
Suppress errors on self-signed cert `TCP handshake failed`

Open XChikuX opened this issue 1 month ago • 6 comments

My HAProxy server at (10.9.9.3) load balances between several servers. I also terminate SSL from Cloudflare here, while my internal HTTPS requests are still served via a self-signed cert.

[INFO] TCP handshake failed with error: TlsAcceptError { error: Os { code: 104, kind: ConnectionReset, message: "Connection reset by peer" }, peer_addr: 10.9.9.3:54800 }

Is there a way to suppress these errors without affecting the rest of the app?

XChikuX avatar Oct 27 '25 12:10 XChikuX

I guess you can change the log level to be less verbose just for granian logger.

gi0baro avatar Oct 28 '25 15:10 gi0baro
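One way to do what this comment suggests without lowering the level of the whole logger: attach a logging filter that drops only the "TCP handshake failed ... ConnectionReset" records and counts what it dropped, so the rest of the INFO output (and handshake failures with any other cause) is untouched. This is an added example, not code from granian or from the thread; it assumes granian's main logger is named "_granian" (an assumption, change the name if your deployment differs), and the sample log lines are constructed, modelled on the line quoted in the issue.

```python
from __future__ import annotations

import logging
import re
from typing import List, Tuple

# Assumption (not stated in the issue): granian's main logger is named "_granian".
GRANIAN_LOGGER = "_granian"

# Match only handshake failures caused by the peer resetting the connection,
# i.e. the noise described in the issue. Other TlsAcceptError causes still log.
_RESET_RE = re.compile(r"^TCP handshake failed with error: .*ConnectionReset")


class HandshakeResetFilter(logging.Filter):
    """Drop handshake-reset records but keep a count of how many were dropped,
    so the events can still be surfaced (metrics, a periodic summary) rather
    than vanishing silently."""

    def __init__(self) -> None:
        super().__init__()
        self.suppressed = 0

    def filter(self, record: logging.LogRecord) -> bool:
        if record.levelno <= logging.INFO and _RESET_RE.match(record.getMessage()):
            self.suppressed += 1
            return False  # swallow this record only
        return True  # everything else passes through unchanged


def install(logger_name: str = GRANIAN_LOGGER) -> HandshakeResetFilter:
    """Attach the filter to the named logger and return it for inspection."""
    flt = HandshakeResetFilter()
    logger = logging.getLogger(logger_name)
    # A filter on a Logger only sees records created through that exact logger;
    # attaching to its handlers also covers records propagated from child loggers.
    for target in logger.handlers or [logger]:
        target.addFilter(flt)
    return flt


# Constructed sample records, modelled on the line quoted in the issue.
SAMPLE_LINES = [
    'TCP handshake failed with error: TlsAcceptError { error: Os { code: 104, '
    'kind: ConnectionReset, message: "Connection reset by peer" }, '
    "peer_addr: 10.9.9.3:54800 }",
    "Listening at: http://0.0.0.0:8000",
    "TCP handshake failed with error: TlsAcceptError { error: Custom { "
    "kind: InvalidData, error: AlertReceived(UnknownCA) }, "
    "peer_addr: 10.9.9.3:54801 }",
]


def demo(lines: List[str] = SAMPLE_LINES) -> Tuple[List[str], int]:
    """Run the sample lines through an isolated logger with the filter
    installed; return (messages that were emitted, number suppressed)."""
    logger = logging.getLogger("demo._granian")  # isolated, not the real logger
    logger.setLevel(logging.INFO)
    logger.propagate = False
    captured: List[str] = []

    class _Collect(logging.Handler):
        def emit(self, record: logging.LogRecord) -> None:
            captured.append(record.getMessage())

    logger.handlers = [_Collect()]  # fresh handler each run, so filters don't pile up
    flt = install("demo._granian")
    for line in lines:
        logger.info(line)
    return captured, flt.suppressed


if __name__ == "__main__":
    emitted, dropped = demo()
    print(f"{dropped} handshake-reset record(s) suppressed")
    for msg in emitted:
        print("kept:", msg)
```

The filter keys on the cause inside the TlsAcceptError rather than on the "TCP handshake failed" prefix alone, so a genuine TLS problem (an unknown CA alert, an invalid record) still shows up at INFO; only the peer-reset case, which the thread attributes to the upstream closing the connection, is hidden, and even that is counted.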

@gi0baro Granian is not too verbose outside of this one though. I'd like to keep the rest of the info logs.

XChikuX avatar Oct 28 '25 16:10 XChikuX

I guess we could change those logs to be only in debug level, but I need to think more about it. People might rely on those log lines.

gi0baro avatar Oct 28 '25 16:10 gi0baro

Changing to debug would help!

It's unlikely anyone is exposing a granian endpoint directly.

It is likely via a cloud provider that auto-provisions SSL certs for the end user. In that scenario the user will always be behind a proxy such as the setup I have going on. Likely without turning on SSL at all.

Insecure -> Cloud Proxy -> Internet.

There is in fact no security issue on the server side from using a self-signed cert (assuming the pk hasn't been blatantly posted online and uses a modern encryption signing standard). It is more of a benefit for the client connecting to the server to know it is part of a trusted PKI group. The real security issue being, a compromised cert has not been withdrawn via a CRL (certificate revocation list) and continues to function as if everything is fine. And as you'd know, no one can catch this, including granian.

For reference purposes, uvicorn does not throw any logs for self-signed vs legitimate cert.

So I don't see the issue from my end. If you can think of one, do let me know.

XChikuX avatar Oct 29 '25 22:10 XChikuX

@XChikuX I think you're misunderstanding that logline. The message is not about certificates, but the upstream aborting the connection.

gi0baro avatar Oct 31 '25 10:10 gi0baro

Oh I see. However, my upstream seems to work fine.

Are you sure the error isn't misplaced? I'll have to see if each request is partially getting dropped.

However, when I tested without HAProxy on my dev machine, I didn't see any drops. Just the TLS warning for self-signed.

XChikuX avatar Oct 31 '25 11:10 XChikuX