SSL connection misconfigurations give cryptic feedback to user

Open damonfeldman opened this issue 4 years ago • 0 comments

If the configuration sets SSL to true, but the app server is not configured for SSL, the error response is cryptic.

To reproduce, set up a server without SSL (vanilla DHF install is fine) and use settings:

/* mlxprs:settings
{
  "host":     "localhost",
  "port": 8211,
  "contentDb": "sled-mes-FINAL",
  "modulesDb": "sled-mes-MODULES",
  "ssl": true,
  "authType": "digest",
  "user": "admin",
  "pwd": "admin"
}
*/

Response in results buffer is:

{
  "errno": "EPROTO",
  "code": "EPROTO",
  "syscall": "write"
}

The popup error says:

write EPROTO 140497846915416:error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER:../../third_party/boringssl/src/ssl/tls_record.cc:242:\n"

Ideal behavior would be to report that "an attempt was made to connect using SSL to an http server not configured with SSL" or similar.

For the reverse situation (ssl on server but ssl: false in config) the message

"message": "eval JavaScript on server: challenge request failed for /v1/eval",

is returned.

Better would be: "an attempt was made to connect without SSL to an http server configured to require SSL" or similar.

damonfeldman, Aug 04 '20 11:08
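
A sketch of the clearer reporting requested in this issue, as an added example (not mlxprs code and not from the issue author): `explainConnectError` and its return shape are hypothetical, and the sample errors are constructed from the fields and messages quoted above.

```javascript
// Added example, not mlxprs code. explainConnectError and its return shape are
// hypothetical; inputs mirror the settings and error fields quoted in the issue.
function explainConnectError(err, settings) {
  const e = err || {};
  const text = [e.code, e.message].filter(Boolean).join(' ');
  const target = `${settings.host}:${settings.port}`;

  if (settings.ssl === true && e.code === 'EPROTO') {
    // WRONG_VERSION_NUMBER means the reply was not a TLS record, which is
    // typically what a plain-HTTP listener sends back to a TLS ClientHello.
    if (/WRONG_VERSION_NUMBER/i.test(text)) {
      return {
        kind: 'tls-to-plaintext',
        hint: `An attempt was made to connect using SSL to ${target}, ` +
              'but the app server does not appear to be configured with SSL.',
      };
    }
    return { kind: 'tls-protocol-error',
             hint: `TLS handshake with ${target} failed (${text}).` };
  }
  if (settings.ssl === false && /challenge request failed/i.test(text)) {
    // Not conclusive on its own: a failed digest challenge can have other
    // causes, so the hint asks the user to check rather than asserting it.
    return {
      kind: 'plaintext-to-tls-suspected',
      hint: `The auth challenge from ${target} failed while "ssl" is false; ` +
            'check whether the app server is configured to require SSL.',
    };
  }
  return { kind: 'unknown', hint: text || 'Unknown connection error.' };
}

// Constructed samples (popup text abbreviated from the issue).
const sampleTlsToPlain = Object.assign(
  new Error('write EPROTO error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER'),
  { errno: 'EPROTO', code: 'EPROTO', syscall: 'write' });
const samplePlainToTls =
  new Error('eval JavaScript on server: challenge request failed for /v1/eval');

console.log(explainConnectError(sampleTlsToPlain, { host: 'localhost', port: 8211, ssl: true }).hint);
console.log(explainConnectError(samplePlainToTls, { host: 'localhost', port: 8211, ssl: false }).hint);
```

The function only reports the mismatch; it never retries with the other scheme, so the configured credentials are not resent over a transport the user did not choose.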