Steve Fenter <steven.fenter58@xxxxxxxxx> writes:

>I've done a fair amount of TLS handshake troubleshooting, and it's usually
>long and painful because the error codes are so vague.
>[...]
>The vague error messages are leading directly to more downtime, and this
>should be balanced with the other security needs.

This was the reason for the sole new feature that was added to SCEP, an optional text-form error message to explain why you didn't get a certificate. Prior to that it was pure guesswork; there was just a generic error code saying "you didn't get your cert", which made things almost impossible to debug if you didn't have someone you could phone at the CA who could tell you why you didn't get your cert.

As you mention, debugging TLS is unnecessarily painful if there's a problem: you typically just get a handshake-failed alert, which is essentially no information at all. Having a debug-mode capability to send back a long-form error message would be extremely useful, maybe an extension to say "send back a long-form alert with more than just 'BOOLEAN succeeded = FALSE' in it".

Peter.