Informix

 View Only

Connection Manager + TLS: A Major Annoyance

  • 1.  Connection Manager + TLS: A Major Annoyance

    Posted 21 days ago

    Periodically, we'll have clients attempt to connect to our connection manager, but be rejected (or disconnect themselves abruptly). Those rejections will come with error messages like these:

    ```
    18:34:26 listener accept new fd failed:network error = -28014 cannot accept/error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate (OpenSSL:336151570)
    19:16:05 listener accept new fd failed:network error = -28014 cannot accept/SSL error: SSL_ERROR_SSL/error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol (OpenSSL:336027900)
    18:29:12 listener accept new fd failed:network error = -28014 cannot accept/error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown (OpenSSL:336151574)
    03:03:44 listener accept new fd failed:network error = -28014 cannot accept/error:140943F2:SSL routines:ssl3_read_bytes:sslv3 alert unexpected message (OpenSSL:336151538)
    ```

    These messages are an improvement over the old GSK_ERROR_[whatever] variety in terms of being _relatively_ clear about what the problem is, but how hard would it be for the log to include the originating IP as part of the message, so that I've got some idea of whom to go talk to? I know the CM has that info, because when LOG=1, it tells me the from/to redirection IPs.

    As it is, in a world full of k8s pods and "self-healing" microservices, tracking these things down is almost impossible!

    [Tagging @Scott Pickett because he knows people.]

    Thanks in advance,

    - TJG



    ------------------------------
    TOM GIRSCH
    ------------------------------