Broken TLS 1.3 handshake error handling #356
Comments
Did you verify this? I always get a |
I tested with an intentionally wrong client-presented x.509 cert that was not trusted by the server CA. Your error seems to be different: |
In TLS 1.3 the client is the last one to speak in the handshake, so if it causes an error to occur on the server, it will be returned on the client by the first Read, not by Handshake. For example, that will be the case if the server rejects the client certificate.

Bug: eclipse#356

Signed-off-by: Armin Galliker <mc_ghc@yahoo.de>
Signed-off-by: Andrii Kokhanovskyi a.kokhanovskyi@gmail.com
Signed-off-by: Andrew Kokhanovskyi a.kokhanovskyi@gmail.com
Propagate MQTT connect error (fixes #356)
When a broker rejects the client cert, the expected token error from `Client.Connect()` is `Network Error : remote error: tls: bad certificate`. The actual error with TLS 1.3 is `Network Error : %!s(<nil>)`. TLS 1.3 is the default with go 1.13; opt-out will be removed in go 1.14.

Why this happens:
(see go 1.12 release notes)

According to the above:

- `tls.DialWithDialer()` yields no error (see `net.go:76`)
- `openConnection()` also returns a `nil` error (`client.go:255`)
- `client.connect()` fails with return code `packets.ErrNetworkError` (`client.go:281`)
- `token.setError()` sets inaccurate error (`client.go:324`): `err` is still `nil`, which leads to an `fmt` error (`%!s(<nil>)`).

I think this can be fixed by properly inspecting the error returned by `packets.ReadPacket()` (`client.go:478`). In case of a rejected client cert, this is a `net.OpError` remote error with `alertBadCertificate`. I'm not well-versed in the overall library design, though, so maybe there are better ideas.
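The behaviour reported in this issue, reproduced with only the Go standard library. This is an added example, not code from the issue or from the MQTT client library; `rejectedCert`, the loopback listener and the throwaway Ed25519 certificate are assumptions made for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// rejectedCert dials a server that trusts no client CA; it returns the dial (handshake) and first-Read errors.
func rejectedCert(version uint16) (dialErr, readErr error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // throwaway key: constructed test data
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"localhost"}, NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	leaf, _ := x509.ParseCertificate(der)
	certs := []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: priv}} // used by both sides
	roots := x509.NewCertPool()
	roots.AddCert(leaf) // the client trusts the server; the server trusts nobody
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err, nil
	}
	defer ln.Close()
	go func() {
		if raw, err := ln.Accept(); err == nil {
			tls.Server(raw, &tls.Config{Certificates: certs, ClientCAs: x509.NewCertPool(),
				ClientAuth: tls.RequireAndVerifyClientCert}).Handshake() // empty pool: always rejects
			io.Copy(io.Discard, raw) // hold the socket open until the client has read the alert
			raw.Close()
		}
	}()
	cfg := &tls.Config{RootCAs: roots, ServerName: "localhost", Certificates: certs, MinVersion: version, MaxVersion: version}
	conn, dialErr := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", ln.Addr().String(), cfg)
	if dialErr == nil {
		defer conn.Close()
		conn.SetReadDeadline(time.Now().Add(5 * time.Second))
		_, readErr = conn.Read(make([]byte, 1))
	}
	return dialErr, readErr
}

func main() {
	fmt.Println(rejectedCert(tls.VersionTLS12)) // alert is returned by the dial itself
	fmt.Println(rejectedCert(tls.VersionTLS13)) // dial succeeds; alert arrives on the first Read
}
```

A caller that only checks the dial error therefore sees `nil` under TLS 1.3 and must carry the error from the first read through to whatever it reports.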