Open esnible opened 3 years ago
The TLS version should be configurable, see this flag https://github.com/observatorium/api/blob/main/main.go#L830.
I'm also thinking, for the purposes of running tests, we might want to adjust the tests for users to choose if to run Observatorium on HTTPS or plain HTTP.
Observatorium-API requires TLS 1.3 which is not default on MacOS. In addition, the error message on Mac is a bit confusing:
First, I ran
make test-interactive
. (Note that this test prints many lines of stuff, then the important bit with the ports, then endless lines of server logs. The docs should highlight that the user of this test needs to hunt through the output looking for.)I wanted to test the Observatorium API.
(It might be worthwhile to put
https://
on the endpoints output above).After three hours of hair-pulling, and
openssl s_client
debugging, the problem became obvious:Observatorium-Api requires TLS 1.3, and MacOS curl doesn't output anything useful.
Following the instructions on https://learnings.bolmaster2.com/posts/curl-openssl-tlsv1.3-on-macos.html I was able to get a openssl-based
curl
and verify Observatorium-api is fine:My suggestion is either configure Observatorium-API to tolerate TLS 1.2 or include a section for Mac users explaining that
SSL routines:CONNECT_CR_SRVR_HELLO:tlsv1 alert protocol version
means that a 3rd-party openssl-basedcurl
is needed.My Chrome could have handled this. I went to https://127.0.0.1:63330/ in Chrome and was prompted for a cert. If I had clicked 'cancel' I would have seen everything was fine but I was uncertain which cert to supply so I didn't try.