diff options
| author | Alexey Lebedeff <[email protected]> | 2016-05-19 15:11:37 +0300 |
|---|---|---|
| committer | Ingela Anderton Andin <[email protected]> | 2016-05-31 10:33:31 +0200 |
| commit | 8c419a6edecc86dc4c682d040c4bb3e3506c7876 (patch) | |
| tree | c6dd89c9715818f3e153ee96225e121216e3557c /lib/ssl/test | |
| parent | 98f13e3c4cf6282e2114deb71805c54596ffdc8a (diff) | |
| download | otp-8c419a6edecc86dc4c682d040c4bb3e3506c7876.tar.gz otp-8c419a6edecc86dc4c682d040c4bb3e3506c7876.tar.bz2 otp-8c419a6edecc86dc4c682d040c4bb3e3506c7876.zip | |
Improve SSL diagnostics
There are a lot of cases where `ssl` application just returns unhelpful
`handshake failure` or `internal error`. This patch tries to provide
better diagnostics so operator can debug his SSL misconfiguration
without doing hardcore erlang debugging.
Here is an example escript that incorrectly uses server certificate as a
client one:
https://gist.github.com/binarin/35c34c2df7556bf04c8a878682ef3d67
With the patch it is properly reported as an error in "extended key
usage".
Diffstat (limited to 'lib/ssl/test')
| -rw-r--r-- | lib/ssl/test/ssl_basic_SUITE.erl | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/lib/ssl/test/ssl_basic_SUITE.erl b/lib/ssl/test/ssl_basic_SUITE.erl index aa45d55406..686cdc569d 100644 --- a/lib/ssl/test/ssl_basic_SUITE.erl +++ b/lib/ssl/test/ssl_basic_SUITE.erl @@ -96,6 +96,8 @@ basic_tests() -> [app, appup, alerts, + alert_details, + alert_details_not_too_big, version_option, connect_twice, connect_dist, @@ -477,6 +479,33 @@ alerts(Config) when is_list(Config) -> end end, Alerts). %%-------------------------------------------------------------------- +alert_details() -> + [{doc, "Test that ssl_alert:alert_txt/1 result contains extendend error description"}]. +alert_details(Config) when is_list(Config) -> + Unique = make_ref(), + UniqueStr = lists:flatten(io_lib:format("~w", [Unique])), + Alert = ?ALERT_REC(?WARNING, ?CLOSE_NOTIFY, Unique), + case string:str(ssl_alert:alert_txt(Alert), UniqueStr) of + 0 -> + ct:fail(error_details_missing); + _ -> + ok + end. + +%%-------------------------------------------------------------------- +alert_details_not_too_big() -> + [{doc, "Test that ssl_alert:alert_txt/1 limits printed depth of extended error description"}]. +alert_details_not_too_big(Config) when is_list(Config) -> + Reason = lists:duplicate(10, lists:duplicate(10, lists:duplicate(10, {some, data}))), + Alert = ?ALERT_REC(?WARNING, ?CLOSE_NOTIFY, Reason), + case length(ssl_alert:alert_txt(Alert)) < 1000 of + true -> + ok; + false -> + ct:fail(ssl_alert_text_too_big) + end. + +%%-------------------------------------------------------------------- new_options_in_accept() -> [{doc,"Test that you can set ssl options in ssl_accept/3 and not only in tcp upgrade"}]. new_options_in_accept(Config) when is_list(Config) -> |