On 3/30/18 at 7:35 PM, pgut001@xxxxxxxxxxxxxxxxx (Peter Gutmann) wrote:
> As you mention, debugging TLS is unnecessarily painful if there's a problem,
> you typically just get a handshake-failed alert which is essentially no
> information at all. Having a debug-mode capability to send back a long-form
> error message would be extremely useful, maybe an extension to say "send back
> a long-form alert with more than just 'BOOLEAN succeeded = FALSE' in it".
We have always avoided the long form error messages in TLS
because they can be of great help to attackers as well as
debuggers. I think this objection is much weaker if we write the
long form error messages into a log that is kept with other
server logs.
Cheers - Bill
-----------------------------------------------------------------------
Bill Frantz        | Ham radio contesting is a   | Periwinkle
(408)356-8506      | contact sport.              | 16345 Englewood Ave
www.pwpconsult.com | - Ken Widelitz K6LA / VY2TT | Los Gatos, CA 95032
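An added example (not part of this thread) of the split Bill describes, using Python's ssl module: an in-memory handshake constructed to fail because the server loads no certificate, where the full OpenSSL diagnosis goes to a server-side log and the client learns only the handshake_failure alert. The exact server-side reason string depends on the OpenSSL build.

```python
import io
import logging
import ssl

def _pump(src_out: ssl.MemoryBIO, dst_in: ssl.MemoryBIO) -> None:
    dst_in.write(src_out.read())  # hand one side's outbound bytes to the other


def run_failed_handshake() -> dict:
    """Drive an in-memory TLS handshake that is constructed to fail (the
    server loads no certificate) and record what each side learns."""
    log_buf = io.StringIO()
    logger = logging.getLogger("tls-server-debug")
    logger.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(log_buf)
    logger.addHandler(handler)

    srv_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)  # no cert: handshake must fail
    cli_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    cli_ctx.check_hostname = False
    cli_ctx.verify_mode = ssl.CERT_NONE
    srv_in, srv_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    cli_in, cli_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    server = srv_ctx.wrap_bio(srv_in, srv_out, server_side=True)
    client = cli_ctx.wrap_bio(cli_in, cli_out, server_hostname="example.test")

    server_reason = client_reason = None
    for _ in range(8):  # this failure needs only two round trips
        if client_reason is None:
            try:
                client.do_handshake()
            except ssl.SSLWantReadError:
                pass
            except ssl.SSLError as exc:  # the peer sees only the alert
                client_reason = exc.reason
        _pump(cli_out, srv_in)
        if server_reason is None:
            try:
                server.do_handshake()
            except ssl.SSLWantReadError:
                pass
            except ssl.SSLError as exc:  # the long-form diagnosis stays here
                server_reason = exc.reason
                logger.debug("handshake failed: %s (%s)", exc.reason, exc)
        _pump(srv_out, cli_in)  # carries only the alert record to the client
        if server_reason and client_reason:
            break
    logger.removeHandler(handler)
    return {"server_reason": server_reason, "client_reason": client_reason,
            "server_log": log_buf.getvalue()}
```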