aboutsummaryrefslogtreecommitdiffstats
path: root/lib/ssl/src/tls_handshake.erl
diff options
context:
space:
mode:
authorAlexey Lebedeff <[email protected]>2016-05-19 15:11:37 +0300
committerIngela Anderton Andin <[email protected]>2016-05-31 10:33:31 +0200
commit8c419a6edecc86dc4c682d040c4bb3e3506c7876 (patch)
treec6dd89c9715818f3e153ee96225e121216e3557c /lib/ssl/src/tls_handshake.erl
parent98f13e3c4cf6282e2114deb71805c54596ffdc8a (diff)
downloadotp-8c419a6edecc86dc4c682d040c4bb3e3506c7876.tar.gz
otp-8c419a6edecc86dc4c682d040c4bb3e3506c7876.tar.bz2
otp-8c419a6edecc86dc4c682d040c4bb3e3506c7876.zip
Improve SSL diagnostics
There are a lot of cases where `ssl` application just returns unhelpful `handshake failure` or `internal error`. This patch tries to provide better diagnostics so operator can debug his SSL misconfiguration without doing hardcore erlang debugging. Here is an example escript that incorrectly uses server certificate as a client one: https://gist.github.com/binarin/35c34c2df7556bf04c8a878682ef3d67 With the patch it is properly reported as an error in "extended key usage".
Diffstat (limited to 'lib/ssl/src/tls_handshake.erl')
-rw-r--r--lib/ssl/src/tls_handshake.erl2
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/ssl/src/tls_handshake.erl b/lib/ssl/src/tls_handshake.erl
index f34eebb0e4..871eb970eb 100644
--- a/lib/ssl/src/tls_handshake.erl
+++ b/lib/ssl/src/tls_handshake.erl
@@ -167,7 +167,7 @@ handle_client_hello(Version, #client_hello{session_id = SugesstedId,
SslOpts, Cache, CacheCb, Cert),
case CipherSuite of
no_suite ->
- ?ALERT_REC(?FATAL, ?INSUFFICIENT_SECURITY);
+ ?ALERT_REC(?FATAL, ?INSUFFICIENT_SECURITY, no_suitable_ciphers);
_ ->
{KeyExAlg,_,_,_} = ssl_cipher:suite_definition(CipherSuite),
case ssl_handshake:select_hashsign(ClientHashSigns, Cert, KeyExAlg, SupportedHashSigns, Version) of