Skip to content

Improve TLS/SSL certificate error messages during handshake failures #7891

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Oct 9, 2025
Merged

Improve TLS/SSL certificate error messages during handshake failures #7891

merged 4 commits into from
Oct 9, 2025

Conversation

@Aaronontheweb
Copy link
Member

Summary

Resolves #7890 by providing human-readable, actionable error messages for TLS/SSL certificate validation failures.

Changes

Added TlsErrorMessageBuilder helper class (DotNettyTransportSettings.cs):

  • Maps SslPolicyErrors to detailed explanations
  • Interprets X509ChainStatusFlags with specific troubleshooting suggestions
  • Provides role-specific guidance (client vs server)
  • Comprehensive coverage of all certificate chain validation issues

Enhanced server-side mutual TLS validation (DotNettyTransport.cs):

  • Upgraded from Warning to Error level for better visibility
  • "No client certificate" scenario now includes detailed troubleshooting steps
  • Certificate validation failures include full chain status diagnostics
  • All errors log certificate details (subject, issuer, thumbprint, validity dates)

Enhanced TLS exception handling (TcpTransport.cs):

  • Added detailed error messages to UserEventTriggered for TlsHandshakeCompletionEvent failures
  • Enhanced ExceptionCaught to detect and report AuthenticationException and CryptographicException
  • Client-side and server-side failures now have specific troubleshooting guidance

Updated test expectations:

  • Clarified why certificate password errors cannot be improved (thrown by .NET Framework)
  • Updated test comments to reflect enhanced error message behavior

Test Results

All existing TLS tests pass:

  • ✓ DotNettyTlsHandshakeFailureSpec (2 tests)
  • ✓ DotNettyMutualTlsSpec (6 tests)
  • ✓ DotNettySslSupportSpec (9 tests)

Example Enhanced Error Output

Before:

[WARNING] Mutual TLS: Client certificate validation failed with errors: RemoteCertificateChainErrors

After:

[ERROR] Mutual TLS authentication failed: Client certificate validation error.
TLS/SSL certificate validation failed:
  - Certificate chain validation errors
    - UntrustedRoot: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
      Suggestion: Certificate chain terminates in an untrusted root. Install root CA certificate in Trusted Root Certification Authorities store.
    - PartialChain: A certificate chain could not be built to a trusted root authority.
      Suggestion: Certificate chain is incomplete. Install all intermediate CA certificates from your certificate provider.

Certificate Details:
  Subject: CN=akka-test-cert
  Issuer: CN=akka-test-cert
  Thumbprint: ABC123...
  Valid From: 2024-01-01 00:00:00
  Valid To: 2037-01-01 00:00:00
  Has Private Key: True

Benefits

  • Faster troubleshooting of production TLS issues
  • Reduced support burden from unclear certificate errors
  • Better developer experience during certificate configuration
  • Easier migration to mutual TLS with clear guidance on requirements

@Aaronontheweb
Improve TLS/SSL certificate error messages during handshake failures (a…
11398bf 
…kkadotnet#7890)

Added TlsErrorMessageBuilder helper class to provide human-readable error messages for TLS certificate validation failures. Enhanced error messages now include:

- Detailed SSL policy error interpretations
- X509 chain status diagnostics with actionable suggestions
- Certificate details (subject, issuer, thumbprint, validity dates)
- Role-specific troubleshooting guidance (client vs server)

Updated certificate validation callback in mutual TLS to use enhanced error messages.
Added TLS exception handling in TcpHandlers to detect and report AuthenticationException and CryptographicException with detailed diagnostics.

All existing TLS tests continue to pass.
@Aaronontheweb
Enhance TLS error logging across all handshake scenarios
f7c84d2 
Upgraded mutual TLS validation errors from Warning to Error level for better visibility. Enhanced error messages now cover all TLS failure scenarios:

Server-side mutual TLS validation:
- No client certificate provided: detailed error with troubleshooting steps
- Client certificate validation failures: comprehensive chain validation diagnostics

Client-side and general handshake failures:
- Added enhanced error diagnostics to UserEventTriggered for TlsHandshakeCompletionEvent
- Improved client-side troubleshooting guidance including certificate trust chain requirements
- Both client and server TLS exceptions now include role-specific troubleshooting

All error messages provide actionable suggestions and certificate details to aid in diagnosis.
@Aaronontheweb Aaronontheweb added this to the 1.6.0 milestone Oct 8, 2025
@Aaronontheweb Aaronontheweb mentioned this pull request Oct 9, 2025
Closed
5 tasks
@Aaronontheweb Aaronontheweb enabled auto-merge (squash) October 9, 2025 18:30
@Aaronontheweb Aaronontheweb disabled auto-merge October 9, 2025 19:38
@Aaronontheweb Aaronontheweb merged commit 251bcd9 into akkadotnet:dev Oct 9, 2025
9 of 11 checks passed
@Aaronontheweb Aaronontheweb deleted the feature/enhance-tls-error-messages branch October 9, 2025 19:38
Aaronontheweb added a commit to Aaronontheweb/akka.net that referenced this pull request Oct 9, 2025
@Aaronontheweb
Improve TLS/SSL certificate error messages during handshake failures (a…
109aa3d 
…kkadotnet#7891)

* Improve TLS/SSL certificate error messages during handshake failures (akkadotnet#7890)

Added TlsErrorMessageBuilder helper class to provide human-readable error messages for TLS certificate validation failures. Enhanced error messages now include:

- Detailed SSL policy error interpretations
- X509 chain status diagnostics with actionable suggestions
- Certificate details (subject, issuer, thumbprint, validity dates)
- Role-specific troubleshooting guidance (client vs server)

Updated certificate validation callback in mutual TLS to use enhanced error messages.
Added TLS exception handling in TcpHandlers to detect and report AuthenticationException and CryptographicException with detailed diagnostics.

All existing TLS tests continue to pass.

* Enhance TLS error logging across all handshake scenarios

Upgraded mutual TLS validation errors from Warning to Error level for better visibility. Enhanced error messages now cover all TLS failure scenarios:

Server-side mutual TLS validation:
- No client certificate provided: detailed error with troubleshooting steps
- Client certificate validation failures: comprehensive chain validation diagnostics

Client-side and general handshake failures:
- Added enhanced error diagnostics to UserEventTriggered for TlsHandshakeCompletionEvent
- Improved client-side troubleshooting guidance including certificate trust chain requirements
- Both client and server TLS exceptions now include role-specific troubleshooting

All error messages provide actionable suggestions and certificate details to aid in diagnosis.
@Aaronontheweb Aaronontheweb mentioned this pull request Oct 9, 2025
Merged
Aaronontheweb added a commit that referenced this pull request Oct 10, 2025
@Aaronontheweb
Improve TLS/SSL certificate error messages during handshake failures (#…
8644c59 
…7891)

* Improve TLS/SSL certificate error messages during handshake failures (#7890)

Added TlsErrorMessageBuilder helper class to provide human-readable error messages for TLS certificate validation failures. Enhanced error messages now include:

- Detailed SSL policy error interpretations
- X509 chain status diagnostics with actionable suggestions
- Certificate details (subject, issuer, thumbprint, validity dates)
- Role-specific troubleshooting guidance (client vs server)

Updated certificate validation callback in mutual TLS to use enhanced error messages.
Added TLS exception handling in TcpHandlers to detect and report AuthenticationException and CryptographicException with detailed diagnostics.

All existing TLS tests continue to pass.

* Enhance TLS error logging across all handshake scenarios

Upgraded mutual TLS validation errors from Warning to Error level for better visibility. Enhanced error messages now cover all TLS failure scenarios:

Server-side mutual TLS validation:
- No client certificate provided: detailed error with troubleshooting steps
- Client certificate validation failures: comprehensive chain validation diagnostics

Client-side and general handshake failures:
- Added enhanced error diagnostics to UserEventTriggered for TlsHandshakeCompletionEvent
- Improved client-side troubleshooting guidance including certificate trust chain requirements
- Both client and server TLS exceptions now include role-specific troubleshooting

All error messages provide actionable suggestions and certificate details to aid in diagnosis.
@Aaronontheweb Aaronontheweb mentioned this pull request Oct 10, 2025
Merged
This was referenced Oct 10, 2025
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
This was referenced Oct 15, 2025
Merged
Merged
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
@Aaronontheweb Aaronontheweb mentioned this pull request Oct 21, 2025
Closed
8 tasks
This was referenced Oct 27, 2025
Open
Open
Open
Open
Open
Open
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dotnetty logging security

Projects

None yet

Milestone

1.6.0

Development

Successfully merging this pull request may close these issues.

Improve TLS/SSL certificate error messages during handshake failures

1 participant

@Aaronontheweb