net/http: TLS handshake errors are not (reasonably) accessible for servers #38877
Comments
This is basically the code I wrote to implement it:

…

cc @FiloSottile

You can implement & give your own …

@bradfitz Thanks for the suggestion (though not the subtweet). It didn't occur to me to perform the handshake after the Accept(). That code looks something like this:

…

(I already had my own …

@joeshaw, sorry, that tweet was actually from something last week. I kept delaying posting it so people wouldn't connect dots. But honestly it does come up all the time. This isn't one of the egregious cases that prompted the original tweet, though. For one, this bug report was well written and researched and polite, which is not always the case.

Haha, ok, sorry for overreacting. I do appreciate the suggestion and agree it's definitely an improvement over abusing …
What version of Go are you using (`go version`)?

Does this issue reproduce with the latest release?

Yes.
Description of the issue
The current http server implementation makes it very cumbersome to access TLS handshake errors. I would like to be able to see them in order to add metrics and alerting to my service. (A recent misconfiguration caused all connections to fail, and we were unable to alert on these kinds of errors.)
Today, TLS handshake errors are reported by logging to the `http.Server` `ErrorLog` logger, if it is set. (Otherwise it goes to the standard logger.) The line in question:

go/src/net/http/server.go, line 1798 in 9b18968

And the implementation of `logf`:

go/src/net/http/server.go, lines 3062 to 3080 in 9b18968

`ErrorLog` is a `*log.Logger`, which is a struct and not an interface. It wraps an `io.Writer`. So in order to capture TLS handshake errors, one must write an `io.Writer` wrapper that searches for the string `TLS handshake error`. I think (but am not sure) that error messages are not covered by the Go 1 compatibility guarantee, so this method is both ugly and fragile.

It would be nice if there were another way to get notified of TLS handshake errors. This could be implemented as an optional callback function on the `http.Server` or `tls.Config` structs, or as a channel on `http.Server`. It may make sense to generalize it to more HTTP server errors, but we could start with handshake errors.

Reproducing the issue

An easy way to illustrate this in action is to start up a TLS HTTP server (`http.ListenAndServeTLS`) and then run `nc localhost 1234 </dev/null`. On the server you'll get a log line like:

```
2020/05/05 11:41:59 http: TLS handshake error from 127.0.0.1:63162: EOF
```