Better (any) error message for SSL... #458
... when a linking bot is not compiled with SSL and fails to connect to an SSL-only port.
the hub (with SSL, console +b-d) only sees:
Maybe at the end of all those failed hellos, we add
as the only reason I can think of for that many failed hellos would be no SSL. Or something, but that's a starting point. Probably worth looking at the reverse case (hub no SSL, leaf SSL) too.
1. "only reason I can think of for that many failed hellos would be no SSL"
True, but the connecting client could be a bot OR a user.
So we can't display
At least the message must be changed.
2. error message (SSL bot port)
The code in tls.c:ssl_info() producing the +b message
but the code in net.c:sockread() seems:
Currently it's like:
The case happening here is SSL_ERROR_SYSCALL, and it's only handled in the general else branch.
We should intercept SSL_ERROR_SYSCALL and display an error message like I now committed with #645.
Also the general error message above could be enhanced to read "SSL read error" instead of "SSL error".
There are more cases where we could replace the error message "SSL error" with a more detailed one, like after SSL_write().
The SSL bot of course doesn't know if it's a bot or a user telnet, or whatever, that tries to connect. So it can only display some error message like "Could be..."
3. error message (non-SSL bot)
The non-SSL bot connects to an SSL-only port. The SSL bot expects the hello and is sending nothing. So the non-SSL bot can't receive anything and is quite blind. It can't find out that the end point is an SSL port.
But we can change this. Yes!
Of course only if stealth-telnets isn't activated and/or a new config setting allows for it.
The SSL bot could send a TOKEN over the wire, so that the non-SSL bot/user could see it's an SSL port and react to it.
Bonus: a non-SSL bot could not only inform about the SSL port, but could also instantly drop its attempt to connect. Maybe even send another TOKEN to the SSL port to tell the SSL bot what just happened, so it also could report/act on it.
4. the many "TLS: failed in:"
I would like to see such verbose messages moved from a normal output channel to debug() output.
(1) and (2) is fixed with #645
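The two situations discussed above, as an added example that is not Eggdrop's code and not from any participant in this issue: point 2 (turning an SSL_read() failure classified as SSL_ERROR_SYSCALL into a specific message instead of a bare "SSL error") and the reverse case from the opening post (a hub without SSL receiving a TLS ClientHello from an SSL leaf). The SSL_ERROR_* numbers are hardcoded copies of OpenSSL's values so the file compiles without libssl (assumption: they match the libssl headers; a real build would take the value from SSL_get_error()), the message texts are hypothetical, and the sample bytes are constructed.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Copies of OpenSSL's SSL_ERROR_* values, hardcoded (assumption: they match the
 * libssl headers) so this example compiles without linking libssl. A real
 * build would #include <openssl/ssl.h> and use the result of SSL_get_error(). */
#define X_SSL_ERROR_NONE        0
#define X_SSL_ERROR_SSL         1
#define X_SSL_ERROR_WANT_READ   2
#define X_SSL_ERROR_WANT_WRITE  3
#define X_SSL_ERROR_SYSCALL     5
#define X_SSL_ERROR_ZERO_RETURN 6

/* Non-fatal: the TLS layer wants more socket I/O, so the caller should retry. */
int ssl_read_should_retry(int ssl_err)
{
    return ssl_err == X_SSL_ERROR_WANT_READ || ssl_err == X_SSL_ERROR_WANT_WRITE;
}

/* Turn a failed SSL_read() into a specific message instead of a bare "SSL error".
 * ssl_err: SSL_get_error() result; ret: the SSL_read() return value;
 * saved_errno: errno captured immediately after the failing call.
 * For SSL_ERROR_SYSCALL, OpenSSL documents ret == 0 as an EOF that violates the
 * protocol (the peer hung up without a TLS handshake, e.g. a non-SSL bot) and
 * ret == -1 as a real socket error reported through errno.
 * Returns a static buffer (not reentrant; fine for a single-threaded bot). */
const char *ssl_read_error_message(int ssl_err, int ret, int saved_errno)
{
    static char buf[160];

    switch (ssl_err) {
    case X_SSL_ERROR_NONE:
        snprintf(buf, sizeof buf, "no SSL error");
        break;
    case X_SSL_ERROR_ZERO_RETURN:
        snprintf(buf, sizeof buf, "SSL read error: peer closed the TLS session");
        break;
    case X_SSL_ERROR_SYSCALL:
        if (ret == 0)
            snprintf(buf, sizeof buf, "SSL read error: connection closed without a TLS "
                     "handshake (remote side is probably not using SSL)");
        else
            snprintf(buf, sizeof buf, "SSL read error: socket error: %s", strerror(saved_errno));
        break;
    case X_SSL_ERROR_SSL:
        snprintf(buf, sizeof buf, "SSL read error: TLS protocol failure");
        break;
    default:
        snprintf(buf, sizeof buf, "SSL read error (SSL_get_error code %d)", ssl_err);
        break;
    }
    return buf;
}

/* Reverse case (hub without SSL, leaf with SSL): a plaintext listener sees the
 * leaf's TLS ClientHello as binary noise. A TLS record starts with content type
 * 0x16 (handshake), a 0x03 0x0X record-layer version, a 2-byte length, and then
 * the handshake type, 0x01 for ClientHello. Checking those six bytes lets the
 * plaintext side report "that peer is speaking TLS" instead of staying blind. */
int looks_like_tls_client_hello(const unsigned char *data, size_t n)
{
    return n >= 6 && data[0] == 0x16 && data[1] == 0x03 && data[2] <= 0x04
           && data[5] == 0x01;
}

/* Constructed samples: the first bytes of a TLS-1.0-framed ClientHello record,
 * and a plaintext greeting line as a non-SSL peer would send it. */
static const unsigned char SAMPLE_CLIENT_HELLO[] = { 0x16, 0x03, 0x01, 0x00, 0xa5, 0x01, 0x00, 0x00, 0xa1 };
static const unsigned char SAMPLE_PLAINTEXT[] = "hello\n";

int main(void)
{
    printf("%s\n", ssl_read_error_message(X_SSL_ERROR_SYSCALL, 0, 0));
    printf("%s\n", ssl_read_error_message(X_SSL_ERROR_SYSCALL, -1, ECONNRESET));
    printf("retry on WANT_READ: %d\n", ssl_read_should_retry(X_SSL_ERROR_WANT_READ));
    printf("ClientHello sample is TLS: %d\n",
           looks_like_tls_client_hello(SAMPLE_CLIENT_HELLO, sizeof SAMPLE_CLIENT_HELLO));
    printf("plaintext sample is TLS: %d\n",
           looks_like_tls_client_hello(SAMPLE_PLAINTEXT, sizeof SAMPLE_PLAINTEXT - 1));
    return 0;
}
```

The ret == 0 branch is the one that matters for this issue: a non-SSL bot that connects, sends its plaintext hello and gives up produces exactly that EOF on the SSL side, so the message can point at the likely cause rather than repeating "SSL error". The ClientHello check covers the other direction; it only recognises the record framing, so it says a TLS peer is present, not which bot it is.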