From 8c419a6edecc86dc4c682d040c4bb3e3506c7876 Mon Sep 17 00:00:00 2001
From: Alexey Lebedeff <alebedev@mirantis.com>
Date: Thu, 19 May 2016 15:11:37 +0300
Subject: Improve SSL diagnostics

There are a lot of cases where `ssl` application just returns unhelpful
`handshake failure` or `internal error`. This patch tries to provide
better diagnostics so operator can debug his SSL misconfiguration
without doing hardcore erlang debugging.

Here is an example escript that incorrectly uses server certificate as a
client one:
https://gist.github.com/binarin/35c34c2df7556bf04c8a878682ef3d67
With the patch it is properly reported as an error in "extended key
usage".
---
 lib/ssl/src/ssl_alert.hrl | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'lib/ssl/src/ssl_alert.hrl')

diff --git a/lib/ssl/src/ssl_alert.hrl b/lib/ssl/src/ssl_alert.hrl
index 8c4bd08d31..38facb964f 100644
--- a/lib/ssl/src/ssl_alert.hrl
+++ b/lib/ssl/src/ssl_alert.hrl
@@ -109,6 +109,7 @@
 -define(NO_APPLICATION_PROTOCOL, 120).
 
 -define(ALERT_REC(Level,Desc), #alert{level=Level,description=Desc,where={?FILE, ?LINE}}).
+-define(ALERT_REC(Level,Desc,Reason), #alert{level=Level,description=Desc,where={?FILE, ?LINE},reason=Reason}).
 
 -define(MAX_ALERTS, 10).
 
@@ -116,6 +117,7 @@
 -record(alert, {
 	  level,
 	  description,
-	  where = {?FILE, ?LINE}
+          where = {?FILE, ?LINE},
+          reason
 	 }).
 -endif. % -ifdef(ssl_alert).
-- 
cgit v1.2.3