erlang / otp

Erlang/OTP
http://erlang.org
Apache License 2.0

tls_dyn_connection_sup progress logging includes megabytes of certificate data #8715

Closed eproxus closed 1 week ago

eproxus commented 1 month ago

Describe the bug
When progress logging is enabled and TLS is used, there is a supervisor tls_dyn_connection_sup started that logs all arguments used to start it.

When passing a custom certificate list to TLS start options, these are included as-is in the cacerts option to this supervisor which results in megabytes and tens of thousands of lines of logs every time this process is started (often resulting in making it impossible to see any lines before this in the terminal since most terminals have a default line limit well below this).

To Reproduce
Start an SSL connection with options like [{cacerts, public_key:cacerts_get()}] (or use e.g. tls_certificate_check).

Expected behavior
Logs are useful and readable.

Affected versions
27.0.1 (and earlier)

Additional context

Example:

2024-08-13T09:33:27.614089+02:00 info:
    supervisor: {<0.1523.0>,tls_dyn_connection_sup}
    started: [{pid,<0.1525.0>},
              {id,receiver},
              {mfargs,
                  {ssl_gen_statem,start_link,
                      [client,<0.1524.0>,"idp.kivra.net",443,#Port<0.71>,
                       {#{psk_identity => undefined,log_level => notice,
                          eccs =>
                              {elliptic_curves,
                                  [{1,3,101,110},
                                   {1,3,101,111},
                                   {1,3,132,0,35},
                                   {1,3,36,3,3,2,8,1,1,13},
                                   {1,3,132,0,34},
                                   {1,3,36,3,3,2,8,1,1,11},
                                   {1,2,840,10045,3,1,7},
                                   {1,3,36,3,3,2,8,1,1,7}]},
                          verify_fun =>
                              {fun ssl_verify_hostname:verify_fun/3,
                               [{check_hostname,"idp.kivra.net"}]},
                          verify => verify_peer,secure_renegotiate => true,
                          early_data => undefined,protocol => tls,
                          supported_groups =>
                              {supported_groups,
                                  [x25519,x448,secp521r1,secp384r1,secp256r1,
                                   brainpoolP512r1tls13,brainpoolP384r1tls13,
                                   brainpoolP256r1tls13]},
                          fallback => false,depth => 100,
                          use_ticket => undefined,crl_check => false,
                          srp_identity => undefined,
                          alpn_advertised_protocols => undefined,
                          signature_algs_cert =>
                              [default,eddsa_ed25519,eddsa_ed448,
                               ecdsa_secp521r1_sha512,ecdsa_secp384r1_sha384,
                               ecdsa_secp256r1_sha256,
                               ecdsa_brainpoolP512r1tls13_sha512,
                               ecdsa_brainpoolP384r1tls13_sha384,
                               ecdsa_brainpoolP256r1tls13_sha256,
                               rsa_pss_pss_sha512,rsa_pss_pss_sha384,
                               rsa_pss_pss_sha256,rsa_pss_rsae_sha512,
                               rsa_pss_rsae_sha384,rsa_pss_rsae_sha256,
                               rsa_pkcs1_sha512,rsa_pkcs1_sha384,
                               rsa_pkcs1_sha256,
                               {sha512,ecdsa},
                               {sha384,ecdsa},
                               {sha256,ecdsa},
                               rsa_pkcs1_sha1],
                          signature_algs =>
                              [eddsa_ed25519,eddsa_ed448,
                               ecdsa_secp521r1_sha512,ecdsa_secp384r1_sha384,
                               ecdsa_secp256r1_sha256,
                               ecdsa_brainpoolP512r1tls13_sha512,
                               ecdsa_brainpoolP384r1tls13_sha384,
                               ecdsa_brainpoolP256r1tls13_sha256,
                               rsa_pss_pss_sha512,rsa_pss_pss_sha384,
                               rsa_pss_pss_sha256,rsa_pss_rsae_sha512,
                               rsa_pss_rsae_sha384,rsa_pss_rsae_sha256,
                               rsa_pkcs1_sha512,rsa_pkcs1_sha384,
                               rsa_pkcs1_sha256,
                               {sha512,ecdsa},
                               {sha384,ecdsa},
                               {sha256,ecdsa}],
                          cert_policy_opts => [],certs_keys => [],
                          handshake => full,
                          versions => [{3,4},{3,3}],
                          key_update_at => 388736063997,
                          crl_cache => {ssl_crl_cache,{internal,[]}},
                          reuse_sessions => true,max_handshake_size => 131072,
                          max_fragment_length => undefined,
                          renegotiate_at => 268435456,
                          customize_hostname_check =>
                              [{match_fun,#Fun<public_key.6.75820660>}],
                          cacerts =>
                              [<<48,130,5,100,48,130,3,76,160,3,2,1,2,2,16,83,
                                 213,207,230,25,147,11,251,43,5,18,216,194,42,
                                 162,164,48,13,6,9,42,134,72,134,247,13,1,1,12,
                                 5,0,48,76,49,46,48,44,6,3,85,4,3,12,37,65,116,
                                 111,115,32,84,114,117,115,116,101,100,82,111,
                                 111,116,32,82,111,111,116,32,67,65,32,82,83,
                                 65,32,84,76,83,32,50,48,50,49,49,13,48,11,6,3,
                                 85,4,10,12,4,65,116,111,115,49,11,48,9,6,3,85,
                                 4,6,19,2,68,69,48,30,23,13,50,49,48,52,50,50,
                                 48,57,50,49,49,48,90,23,13,52,49,48,52,49,55,
                                 48,57,50,49,48,57,90,48,76,49,46,48,44,6,3,85,
                                 4,3,12,37,65,116,111,115,32,84,114,117,115,
                                 116,101,100,82,111,111,116,32,82,111,111,116,
                                 32,67,65,32,82,83,65,32,84,76,83,32,50,48,50,
                                 49,49,13,48,11,6,3,85,4,10,12,4,65,116,111,
                                 115,49,11,48,9,6,3,85,4,6,19,2,68,69,48,130,2,
                                 34,48,13,6,9,42,134,72,134,247,13,1,1,1,5,0,3,
                               ...
                        % 11 000 (!) more lines

IngelaAndin commented 1 month ago

Well, yes, it is annoying. You can of course filter them out if you really want progress reporting on in the first place (I view it as legacy debug feature). But for a long term solution I think that progress reporting should only be done for static parts of application supervisor trees.
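
The filtering suggested above can be done with a logger primary filter. The module below is an added example written for this page; it is not part of Erlang/OTP and not code from either commenter. The module name tls_progress_filter, the filter id tls_progress and the `scrub`/`drop` modes are assumptions. It relies on supervisor progress reports arriving at logger as a report map with `label => {supervisor, progress}` and `report => [{supervisor, {Pid, Name}}, {started, ChildInfo}]`, which is the shape rendered in the log excerpt in this issue. In `scrub` mode it replaces every cacerts list in the report with a count and total DER size, so the rest of the progress report (child id, mfargs, other options) stays readable; in `drop` mode it discards progress reports from tls_dyn_connection_sup only.

```erlang
%% tls_progress_filter.erl -- example logger filter (assumed module name, not
%% part of Erlang/OTP). Installed as a primary filter it either shortens the
%% cacerts option inside supervisor progress reports (mode `scrub`) or drops
%% the progress reports of tls_dyn_connection_sup altogether (mode `drop`).
-module(tls_progress_filter).
-export([install/1, filter/2, scrub/1, selftest/0]).

%% Mode is scrub | drop. The fun is referenced as fun M:F/2 so the filter
%% keeps working after a code reload of this module.
install(Mode) when Mode =:= scrub; Mode =:= drop ->
    logger:add_primary_filter(tls_progress, {fun ?MODULE:filter/2, Mode}).

%% Supervisor progress reports reach the filter as a report map of the form
%%   #{label => {supervisor, progress},
%%     report => [{supervisor, {Pid, Name}}, {started, ChildInfo}]}
%% where ChildInfo carries the {mfargs, {M, F, Args}} seen in the issue.
filter(#{msg := {report, #{label := {supervisor, progress},
                            report := Report} = Msg}} = Event, Mode) ->
    case {Mode, lists:keyfind(supervisor, 1, Report)} of
        {drop, {supervisor, {_Pid, tls_dyn_connection_sup}}} ->
            stop;                       % discard this event entirely
        {drop, _OtherSupervisor} ->
            ignore;                     % leave other supervisors alone
        {scrub, _} ->
            Event#{msg := {report, Msg#{report := scrub(Report)}}}
    end;
filter(_Event, _Mode) ->
    ignore.                             % not a progress report

%% Walk the report term and replace every cacerts value (map key or
%% {cacerts, List} tuple) with a short summary. Other binaries, strings
%% and improper lists are left untouched.
scrub(Map) when is_map(Map) ->
    maps:map(fun(cacerts, Certs) when is_list(Certs) -> summarize(Certs);
                (_Key, Value) -> scrub(Value)
             end, Map);
scrub({cacerts, Certs}) when is_list(Certs) ->
    {cacerts, summarize(Certs)};
scrub(Tuple) when is_tuple(Tuple) ->
    list_to_tuple(scrub(tuple_to_list(Tuple)));
scrub([Head | Tail]) ->
    [scrub(Head) | scrub(Tail)];
scrub(Other) ->
    Other.

%% Report a count and total DER size instead of the certificates themselves.
%% Entries are DER binaries or OTP's combined {cert, Der, Decoded} form.
summarize(Certs) ->
    Bytes = lists:sum([cert_size(C) || C <- Certs]),
    {omitted, #{count => length(Certs), der_bytes => Bytes}}.

cert_size(Der) when is_binary(Der) -> byte_size(Der);
cert_size({cert, Der, _Decoded}) when is_binary(Der) -> byte_size(Der);
cert_size(_Unknown) -> 0.

%% Sanity check on a constructed report shaped like the one in the issue
%% (two tiny constructed "certificates", 4 bytes each).
selftest() ->
    Report = [{supervisor, {self(), tls_dyn_connection_sup}},
              {started, [{id, receiver},
                         {mfargs, {ssl_gen_statem, start_link,
                                   [client, self(), "example.invalid", 443,
                                    {#{cacerts => [<<48,130,5,100>>, <<48,130,3,76>>],
                                       verify => verify_peer}, extra}]}}]}],
    [{supervisor, _}, {started, [_, {mfargs, {_, _, [_, _, _, _, {Opts, extra}]}}]}] =
        scrub(Report),
    #{cacerts := {omitted, #{count := 2, der_bytes := 8}},
      verify := verify_peer} = Opts,
    ok.
```

Call `tls_progress_filter:install(scrub)` from application start code before progress reporting is switched on; `tls_progress_filter:selftest()` exercises the scrubbing on the constructed report without touching logger. The walk only rewrites values keyed `cacerts`, so the large DER binaries never reach the formatter, which is where the line explosion in the report above comes from.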

IngelaAndin commented 1 week ago

8741 merged