envoyproxy/envoy

Custom transport socket failure reasons

Open

#9.255 geöffnet am 6. Dez. 2019

Auf GitHub ansehen
 (1 Kommentar) (0 Reaktionen) (0 zugewiesene Personen)C++ (5.373 Forks)batch import
area/tlsenhancementhelp wanted

Repository-Metriken

Stars
 (27.997 Stars)
PR-Merge-Metriken
 (Durchschn. Merge 8T) (378 gemergte PRs in 30 T)

Beschreibung

The error messages returned by BoringSSL are often fairly vague, making it hard to debug TLS issues. For specific deployments it would likely be possible for operators to be able to better describe the failure.

For example, if given access to the TLS context (CA/local cert used), the peer cert and the BoringSSL failure string, a few lines of code might be sufficient to provide a better error message, e.g. something like "staging peer cert cannot be used with production CA".

I imagine this could be implemented as a list of error details providers that could be configured as part of the tls context, allowing for statically registered implementations.

cc @lizan

Contributor Guide