[pdm-devel] [PATCH proxmox] client: handle tls verification errors more gracefully

Tue Dec 2 12:22:36 CET 2025

this makes it so that errors that previously would simply yield a
"client error (Connect)" now show a more useful error message, such
as:

Could not establish a TLS connection. Check whether the fingerprint
matches or the certificate is valid. OpenSSL Error: error:0A000086:SSL
routines:tls_post_process_server_certificate:certificate verify
failed:../ssl/statem/statem_clnt.c:2123:

this should help users figure out what's really happened more easily.

Signed-off-by: Shannon Sterz <s.sterz at proxmox.com>
---
there might also be one or two bugs hiding in how the client handles
certificate validation. imo setting a fingerprint should override
certificate validity and not the other way round. as it is somewhat akin
to pinning a certificate.

also as fabian pointed out in an off list discussion, the use of
`current_cert` in `verify_fingerprint` may be wrong as it could yield a
parent certificate if it is already unverifiable by openssl. this one
would need some more investigation, though.

left both of these as-is, as that seems like some bigger changes for
right now.

 proxmox-client/src/client.rs | 42 ++++++++++++++++++++++++++++--------
 1 file changed, 33 insertions(+), 9 deletions(-)

diff --git a/proxmox-client/src/client.rs b/proxmox-client/src/client.rs
index da2c5c59..81af5681 100644
--- a/proxmox-client/src/client.rs
+++ b/proxmox-client/src/client.rs
@@ -242,10 +242,22 @@ impl Client {
         }
         .map_err(|err| Error::internal("failed to build request", err))?;

-        let response = client
-            .request(request)
-            .await
-            .map_err(|err| Error::Client(err.into()))?;
+        let response = client.request(request).await.map_err(|err| {
+            for err in err.chain() {
+                if let Some(err) = err.downcast_ref::<openssl::error::ErrorStack>() {
+                    return Error::Client(
+                        format!(
+                            "Could not establish a TLS connection. Check \
+                            whether the fingerprint matches or the certificate is valid. \
+                            OpenSSL Error: {err}"
+                        )
+                        .into(),
+                    );
+                }
+            }
+
+            Error::Client(err.into())
+        })?;

         if response.status() == StatusCode::UNAUTHORIZED {
             return Err(Error::Unauthorized);
@@ -352,11 +364,23 @@ impl Client {
             .body(request.body.into())
             .map_err(|err| Error::internal("error building login http request", err))?;

-        let api_response = self
-            .client
-            .request(request)
-            .await
-            .map_err(|err| Error::Client(err.into()))?;
+        let api_response = self.client.request(request).await.map_err(|err| {
+            for err in err.chain() {
+                if let Some(err) = err.downcast_ref::<openssl::error::ErrorStack>() {
+                    return Error::Client(
+                        format!(
+                            "Could not establish a TLS connection. Check \
+                            whether the fingerprint matches or the certificate is valid. \
+                            OpenSSL Error: {err}"
+                        )
+                        .into(),
+                    );
+                }
+            }
+
+            Error::Client(err.into())
+        })?;
+
         if !api_response.status().is_success() {
             return Err(Error::api(api_response.status(), "authentication failed"));
         }
--
2.47.3



