1
0
mirror of https://github.com/pgbackrest/pgbackrest.git synced 2024-12-14 10:13:05 +02:00

Improve TLS error reporting.

Before 9f2d647 TLS errors included additional details in at least some cases. After 9f2d647 a connection to an HTTP server threw `TLS error [1]` instead of `unable to negotiate TLS connection: [336031996] unknown protocol`.

Bring back the detailed messages to make debugging TLS errors easier. Since the error routine is now generic the `unable to negotiate TLS connection context` is not available so the error looks like `TLS error [1:336031996] unknown protocol`.
This commit is contained in:
David Steele 2020-08-04 15:15:24 -04:00 committed by GitHub
parent 94d3a01f73
commit 847e61ce21
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 30 additions and 6 deletions

View File

@ -64,6 +64,15 @@
<p>Proactively close file descriptors after forking async process.</p> <p>Proactively close file descriptors after forking async process.</p>
</release-item> </release-item>
<release-item>
<release-item-contributor-list>
<release-item-reviewer id="cynthia.shang"/>
<release-item-reviewer id="stephen.frost"/>
</release-item-contributor-list>
<p>Improve TLS error reporting.</p>
</release-item>
</release-improvement-list> </release-improvement-list>
</release-core-list> </release-core-list>

View File

@ -86,11 +86,12 @@ Returns:
***********************************************************************************************************************************/ ***********************************************************************************************************************************/
// Helper to process error conditions // Helper to process error conditions
static int static int
tlsSessionResultProcess(TlsSession *this, int errorTls, int errorSys, bool closeOk) tlsSessionResultProcess(TlsSession *this, int errorTls, long unsigned int errorTlsDetail, int errorSys, bool closeOk)
{ {
FUNCTION_LOG_BEGIN(logLevelTrace); FUNCTION_LOG_BEGIN(logLevelTrace);
FUNCTION_LOG_PARAM(TLS_SESSION, this); FUNCTION_LOG_PARAM(TLS_SESSION, this);
FUNCTION_LOG_PARAM(INT, errorTls); FUNCTION_LOG_PARAM(INT, errorTls);
FUNCTION_LOG_PARAM(UINT64, errorTlsDetail);
FUNCTION_LOG_PARAM(INT, errorSys); FUNCTION_LOG_PARAM(INT, errorSys);
FUNCTION_LOG_PARAM(BOOL, closeOk); FUNCTION_LOG_PARAM(BOOL, closeOk);
FUNCTION_LOG_END(); FUNCTION_LOG_END();
@ -134,7 +135,14 @@ tlsSessionResultProcess(TlsSession *this, int errorTls, int errorSys, bool close
// Any other error that we cannot handle // Any other error that we cannot handle
default: default:
THROW_FMT(ServiceError, "TLS error [%d]", errorTls); {
// Get detailed error message when available
const char *errorTlsDetailMessage = ERR_reason_error_string(errorTlsDetail);
THROW_FMT(
ServiceError, "TLS error [%d:%lu] %s", errorTls, errorTlsDetail,
errorTlsDetailMessage == NULL ? "no details available" : errorTlsDetailMessage);
}
} }
FUNCTION_LOG_RETURN(INT, result); FUNCTION_LOG_RETURN(INT, result);
@ -157,9 +165,10 @@ tlsSessionResult(TlsSession *this, int result, bool closeOk)
{ {
// Get TLS error and store errno in case of syscall error // Get TLS error and store errno in case of syscall error
int errorTls = SSL_get_error(this->session, result); int errorTls = SSL_get_error(this->session, result);
long unsigned int errorTlsDetail = ERR_get_error();
int errorSys = errno; int errorSys = errno;
result = tlsSessionResultProcess(this, errorTls, errorSys, closeOk); result = tlsSessionResultProcess(this, errorTls, errorTlsDetail, errorSys, closeOk);
} }
FUNCTION_LOG_RETURN(INT, result); FUNCTION_LOG_RETURN(INT, result);

View File

@ -414,9 +414,15 @@ testRun(void)
// ----------------------------------------------------------------------------------------------------------------- // -----------------------------------------------------------------------------------------------------------------
TEST_TITLE("uncovered errors"); TEST_TITLE("uncovered errors");
TEST_RESULT_INT(tlsSessionResultProcess(session, SSL_ERROR_WANT_WRITE, 0, false), 0, "write ready"); TEST_RESULT_INT(tlsSessionResultProcess(session, SSL_ERROR_WANT_WRITE, 0, 0, false), 0, "write ready");
TEST_ERROR(tlsSessionResultProcess(session, SSL_ERROR_WANT_X509_LOOKUP, 0, false), ServiceError, "TLS error [4]"); TEST_ERROR(
TEST_ERROR(tlsSessionResultProcess(session, SSL_ERROR_ZERO_RETURN, 0, false), ProtocolError, "unexpected TLS eof"); tlsSessionResultProcess(session, SSL_ERROR_WANT_X509_LOOKUP, 336031996, 0, false), ServiceError,
"TLS error [4:336031996] unknown protocol");
TEST_ERROR(
tlsSessionResultProcess(session, SSL_ERROR_WANT_X509_LOOKUP, 0, 0, false), ServiceError,
"TLS error [4:0] no details available");
TEST_ERROR(
tlsSessionResultProcess(session, SSL_ERROR_ZERO_RETURN, 0, 0, false), ProtocolError, "unexpected TLS eof");
// ----------------------------------------------------------------------------------------------------------------- // -----------------------------------------------------------------------------------------------------------------
TEST_TITLE("first protocol exchange"); TEST_TITLE("first protocol exchange");