Verification of `ssl` client / server options could be more user friendly

[lukebakken]

Is your feature request related to a problem? Please describe.

A RabbitMQ user just reported that they ran into the following error while trying to set up a shovel between two systems, using Erlang 26:

Shovel 'shovel.mw.out.sdp.ack.amqps' failed to connect (URI: amqps://xx.x.x.xx:5678/UAT2): {options,incompatible,[{verify,verify_peer},{cacerts,undefined}]}

Note, this shovel is a TLS-encrypted TCP connection between the systems. At its core, it uses ssl:connect to establish the TLS encryption. This user did not specify any TLS parameters so I was surprised to see the [{verify,verify_peer},{cacerts,undefined}] options in the error message.

Then, I tried to reproduce the issue using Erlang 25, and it did not happen. AHA, I thought, I know Erlang 26 does additional option verification, so I then tried a connect from the Erlang 26.2.1 shell, and got the same error:

Erlang/OTP 26 [erts-14.2.1] [source] [64-bit] [smp:16:16] [ds:16:16:10] [async-threads:1] [jit:ns]

Eshell V14.2.1 (press Ctrl+G to abort, type help(). for help)
1> ssl:start(), ssl:connect("google.com", 443, []).
{error,{options,incompatible,
                [{verify,verify_peer},{cacerts,undefined}]}}

This is buried in the documentation here - https://www.erlang.org/doc/man/ssl#type-client_verify_type

So here I am, a relatively experienced Erlang user that got thrown for a loop by an error message. This isn't the first time this has happened with Erlang 26

The especially confusing part of this error is that, by default, the ssl:connect/3 options are incompatible with themselves!

ssl:connect/2 generates the following (😱😱😱):

4> ssl:connect("google.com", 443).
** exception error: no function clause matching proplists:expand([{binary,[{mode,binary}]},{list,[{mode,list}]}],infinity) (proplists.erl, line 502)
     in function  ssl:split_options/2 (ssl.erl, line 2502)
     in call from ssl:handle_options/5 (ssl.erl, line 1659)
     in call from ssl:connect/4 (ssl.erl, line 631)

Describe the solution you'd like

ssl option verification could provide better error messages. In the above case, the error could have specified that the verify_peer option requires that CA certificates be provided somehow.

ssl:connect/2 should not crash when used.

[dgud]

In the above case, the error could have specified that the verify_peer option requires that CA certificates be provided somehow.

I do think that the error message does exactly that with a bit of thinking:
{error,{options,incompatible, [{verify,verify_peer},{cacerts,undefined}]}}
I have reduced the number of different errors you could to get from bad options to a fewer number
than before.

So yes, we have done SSL more secure by default, because people (e.g. rebar3 and probably you above)
thought they where using SSL (or HTTPC) in a safe way when not providing any options i.e. with old the default
{verify, verify_none}.
Which was not the case since you have no idea if SSL is talking to the correct host or not without verifying it.

By default, the ssl:connect/3 options are incompatible with themselves!

Yes, as explained above you will need to supply cacerts to connect/3 or you need to turn off verifying the host.
But you will have to make that choice, SSL cannot do that for you.

We added default cacerts to HTTPC when no cacerts are provided, but SSL can't do that since SSL clients are used to
connect to other things then websites so SSL have no idea if those are the correct cacerts for your application.

Maybe RabbitMQ should provide default default cacerts as HTTPC does, I don't know that is up to you to decide.

ssl:connect/2 generates the following:

That we can improve.

{error,{option,server_only,fail_if_no_peer_cert}}

The old one you linked to gave a pretty good clue of what was wrong,
which you understood directly when you saw it.

I can understand you where confused with erlang distribution handling of the error which might be hard to debug,
but you can't blame the SSL app for that or was it wrong to improve the error checking in the options?

Both of these examples where stated in the release notes.

[lukebakken]

or was it wrong to improve the error checking in the options?

Of course not, and making verify_peer the default is correct, as well. However, the errors reported are not intuitive.

Both of these examples where stated in the release notes.

Number one, nobody reads release notes 😉 ask the RabbitMQ team how we know...

The current error behavior will confuse users, but at least now I know what to do in this particular case. In the future, if I see other cases where users are confused by OTP 26's behavior, I will follow-up. Maybe this case will be the last one.