You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@qpid.apache.org by "Ken Dreyer (Jira)" <ji...@apache.org> on 2021/11/15 20:05:00 UTC

[jira] [Commented] (PROTON-2465) SSLDomain raises SSLException with no more information

    [ https://issues.apache.org/jira/browse/PROTON-2465?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17444076#comment-17444076 ] 

Ken Dreyer commented on PROTON-2465:
------------------------------------

Here's a workaround that subclasses SSLDomain in order to get the integer code:
{noformat}
from proton import SSLDomain
from proton._exceptions import SSLException


class VerboseSSL(SSLDomain):
    def _check(self, err):
        if err < 0:
            raise SSLException("SSL failure: %s" % err)
        else:
            return err


CERT = '/home/user/user.crt'
KEY = '/home/user/user.key'

ssl = VerboseSSL(SSLDomain.MODE_CLIENT)
ssl.set_credentials(CERT, KEY, None)
{noformat}
Then I can read the source code to see how I could get a "{{-4}}" error number (for example).

> SSLDomain raises SSLException with no more information
> ------------------------------------------------------
>
>                 Key: PROTON-2465
>                 URL: https://issues.apache.org/jira/browse/PROTON-2465
>             Project: Qpid Proton
>          Issue Type: New Feature
>            Reporter: Ken Dreyer
>            Priority: Major
>
> When methods fail in the {{proton.SSLDomain}} class, it's not possible to get more debugging information to the user about what went wrong.
> Sample code:
> {noformat}
> from proton import SSLDomain
> ssl = SSLDomain(SSLDomain.MODE_CLIENT)
> ssl.set_credentials('/home/user/user.crt', '/home/user/user.key', None)
> {noformat}
> If "{{{}user.crt{}}}" or "{{{}user.key{}}}" are unreadable (ie bad filesystem permissions, or SELinux denials, etc), then {{set_credentials()}} fails with a simple error:
> {noformat}
> proton._exceptions.SSLException: SSL failure.
> {noformat}
> There's nothing like ENOENT, EPERM, or anything else from openssl, or any other information.
> Looking at {{pn_ssl_domain_set_credentials()}} in [c/src/ssl/openssl.c|https://github.com/apache/qpid-proton/blob/main/c/src/ssl/openssl.c], two ideas occur to me:
>  # This method already logs helpful messages with {{{}ssl_log_error(){}}}. Is there any way to access those messages with Python?
>  # This method returns bare ints for errors ({{{}-3{}}}, {{{}-4{}}}, etc). Is there any code to translate those error numbers into other values in Python? Would I have to write that myself? Where?



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org