Posted to dev@qpid.apache.org by "Ken Dreyer (Jira)" <ji...@apache.org> on 2021/11/15 20:18:00 UTC

[jira] [Updated] (PROTON-2465) SSLDomain raises SSLException with no more information

     [ https://issues.apache.org/jira/browse/PROTON-2465?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ken Dreyer updated PROTON-2465:
-------------------------------
    Description: 
When methods fail in the {{proton.SSLDomain}} class, it's not possible to get more debugging information to the user about what went wrong.

Sample code:
{noformat}
from proton import SSLDomain

ssl = SSLDomain(SSLDomain.MODE_CLIENT)
ssl.set_credentials('/home/user/user.crt', '/home/user/user.key', None)
{noformat}
If "{{user.crt}}" or "{{user.key}}" are unreadable (i.e. bad filesystem permissions, or SELinux denials, etc), then {{set_credentials()}} fails with a simple error:
{noformat}
proton._exceptions.SSLException: SSL failure.
{noformat}
There's nothing like ENOENT, EPERM, or anything else from openssl, or any other information.

Looking at {{pn_ssl_domain_set_credentials()}} in [c/src/ssl/openssl.c|https://github.com/apache/qpid-proton/blob/main/c/src/ssl/openssl.c], two ideas occur to me:
 # This method already logs helpful messages with {{ssl_log_error()}}. Is there any way to access those messages with Python?
 # This method returns bare ints for errors ({{-3}}, {{-4}}, etc). Is there any code to translate those error numbers into other values in Python? Would I have to write that myself? Where?
# It would be really helpful to get the exact error message from the OpenSSL methods, like when {{SSL_CTX_use_PrivateKey_file}} goes wrong, it's hard to tell why.

  was:
When methods fail in the {{proton.SSLDomain}} class, it's not possible to get more debugging information to the user about what went wrong.

Sample code:
{noformat}
from proton import SSLDomain

ssl = SSLDomain(SSLDomain.MODE_CLIENT)
ssl.set_credentials('/home/user/user.crt', '/home/user/user.key', None)
{noformat}
If "{{user.crt}}" or "{{user.key}}" are unreadable (i.e. bad filesystem permissions, or SELinux denials, etc), then {{set_credentials()}} fails with a simple error:
{noformat}
proton._exceptions.SSLException: SSL failure.
{noformat}
There's nothing like ENOENT, EPERM, or anything else from openssl, or any other information.

Looking at {{pn_ssl_domain_set_credentials()}} in [c/src/ssl/openssl.c|https://github.com/apache/qpid-proton/blob/main/c/src/ssl/openssl.c], two ideas occur to me:
 # This method already logs helpful messages with {{ssl_log_error()}}. Is there any way to access those messages with Python?
 # This method returns bare ints for errors ({{-3}}, {{-4}}, etc). Is there any code to translate those error numbers into other values in Python? Would I have to write that myself? Where?


> SSLDomain raises SSLException with no more information
> ------------------------------------------------------
>
>                 Key: PROTON-2465
>                 URL: https://issues.apache.org/jira/browse/PROTON-2465
>             Project: Qpid Proton
>          Issue Type: New Feature
>            Reporter: Ken Dreyer
>            Priority: Major
>
> When methods fail in the {{proton.SSLDomain}} class, it's not possible to get more debugging information to the user about what went wrong.
> Sample code:
> {noformat}
> from proton import SSLDomain
> ssl = SSLDomain(SSLDomain.MODE_CLIENT)
> ssl.set_credentials('/home/user/user.crt', '/home/user/user.key', None)
> {noformat}
> If "{{user.crt}}" or "{{user.key}}" are unreadable (i.e. bad filesystem permissions, or SELinux denials, etc), then {{set_credentials()}} fails with a simple error:
> {noformat}
> proton._exceptions.SSLException: SSL failure.
> {noformat}
> There's nothing like ENOENT, EPERM, or anything else from openssl, or any other information.
> Looking at {{pn_ssl_domain_set_credentials()}} in [c/src/ssl/openssl.c|https://github.com/apache/qpid-proton/blob/main/c/src/ssl/openssl.c], two ideas occur to me:
>  # This method already logs helpful messages with {{ssl_log_error()}}. Is there any way to access those messages with Python?
>  # This method returns bare ints for errors ({{-3}}, {{-4}}, etc). Is there any code to translate those error numbers into other values in Python? Would I have to write that myself? Where?
> # It would be really helpful to get the exact error message from the OpenSSL methods, like when {{SSL_CTX_use_PrivateKey_file}} goes wrong, it's hard to tell why.
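
A pre-flight check for the failure described in this issue, as an added example that is not part of the original message or of Qpid Proton: it opens the certificate and key files itself so the errno is visible before {{set_credentials()}} collapses it into "SSL failure". The names {{probe_readable}}, {{diagnose_credentials}}, {{set_credentials_checked}} and {{CredentialFileError}} are hypothetical, and {{domain}} is assumed to be any object exposing {{set_credentials(cert, key, password)}}, such as a {{proton.SSLDomain}}.

```python
import errno


class CredentialFileError(Exception):
    """Raised before set_credentials() when a credential file cannot be read."""


def probe_readable(path):
    """Return None if path opens for reading, else (errno_name, message)."""
    try:
        with open(path, "rb") as fh:
            fh.read(1)
    except OSError as exc:
        # Translate the numeric errno into its symbolic name (ENOENT, EACCES, ...).
        name = errno.errorcode.get(exc.errno, str(exc.errno))
        return name, exc.strerror
    return None


def diagnose_credentials(cert_file, key_file):
    """Map each unreadable file's label to (path, errno_name, message)."""
    problems = {}
    for label, path in (("certificate", cert_file), ("private key", key_file)):
        result = probe_readable(path)
        if result is not None:
            problems[label] = (path,) + result
    return problems


def set_credentials_checked(domain, cert_file, key_file, password=None):
    """Pre-flight both files, then delegate to domain.set_credentials().

    Assumption: `domain` is duck-typed; in real use it would be a
    proton.SSLDomain instance as in the issue's sample code.
    """
    problems = diagnose_credentials(cert_file, key_file)
    if problems:
        detail = "; ".join(
            "%s %s: [%s] %s" % (label, path, name, msg)
            for label, (path, name, msg) in problems.items()
        )
        raise CredentialFileError(detail)
    return domain.set_credentials(cert_file, key_file, password)


if __name__ == "__main__":
    # Paths taken from the issue's sample code; output depends on the host.
    print(diagnose_credentials("/home/user/user.crt", "/home/user/user.key"))
```

This only surfaces filesystem-level errors; a wrong passphrase or a malformed PEM file passes the probe and still ends in the generic {{SSLException}}.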


