
httpserver: client can spam logs with certificate errors

Open ChouJoe opened this issue 3 years ago • 2 comments

I am using HTTPS with Tornado like this:

    import os
    from tornado import httpserver

    # application and app_dir are defined elsewhere in the app
    server = httpserver.HTTPServer(
        application,
        ssl_options={
            "certfile": os.path.join(app_dir, "cert.pem"),
            "keyfile": os.path.join(app_dir, "key.pem"),
        },
    )

However, Tornado throws the warning below:

    WARNING:tornado.general:SSL Error on 22 ('192.168.1.100', 56992): [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:590)
    WARNING:tornado.general:SSL Error on 23 ('192.168.1.100', 56994): [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:590)
    WARNING:tornado.general:SSL Error on 19 ('192.168.1.100', 56989): [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:590)
    WARNING:tornado.general:SSL Error on 21 ('192.168.1.100', 57007): [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:590)
    WARNING:tornado.general:SSL Error on 22 ('192.168.1.100', 57008): [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:590)
    WARNING:tornado.general:SSL Error on 24 ('192.168.1.100', 57010): [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:590)
    WARNING:tornado.general:SSL Error on 23 ('192.168.1.100', 57009): [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:590)
    WARNING:tornado.general:SSL Error on 21 ('192.168.1.100', 57019): [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:590)
    WARNING:tornado.general:SSL Error on 19 ('192.168.1.100', 57017): [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:590)
    WARNING:tornado.general:SSL Error on 22 ('192.168.1.100', 57022): [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:590)
    WARNING:tornado.general:SSL Error on 25 ('192.168.1.100', 57039): [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:590)
    WARNING:tornado.general:SSL Error on 21 ('192.168.1.100', 57032): [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:590)
    WARNING:tornado.general:SSL Error on 21 ('192.168.1.100', 57048): [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:590)

What does the warning mean? And how can I fix it?

ChouJoe avatar Oct 15 '20 03:10 ChouJoe

You should probably ask general how-to questions on the Google Groups mailing list or on StackOverflow.

This error means that the client closed the connection to your server because it did not trust your server's certificate (which you probably generated locally). You'll need to use an "ignore certificate problems" option on the client while testing (for example the curl flag --insecure), and for real use you'll need a real SSL/TLS certificate (for example from Let's Encrypt).

ploxiln avatar Oct 15 '20 04:10 ploxiln

Hmm, it's annoying if a misconfigured client can spam the logs with warnings like this (especially if that misconfiguration could be intentional). I wonder if we can/should recognize ssl "alerts" and suppress logs for some or all of them.

Of course it's important that the "certificate unknown" error be surfaced somewhere, but presumably it's also exposed on the client side where it's much more actionable.

bdarnell avatar Oct 26 '20 00:10 bdarnell
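
An added example, not part of the thread and not Tornado's own code: one way an operator can keep a single peer from flooding the log with these warnings is a `logging.Filter` on the `tornado.general` logger that rate-limits client-sent alerts per IP and counts what it drops. The class and function names, the `CLIENT_ALERTS` set and the constructed sample lines are assumptions made for the illustration.

```python
import logging
import re
import time
from collections import defaultdict

# Matches the message format of the warnings quoted in this issue.
SSL_ERR = re.compile(r"SSL Error on \d+ \('(?P<ip>[^']+)', \d+\): \[SSL: (?P<alert>\w+)\]")
# Alerts caused by the peer, not actionable on the server (assumed set).
CLIENT_ALERTS = {"SSLV3_ALERT_CERTIFICATE_UNKNOWN"}
_TAIL = "[SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:590)"
SAMPLE = [  # constructed messages in the same format as the issue's log
    "SSL Error on 22 ('192.168.1.100', 56992): " + _TAIL,
    "SSL Error on 23 ('192.168.1.100', 56994): " + _TAIL,
    "SSL Error on 19 ('10.0.0.5', 40000): " + _TAIL,
]

class SSLAlertRateLimit(logging.Filter):
    """Pass at most `burst` client-alert warnings per peer IP per `window` seconds."""

    def __init__(self, burst=1, window=60.0, clock=time.monotonic):
        super().__init__()
        self.burst, self.window, self.clock = burst, window, clock
        self.state = {}                     # ip -> [window_start, seen]; unbounded here
        self.suppressed = defaultdict(int)  # ip -> records dropped, for later reporting

    def filter(self, record):
        m = SSL_ERR.search(record.getMessage())
        if not m or m.group("alert") not in CLIENT_ALERTS:
            return True                     # unrelated message or other SSL error: keep
        ip, now = m.group("ip"), self.clock()
        slot = self.state.get(ip)
        if slot is None or now - slot[0] >= self.window:
            slot = self.state[ip] = [now, 0]    # start a new window for this peer
        slot[1] += 1
        if slot[1] <= self.burst:
            return True                     # still surfaced: first alert(s) per window
        self.suppressed[ip] += 1
        return False

def install(burst=1, window=60.0):
    """Attach the filter to the logger named in the warnings above."""
    flt = SSLAlertRateLimit(burst, window)
    logging.getLogger("tornado.general").addFilter(flt)
    return flt

def run(lines, clock=time.monotonic):
    """Feed messages through a fresh filter; return (kept, suppressed counts)."""
    flt = SSLAlertRateLimit(clock=clock)
    rec = lambda s: logging.LogRecord("tornado.general", logging.WARNING, "", 0, s, None, None)
    return [s for s in lines if flt.filter(rec(s))], dict(flt.suppressed)
```

The per-IP `state` dictionary grows with the number of distinct peers, so a long-running server should cap or expire it; the `suppressed` counts can be logged periodically so the alert is still visible in aggregate.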