Bug 4129 - unbound-control error message with wrong cert permissions is too cryptic
Status: RESOLVED FIXED
Product: unbound
Classification: Unclassified
Component: server
Version: 1.7.3
Hardware: x86_64 Linux
Importance: P5 enhancement
Assigned To: unbound team
Reported: 2018-07-18 15:41 CEST by Petr Menšík
Modified: 2018-07-19 08:23 CEST

Attachments
patch with more simple errors on path errors (1.71 KB, patch)
2018-07-18 15:41 CEST, Petr Menšík

Description Petr Menšík 2018-07-18 15:41:53 CEST
Created attachment 514
patch with more simple errors on path errors

Hi!

When certificates specified by {control,server}-{cert,key}-file are missing or have wrong permissions, a very cryptic error message is produced. I understand it contains all details from OpenSSL, but I think a simpler message should be produced for common IO errors.

Example with wrong permissions of cert file:
error: Error setting up SSL_CTX client key and cert
139914932740992:error:0200100D:system library:fopen:Permission denied:crypto/bio/bss_file.c:292:fopen('/tmp/unbound_control.pem','r')
139914932740992:error:20074002:BIO routines:file_ctrl:system lib:crypto/bio/bss_file.c:294:
139914932740992:error:140DC002:SSL routines:use_certificate_chain_file:system lib:ssl/ssl_rsa.c:609:

I think this error message is not well understood by ordinary users. I have prepared a patch to simplify the error output. In my version, it would produce just two lines.
error: Error setting up SSL_CTX client cert
/tmp/unbound_control.pem: Permission denied

I think this way it is much clearer where it is broken.
Comment 1 Wouter Wijngaards 2018-07-19 08:23:03 CEST
Hi Petr,

Thank you very much for the patch, that error printout looks much more readable.  I have integrated it into the code repository.

Best regards, Wouter
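
One way to produce the two-line form of message proposed in the description, as an added example that is not the attached patch or unbound's own code: check the cert/key path before it is handed to the TLS library and report the failing path with its system error. The function name pem_path_check and the sample paths are assumptions made for this illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example (not unbound's code): check that a cert/key path opens as a
 * readable regular file before it is handed to the TLS library.
 * Returns 0 if usable; otherwise returns -1 and fills msg with the two-line
 * form proposed in this report: "error: <what>\n<path>: <reason>". */
int pem_path_check(const char *what, const char *path, char *msg, size_t len)
{
    struct stat st;
    const char *reason = NULL;
    /* O_NONBLOCK: do not hang if the path is a FIFO. */
    int fd = open(path, O_RDONLY | O_NONBLOCK);

    if (fd == -1 || fstat(fd, &st) == -1)
        reason = strerror(errno);
    else if (!S_ISREG(st.st_mode))
        reason = "Not a regular file";
    if (fd != -1)
        close(fd);
    if (reason == NULL) {
        if (len > 0)
            msg[0] = '\0';
        return 0;
    }
    snprintf(msg, len, "error: %s\n%s: %s", what, path, reason);
    return -1;
}

int main(void)
{
    /* Constructed sample paths: a missing file, a directory, a temp file. */
    char tmpl[] = "/tmp/pem_path_check_XXXXXX", msg[512];
    const char *paths[3] = { "/nonexistent-example/unbound_control.pem", "/tmp", tmpl };
    int i, fd = mkstemp(tmpl);

    if (fd != -1)
        close(fd);
    for (i = 0; i < 3; i++) {
        if (pem_path_check("Error setting up SSL_CTX client cert", paths[i], msg, sizeof(msg)) != 0)
            fprintf(stderr, "%s\n", msg);
        else
            printf("%s: ok\n", paths[i]);
    }
    unlink(tmpl);
    return 0;
}
```

A pre-check like this only improves the message: the file can change between the check and the load, so the result of the TLS library's own load call still has to be checked.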