httpserver: client can spam logs with certificate errors
I am using HTTPS with Tornado like this:
server = httpserver.HTTPServer(
    application,
    ssl_options={
        "certfile": os.path.join(app_dir, "cert.pem"),
        "keyfile": os.path.join(app_dir, "key.pem"),
    },
)
However, Tornado throws the warning below:
WARNING:tornado.general:SSL Error on 22 ('192.168.1.100', 56992): [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:590)
WARNING:tornado.general:SSL Error on 23 ('192.168.1.100', 56994): [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:590)
WARNING:tornado.general:SSL Error on 19 ('192.168.1.100', 56989): [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:590)
WARNING:tornado.general:SSL Error on 21 ('192.168.1.100', 57007): [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:590)
WARNING:tornado.general:SSL Error on 22 ('192.168.1.100', 57008): [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:590)
WARNING:tornado.general:SSL Error on 24 ('192.168.1.100', 57010): [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:590)
WARNING:tornado.general:SSL Error on 23 ('192.168.1.100', 57009): [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:590)
WARNING:tornado.general:SSL Error on 21 ('192.168.1.100', 57019): [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:590)
WARNING:tornado.general:SSL Error on 19 ('192.168.1.100', 57017): [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:590)
WARNING:tornado.general:SSL Error on 22 ('192.168.1.100', 57022): [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:590)
WARNING:tornado.general:SSL Error on 25 ('192.168.1.100', 57039): [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:590)
WARNING:tornado.general:SSL Error on 21 ('192.168.1.100', 57032): [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:590)
WARNING:tornado.general:SSL Error on 21 ('192.168.1.100', 57048): [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:590)
What does the warning mean? And how can I fix it?
You should probably ask general how-to questions on the Google Groups mailing list or on StackOverflow.
This error means that the client closed the connection to your server because it did not trust your server's certificate (which you probably generated locally). You'll need to use an "ignore certificate problems" option on the client while testing (for example the curl flag --insecure), and for real use you'll need a real SSL/TLS certificate (for example from Let's Encrypt).
Hmm, it's annoying if a misconfigured client can spam the logs with warnings like this (especially if that misconfiguration could be intentional). I wonder if we can/should recognize ssl "alerts" and suppress logs for some or all of them.
Of course it's important that the "certificate unknown" error be surfaced somewhere, but presumably it's also exposed on the client side where it's much more actionable.
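One way to apply the suppression idea raised in the last comment, as an added example that is not part of the thread and not Tornado's own code: a `logging.Filter` for the `tornado.general` logger that rate-limits these warnings per client address and alert name while still reporting how many were dropped. `SSLAlertRateLimit` and `demo` are hypothetical names, and the regex assumes the message format shown in the log lines above.

```python
import logging
import re
import time

# Message format taken from the log lines quoted in the issue above.
SSL_ERR = re.compile(
    r"SSL Error on \d+ \('(?P<ip>[^']+)', \d+[^)]*\): \[SSL: (?P<alert>\w+)\]")


class SSLAlertRateLimit(logging.Filter):
    """Pass at most `burst` SSL-alert warnings per (client IP, alert) per window."""

    def __init__(self, burst=1, window=60.0, clock=time.monotonic):
        super().__init__()
        self.burst, self.window, self.clock = burst, window, clock
        self.state = {}  # (ip, alert) -> [window_start, passed, suppressed]

    def filter(self, record):
        m = SSL_ERR.search(record.getMessage())
        if m is None:
            return True  # not an SSL alert line: leave it alone
        key, now = (m["ip"], m["alert"]), self.clock()
        entry = self.state.get(key)
        if entry is None or now - entry[0] >= self.window:
            dropped = entry[2] if entry else 0
            self.state[key] = [now, 1, 0]
            if dropped:  # keep the signal: report what the last window hid
                record.msg = "%s (%d similar suppressed)" % (record.getMessage(), dropped)
                record.args = None
            return True
        if entry[1] < self.burst:
            entry[1] += 1
            return True
        entry[2] += 1
        return False


def demo():
    """Replay constructed log lines at fake timestamps; return what gets through."""
    now = [0.0]
    flt = SSLAlertRateLimit(burst=1, window=60.0, clock=lambda: now[0])
    err = "[SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:590)"
    emitted = []
    for t, port in [(0, 56992), (1, 56994), (2, 56989), (61, 57007)]:
        now[0] = t
        msg = "SSL Error on 22 ('192.168.1.100', %d): %s" % (port, err)
        rec = logging.makeLogRecord({"msg": msg, "levelno": logging.WARNING})
        if flt.filter(rec):
            emitted.append(rec.getMessage())
    return emitted

# In a real server: logging.getLogger("tornado.general").addFilter(SSLAlertRateLimit())
```

The `state` dict grows with the number of distinct client addresses, so a long-running server should expire or cap its entries. A count accumulated in a client's final window is only reported if that client triggers the alert again.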