
Update log levels for Mutual TLS

Open k0ekk0ek opened this issue 1 year ago • 1 comment

Currently, errors related to certificates for Mutual TLS are logged via DEBUG, which means they are not available in release builds. Use a method, like normal log at level 5 or so, to allow for more convenient debugging. See #362 for more details.

k0ekk0ek avatar Aug 02 '24 08:08 k0ekk0ek

Notes:

Some common certificate errors I believe we should log in normal logging (5 or something else) with a clear message explaining the exact problem to the operator:

  • certificate CN/SAN mismatch with tls-auth auth-domain-name
  • certificate expired
  • tls-cert-bundle does not verify certificate given by client (server side)
  • tls-cert-bundle does not verify certificate given by server (client side)
  • possible connection errors on tls-auth-port
  • maybe better output when client requests tls XFR on non tls-auth-port
  • certificate/key open file errors or permissions problem/warning checks
  • other certificate errors?

Maybe some of them are already covered, I just wanted to document all possible (common) scenarios.

bilias avatar Aug 02 '24 11:08 bilias
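As an added illustration of what the issue and the comment above ask for (this is example code, not NSD's own), the block below maps an X.509 verification result to an operator-facing message for the scenarios listed (CN/SAN mismatch with tls-auth auth-domain-name, expired certificate, tls-cert-bundle not verifying the client's or server's certificate) and emits it through a verbosity-gated logger instead of a DEBUG-only path. The verify error codes carry the values from OpenSSL's `x509_vfy.h` but are redefined locally so the example builds without linking OpenSSL; the logger (`tls_log`, `tls_verbosity`, `TLS_LOG_LEVEL`), the function names and the peer address `192.0.2.10` are constructed for the example and are not NSD identifiers.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Verification result codes with the values defined in OpenSSL's
 * <openssl/x509_vfy.h>. They are redefined locally only so that this example
 * builds without linking OpenSSL; real code includes the header instead. */
#define X509_V_OK                                     0
#define X509_V_ERR_CERT_NOT_YET_VALID                 9
#define X509_V_ERR_CERT_HAS_EXPIRED                  10
#define X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT       18
#define X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN         19
#define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY 20
#define X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE   21
#define X509_V_ERR_CERT_UNTRUSTED                    27
#define X509_V_ERR_HOSTNAME_MISMATCH                 62
#define X509_V_ERR_IP_ADDRESS_MISMATCH               64

/* Hypothetical verbosity-gated logger standing in for the daemon's normal
 * (non-DEBUG) log path. tls_verbosity plays the role of the configured
 * verbosity; tls_last_log keeps the last emitted line so it can be inspected. */
#define TLS_LOG_LEVEL 5
static int  tls_verbosity = 0;
static char tls_last_log[512];

static int tls_log(int level, const char *fmt, ...)
{
    va_list ap;
    if (level > tls_verbosity)
        return 0;                 /* below the configured verbosity: dropped */
    va_start(ap, fmt);
    vsnprintf(tls_last_log, sizeof tls_last_log, fmt, ap);
    va_end(ap);
    fprintf(stderr, "%s\n", tls_last_log);
    return 1;
}

/* Translate a verify result (as returned by SSL_get_verify_result() after the
 * handshake) into an operator-facing explanation. side is "server" when a
 * client certificate was checked and "client" when a server certificate was.
 * Returns NULL when verification succeeded. */
const char *tls_verify_explanation(long verify_result, const char *side)
{
    int checking_client = strcmp(side, "server") == 0;
    switch (verify_result) {
    case X509_V_OK:
        return NULL;
    case X509_V_ERR_HOSTNAME_MISMATCH:
    case X509_V_ERR_IP_ADDRESS_MISMATCH:
        return "certificate CN/SAN does not match tls-auth auth-domain-name";
    case X509_V_ERR_CERT_HAS_EXPIRED:
        return "certificate has expired";
    case X509_V_ERR_CERT_NOT_YET_VALID:
        return "certificate is not yet valid (check clock and notBefore)";
    case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
    case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
    case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
    case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
    case X509_V_ERR_CERT_UNTRUSTED:
        return checking_client
            ? "tls-cert-bundle does not verify the certificate presented by the client"
            : "tls-cert-bundle does not verify the certificate presented by the server";
    default:
        return "certificate verification failed";
    }
}

/* Log a failed verification at the normal (non-DEBUG) level, naming the peer,
 * the expected name and the reason. Returns 1 if a line was emitted. */
int tls_log_verify_failure(long verify_result, const char *side,
                           const char *auth_domain_name, const char *peer)
{
    const char *why = tls_verify_explanation(verify_result, side);
    if (why == NULL)
        return 0;                 /* verification succeeded: nothing to log */
    return tls_log(TLS_LOG_LEVEL,
                   "error: mutual TLS (%s side) rejected %s (expected name %s): "
                   "%s (x509 verify error %ld)",
                   side, peer, auth_domain_name, why, verify_result);
}

int main(void)
{
    /* Constructed scenario: on the server side, peer 192.0.2.10 presents a
     * certificate whose name does not match the configured auth-domain-name. */
    tls_verbosity = TLS_LOG_LEVEL;
    tls_log_verify_failure(X509_V_ERR_HOSTNAME_MISMATCH, "server",
                           "secondary.example.", "192.0.2.10");
    tls_verbosity = 0;            /* default verbosity: the same failure is dropped */
    tls_log_verify_failure(X509_V_ERR_HOSTNAME_MISMATCH, "server",
                           "secondary.example.", "192.0.2.10");
    return 0;
}
```

Because the message is gated on runtime verbosity rather than on a DEBUG build, an operator can raise the verbosity on a release build and see which of the listed problems caused the rejection without rebuilding the daemon.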