tls_dyn_connection_sup progress logging includes megabytes of certificate data #8715

Closed
eproxus opened this issue Aug 13, 2024 · 2 comments
Labels: bug, enhancement, not a bug, Planned, team:PS

eproxus commented Aug 13, 2024

Describe the bug
When progress logging is enabled and TLS is used, there is a supervisor tls_dyn_connection_sup started that logs all arguments used to start it.

When passing a custom certificate list to TLS start options, these are included as-is in the cacerts option to this supervisor which results in megabytes and tens of thousands of lines of logs every time this process is started (often resulting in making it impossible to see any lines before this in the terminal since most terminals have a default line limit well below this).

To Reproduce
Start an SSL connection with options like [{cacerts, public_key:cacerts_get()}] (or use e.g. tls_certificate_check).

Expected behavior
Logs are useful and readable.

Affected versions
27.0.1 (and earlier)

Additional context

Example:

2024-08-13T09:33:27.614089+02:00 info:
    supervisor: {<0.1523.0>,tls_dyn_connection_sup}
    started: [{pid,<0.1525.0>},
              {id,receiver},
              {mfargs,
                  {ssl_gen_statem,start_link,
                      [client,<0.1524.0>,"idp.kivra.net",443,#Port<0.71>,
                       {#{psk_identity => undefined,log_level => notice,
                          eccs =>
                              {elliptic_curves,
                                  [{1,3,101,110},
                                   {1,3,101,111},
                                   {1,3,132,0,35},
                                   {1,3,36,3,3,2,8,1,1,13},
                                   {1,3,132,0,34},
                                   {1,3,36,3,3,2,8,1,1,11},
                                   {1,2,840,10045,3,1,7},
                                   {1,3,36,3,3,2,8,1,1,7}]},
                          verify_fun =>
                              {fun ssl_verify_hostname:verify_fun/3,
                               [{check_hostname,"idp.kivra.net"}]},
                          verify => verify_peer,secure_renegotiate => true,
                          early_data => undefined,protocol => tls,
                          supported_groups =>
                              {supported_groups,
                                  [x25519,x448,secp521r1,secp384r1,secp256r1,
                                   brainpoolP512r1tls13,brainpoolP384r1tls13,
                                   brainpoolP256r1tls13]},
                          fallback => false,depth => 100,
                          use_ticket => undefined,crl_check => false,
                          srp_identity => undefined,
                          alpn_advertised_protocols => undefined,
                          signature_algs_cert =>
                              [default,eddsa_ed25519,eddsa_ed448,
                               ecdsa_secp521r1_sha512,ecdsa_secp384r1_sha384,
                               ecdsa_secp256r1_sha256,
                               ecdsa_brainpoolP512r1tls13_sha512,
                               ecdsa_brainpoolP384r1tls13_sha384,
                               ecdsa_brainpoolP256r1tls13_sha256,
                               rsa_pss_pss_sha512,rsa_pss_pss_sha384,
                               rsa_pss_pss_sha256,rsa_pss_rsae_sha512,
                               rsa_pss_rsae_sha384,rsa_pss_rsae_sha256,
                               rsa_pkcs1_sha512,rsa_pkcs1_sha384,
                               rsa_pkcs1_sha256,
                               {sha512,ecdsa},
                               {sha384,ecdsa},
                               {sha256,ecdsa},
                               rsa_pkcs1_sha1],
                          signature_algs =>
                              [eddsa_ed25519,eddsa_ed448,
                               ecdsa_secp521r1_sha512,ecdsa_secp384r1_sha384,
                               ecdsa_secp256r1_sha256,
                               ecdsa_brainpoolP512r1tls13_sha512,
                               ecdsa_brainpoolP384r1tls13_sha384,
                               ecdsa_brainpoolP256r1tls13_sha256,
                               rsa_pss_pss_sha512,rsa_pss_pss_sha384,
                               rsa_pss_pss_sha256,rsa_pss_rsae_sha512,
                               rsa_pss_rsae_sha384,rsa_pss_rsae_sha256,
                               rsa_pkcs1_sha512,rsa_pkcs1_sha384,
                               rsa_pkcs1_sha256,
                               {sha512,ecdsa},
                               {sha384,ecdsa},
                               {sha256,ecdsa}],
                          cert_policy_opts => [],certs_keys => [],
                          handshake => full,
                          versions => [{3,4},{3,3}],
                          key_update_at => 388736063997,
                          crl_cache => {ssl_crl_cache,{internal,[]}},
                          reuse_sessions => true,max_handshake_size => 131072,
                          max_fragment_length => undefined,
                          renegotiate_at => 268435456,
                          customize_hostname_check =>
                              [{match_fun,#Fun<public_key.6.75820660>}],
                          cacerts =>
                              [<<48,130,5,100,48,130,3,76,160,3,2,1,2,2,16,83,
                                 213,207,230,25,147,11,251,43,5,18,216,194,42,
                                 162,164,48,13,6,9,42,134,72,134,247,13,1,1,12,
                                 5,0,48,76,49,46,48,44,6,3,85,4,3,12,37,65,116,
                                 111,115,32,84,114,117,115,116,101,100,82,111,
                                 111,116,32,82,111,111,116,32,67,65,32,82,83,
                                 65,32,84,76,83,32,50,48,50,49,49,13,48,11,6,3,
                                 85,4,10,12,4,65,116,111,115,49,11,48,9,6,3,85,
                                 4,6,19,2,68,69,48,30,23,13,50,49,48,52,50,50,
                                 48,57,50,49,49,48,90,23,13,52,49,48,52,49,55,
                                 48,57,50,49,48,57,90,48,76,49,46,48,44,6,3,85,
                                 4,3,12,37,65,116,111,115,32,84,114,117,115,
                                 116,101,100,82,111,111,116,32,82,111,111,116,
                                 32,67,65,32,82,83,65,32,84,76,83,32,50,48,50,
                                 49,49,13,48,11,6,3,85,4,10,12,4,65,116,111,
                                 115,49,11,48,9,6,3,85,4,6,19,2,68,69,48,130,2,
                                 34,48,13,6,9,42,134,72,134,247,13,1,1,1,5,0,3,
                               ...
                        % 11 000 (!) more lines
@eproxus eproxus added the bug Issue is reported as a bug label Aug 13, 2024
@IngelaAndin IngelaAndin added the team:PS Assigned to OTP team PS label Aug 14, 2024
IngelaAndin commented

Well, yes it is annoying. You can of course filter them out if you really want progress reporting on in the first place (I view it as a legacy debug feature). But for a long term solution I think that progress reporting should only be done for static parts of application supervisor trees.
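
One way to do the filtering mentioned in the comment above on affected versions, as an added example that is not part of the thread or of OTP: a logger primary filter that keeps progress reports from tls_dyn_connection_sup but replaces the child's start arguments (which carry cacerts) with their count. The module name tls_progress_filter is hypothetical, and the report shape (label {supervisor, progress}, a report list with supervisor and started entries) is assumed to match the supervisor output shown in the issue.

```erlang
%% Added example, not OTP code. Module name is hypothetical.
-module(tls_progress_filter).
-export([install/0, filter/2]).

%% Install as a primary filter so it runs before every handler.
%% The filter argument is the list of supervisor modules to redact.
install() ->
    logger:add_primary_filter(
      ?MODULE, {fun ?MODULE:filter/2, [tls_dyn_connection_sup]}).

%% Match supervisor progress reports only. Unregistered supervisors
%% are named {Pid, Module}, as in the log excerpt in the issue.
filter(#{msg := {report, #{label := {supervisor, progress},
                           report := Report} = R}} = Event, Mods) ->
    case lists:keyfind(supervisor, 1, Report) of
        {supervisor, {Pid, Mod}} when is_pid(Pid) ->
            case lists:member(Mod, Mods) of
                true ->
                    %% Pass on a modified event with the arguments removed.
                    Event#{msg := {report, R#{report := redact(Report)}}};
                false ->
                    ignore
            end;
        _ ->
            ignore
    end;
filter(_Event, _Mods) ->
    %% Not a progress report: let other filters decide.
    ignore.

%% Rewrite the {started, Child} entry, leaving everything else as is.
redact(Report) ->
    case lists:keyfind(started, 1, Report) of
        {started, Child} when is_list(Child) ->
            lists:keyreplace(started, 1, Report,
                             {started, strip_args(Child)});
        _ ->
            Report
    end.

%% {mfargs, {M, F, Args}} becomes {mfargs, {M, F, Arity}}, so the TLS
%% options map, including cacerts, never reaches the formatter.
strip_args(Child) ->
    case lists:keyfind(mfargs, 1, Child) of
        {mfargs, {M, F, Args}} when is_list(Args) ->
            lists:keyreplace(mfargs, 1, Child,
                             {mfargs, {M, F, length(Args)}});
        _ ->
            Child
    end.
```

Call tls_progress_filter:install() once at application start; returning stop instead of the modified event would drop these reports entirely.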

@IngelaAndin IngelaAndin added enhancement not a bug Issue is determined as not a bug by OTP labels Aug 14, 2024
@IngelaAndin IngelaAndin self-assigned this Aug 14, 2024
@IngelaAndin IngelaAndin added the Planned Focus issue added in sprint planning label Aug 14, 2024
@IngelaAndin IngelaAndin removed their assignment Aug 14, 2024
@IngelaAndin IngelaAndin self-assigned this Aug 23, 2024
IngelaAndin added a commit that referenced this issue Sep 2, 2024
…H-8715/OTP-19202

stdlib: Do not progress report dynamically started supervisors
IngelaAndin commented

#8741 merged
