns:
***********************************************************************************************************************************/
// Helper to process error conditions
static int
-tlsSessionResultProcess(TlsSession *this, int errorTls, int errorSys, bool closeOk)
+tlsSessionResultProcess(TlsSession *this, int errorTls, long unsigned int errorTlsDetail, int errorSys, bool closeOk)
{
FUNCTION_LOG_BEGIN(logLevelTrace);
FUNCTION_LOG_PARAM(TLS_SESSION, this);
FUNCTION_LOG_PARAM(INT, errorTls);
+ FUNCTION_LOG_PARAM(UINT64, errorTlsDetail);
FUNCTION_LOG_PARAM(INT, errorSys);
FUNCTION_LOG_PARAM(BOOL, closeOk);
FUNCTION_LOG_END();
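Review bot: The new parameter is declared `long unsigned int` but logged with `FUNCTION_LOG_PARAM(UINT64, errorTlsDetail)`, and `unsigned long` is only 32 bits wide on ILP32 and 64-bit Windows targets, so the declared type and the log type disagree there. Whether the UINT64 log macro converts the value safely is not visible in this hunk, so it is worth confirming. The conventional spelling `unsigned long errorTlsDetail` matches the return type of `ERR_get_error()` and reads more easily. The header comment, which starts above the hunk, could also gain a line such as `// errorTlsDetail is the code returned by ERR_get_error(), 0 when the error queue was empty`.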
@@ -134,7 +135,14 @@ tlsSessionResultProcess(TlsSession *this, int errorTls, int errorSys, bool close
// Any other error that we cannot handle
default:
- THROW_FMT(ServiceError, "TLS error [%d]", errorTls);
+ {
+ // Get detailed error message when available
+ const char *errorTlsDetailMessage = ERR_reason_error_string(errorTlsDetail);
+
+ THROW_FMT(
+ ServiceError, "TLS error [%d:%lu] %s", errorTls, errorTlsDetail,
+ errorTlsDetailMessage == NULL ? "no details available" : errorTlsDetailMessage);
+ }
}
FUNCTION_LOG_RETURN(INT, result);
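Review bot: The packed error code is printed in decimal by `%lu` in the new `THROW_FMT` call, while OpenSSL's own tooling works with these codes in hex (`openssl errstr` takes a hex value), so an operator has to convert the number before looking it up. Using `"TLS error [%d:%lx] %s"` would make the logged code directly usable, with the test expectations updated to match. `ERR_reason_error_string()` returns only the reason text, so a comment such as `// reason text only; the library name is not included` would tell a reader why the message can look terse. The `switch` this default case belongs to starts outside the hunk.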
@@ -157,9 +165,10 @@ tlsSessionResult(TlsSession *this, int result, bool closeOk)
{
// Get TLS error and store errno in case of syscall error
int errorTls = SSL_get_error(this->session, result);
+ long unsigned int errorTlsDetail = ERR_get_error();
int errorSys = errno;
- result = tlsSessionResultProcess(this, errorTls, errorSys, closeOk);
+ result = tlsSessionResultProcess(this, errorTls, errorTlsDetail, errorSys, closeOk);
}
FUNCTION_LOG_RETURN(INT, result);
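Review bot: `ERR_get_error()` removes only the earliest entry from the thread's error queue, so any further entries stay queued after this call, and `SSL_get_error()` is documented as reliable only when the queue was empty before the I/O operation. Nothing in this hunk clears the queue, so unless that happens elsewhere a leftover entry could cause a later result to be misclassified, or a stale entry could be reported as the detail here. Calling `ERR_clear_error();` once the detail has been captured (or before each SSL I/O call) would avoid both. Separately, the new call sits ahead of `int errorSys = errno;`, and moving the errno capture above it keeps the saved value independent of one more library call. The body of tlsSessionResult starts outside the hunk.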
diff --git a/test/src/module/common/ioTlsTest.c b/test/src/module/common/ioTlsTest.c
index 939a9da3c..addf3d913 100644
--- a/test/src/module/common/ioTlsTest.c
+++ b/test/src/module/common/ioTlsTest.c
@@ -414,9 +414,15 @@ testRun(void)
// -----------------------------------------------------------------------------------------------------------------
TEST_TITLE("uncovered errors");
- TEST_RESULT_INT(tlsSessionResultProcess(session, SSL_ERROR_WANT_WRITE, 0, false), 0, "write ready");
- TEST_ERROR(tlsSessionResultProcess(session, SSL_ERROR_WANT_X509_LOOKUP, 0, false), ServiceError, "TLS error [4]");
- TEST_ERROR(tlsSessionResultProcess(session, SSL_ERROR_ZERO_RETURN, 0, false), ProtocolError, "unexpected TLS eof");
+ TEST_RESULT_INT(tlsSessionResultProcess(session, SSL_ERROR_WANT_WRITE, 0, 0, false), 0, "write ready");
+ TEST_ERROR(
+ tlsSessionResultProcess(session, SSL_ERROR_WANT_X509_LOOKUP, 336031996, 0, false), ServiceError,
+ "TLS error [4:336031996] unknown protocol");
+ TEST_ERROR(
+ tlsSessionResultProcess(session, SSL_ERROR_WANT_X509_LOOKUP, 0, 0, false), ServiceError,
+ "TLS error [4:0] no details available");
+ TEST_ERROR(
+ tlsSessionResultProcess(session, SSL_ERROR_ZERO_RETURN, 0, 0, false), ProtocolError, "unexpected TLS eof");
// -----------------------------------------------------------------------------------------------------------------
TEST_TITLE("first protocol exchange");
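Review bot: The literal `336031996` (0x140770FC) and its expected text `unknown protocol` depend on how the linked OpenSSL packs library, function and reason into one error code. That layout changed in OpenSSL 3.0, so on newer libraries this expectation may resolve to `no details available` or a different string. Building the value with something like `ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_PROTOCOL)` and formatting the expected message from that value would tie the test to the reason rather than to one encoding. The reason text is OpenSSL's own wording, so a comment such as `// expected text comes from the OpenSSL error string table` would explain a future mismatch.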