Better surface TLS errors with hints

geldata · Feb 27, 2025 · 80db7c4 · 80db7c4
1 parent 7d446c6
commit 80db7c4
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 11 deletions.
diff --git a/gel-stream/Cargo.toml b/gel-stream/Cargo.toml
@@ -1,7 +1,7 @@
 [package]
 name = "gel-stream"
 license = "MIT/Apache-2.0"
-version = "0.1.2"
+version = "0.1.3"
 authors = ["MagicStack Inc. <hello@magic.io>"]
 edition = "2021"
 description = "A library for streaming data between clients and servers."

diff --git a/gel-tokio/Cargo.toml b/gel-tokio/Cargo.toml
@@ -17,7 +17,7 @@ gel-protocol = { path = "../gel-protocol", version = "0.8", features = [
 ] }
 gel-errors = { path = "../gel-errors", version = "0.5" }
 gel-derive = { path = "../gel-derive", version = "0.7", optional = true }
-gel-stream = { path = "../gel-stream", version = "0.1.2", features = ["client", "tokio", "rustls", "hickory", "keepalive"] }
+gel-stream = { path = "../gel-stream", version = "0.1.3", features = ["client", "tokio", "rustls", "hickory", "keepalive"] }
 gel-auth = { path = "../gel-auth", version = "0.1.3" }
 tokio = { workspace = true, features = ["net", "time", "sync", "macros"] }
 bytes = "1.5.0"

diff --git a/gel-tokio/src/raw/connection.rs b/gel-tokio/src/raw/connection.rs
@@ -287,15 +287,29 @@ async fn connect2(
 
     // Allow plaintext reconnection if and only if ClientSecurity is InsecureDevMode and
     // the server replied with something that looks like TLS handshake failure.
-    if let Err(ConnectionError::SslError(e)) = &res {
-        if e.common_error() == Some(CommonError::InvalidTlsProtocolData) && cfg.0.client_security == ClientSecurity::InsecureDevMode {
-            target.try_remove_tls();
-            warn!("TLS handshake failed, trying again without TLS");
-            *warned = true;
-
-            let mut connector = Connector::new(target.clone()).map_err(ClientConnectionError::with_source)?;
-            connector.set_keepalive(cfg.0.tcp_keepalive);
-            res = connector.connect().await;
+    if let Err(ConnectionError::SslError(e)) = res {
+        match e.common_error() {
+            Some(CommonError::InvalidTlsProtocolData) => {
+                if cfg.0.client_security == ClientSecurity::InsecureDevMode {
+                    target.try_remove_tls();
+                    warn!("TLS handshake failed, trying again without TLS");
+                    *warned = true;
+                    let mut connector = Connector::new(target.clone()).map_err(ClientConnectionError::with_source)?;
+                    connector.set_keepalive(cfg.0.tcp_keepalive);
+                    res = connector.connect().await;
+                } else {
+                    res = Err(ConnectionError::SslError(e));
+                }
+            }
+            Some(CommonError::InvalidCertificateForName) => {
+                return Err(ClientConnectionError::with_source(e).context(format!("The server's certificate does not match the requested host name ({:?}). Use `--tls-security no-host-verification` to bypass this check.", target.host().unwrap_or_default())));
+            }
+            Some(e) => {
+                return Err(ClientConnectionError::with_source(e).context(format!("TLS handshake failed while connecting to ({:?}) ({e:?}). Check client and server TLS options and try again.", target)));
+            }
+            None => {
+                res = Err(ConnectionError::SslError(e));
+            }
         }
     }