mesos-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Alexander Rukletsov (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (MESOS-5320) SSL related error messages can be misguiding or incomplete
Date Thu, 29 Sep 2016 17:06:20 GMT

     [ https://issues.apache.org/jira/browse/MESOS-5320?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Alexander Rukletsov updated MESOS-5320:
---------------------------------------
        Shepherd: Alexander Rukletsov
          Sprint: Mesosphere Sprint 44
    Story Points: 3

> SSL related error messages can be misguiding or incomplete
> ----------------------------------------------------------
>
>                 Key: MESOS-5320
>                 URL: https://issues.apache.org/jira/browse/MESOS-5320
>             Project: Mesos
>          Issue Type: Bug
>    Affects Versions: 1.0.0
>            Reporter: Till Toenshoff
>            Assignee: Till Toenshoff
>              Labels: ssl
>
> I was trying to activate SSL within Mesos but had rendered an invalid certificate, it
was signed with a mismatching key. Once I started the master, the error message I received
was rather confusing to me:
> {noformat}
> W0503 10:15:58.027343  6696 openssl.cpp:363] Failed SSL connections will be downgraded
to a non-SSL socket
> Could not load key file
> {noformat} 
> To me, this error message hinted that the key file was not existing or had rights issues.
However, a quick {{strace}} revealed  that the key-file was properly accessed, no sign of
a file-not-found or alike.
> The problem here is the hardcoded error-message, not taking OpenSSL's human readable
error strings into account.
> The code that misguided me is located at  https://github.com/apache/mesos/blob/master/3rdparty/libprocess/src/openssl.cpp#L471
> We might want to change
> {noformat}
>   // Set private key.
>   if (SSL_CTX_use_PrivateKey_file(
>           ctx,
>           ssl_flags->key_file.get().c_str(),
>           SSL_FILETYPE_PEM) != 1) {
>     EXIT(EXIT_FAILURE) << "Could not load key file";
>   }
> {noformat}
> Towards something like this
> {noformat}
>   // Set private key.
>   if (SSL_CTX_use_PrivateKey_file(
>           ctx,
>           ssl_flags->key_file.get().c_str(),
>           SSL_FILETYPE_PEM) != 1) {
>     EXIT(EXIT_FAILURE) << "Could not use key file: " << ERR_error_string(ERR_get_error(),
NULL);
>   }
> {noformat}
> To receive a much more helpful message like this
> {noformat}
> W0503 13:18:12.551364 11572 openssl.cpp:363] Failed SSL connections will be downgraded
to a non-SSL socket
> Could not use key file: error:0B080074:x509 certificate routines:X509_check_private_key:key
values mismatch
> {noformat}
> A quick scan of the implementation within {{openssl.cpp}} to me suggests that there are
more places that we might want to update with more deterministic error messages. 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message