[pdm-devel] applied: [PATCH proxmox] client: handle tls verification errors more gracefully
Lukas Wagner
l.wagner at proxmox.com
Wed Dec 3 11:53:15 CET 2025
On Tue Dec 2, 2025 at 12:22 PM CET, Shannon Sterz wrote:
> this makes it so that errors that previously would simply yield a
> "client error (Connect)" now show a more useful error message, such
> as:
>
> Could not establish a TLS connection. Check whether the fingerprint
> matches or the certificate is valid. OpenSSL Error: error:0A000086:SSL
> routines:tls_post_process_server_certificate:certificate verify
> failed:../ssl/statem/statem_clnt.c:2123:
>
> this should help users figure out what's really happened more easily.
>
> Signed-off-by: Shannon Sterz <s.sterz at proxmox.com>
> ---
> there might also be one or two bugs hiding in how the client handles
> certificate validation. imo setting a fingerprint should override
> certificate validity and not the other way round. as it is somewhat akin
> to pinning a certificate.
>
> also as fabian pointed out in an off list discussion, the use of
> `current_cert` in `verify_fingerprint` may be wrong as it could yield a
> parent certificate if it is already unverifiable by openssl. this one
> would need some more investigation, though.
>
> left both of these as-is, as that seems like some bigger changes for
> right now.
>
Just for the record, this was already applied [1].
[1] https://git.proxmox.com/?p=proxmox.git;a=commitdiff;h=0d96b40f3d13653f44d2e56d887bef2b123c4b92