Handshake failed errors & additional information

We're getting quite a few handshake failed errors from the controller lately.
I assume this is because of unsolicited requests on controller port 8441.
Is there a way to get more information about the request that was attempted, e.g. an IP address?
{"_context":"tls:0.0.0.0:8441","error":"remote error: tls: error decrypting message","file":"github.com/openziti/transport/v2@v2.0.109/tls/listener.go:216","func":"github.com/openziti/transport/v2/tls.(*sharedListener).processConn","level":"error","msg":"handshake failed","time":"2023-11-05T13:37:17.078Z"}

If you look for "tls" in the logs, you will generally see other particular error messages that do include the ip information of the inbound request, like

"msg":"error receiving hello from [tls:181.115.171.87:58952]

It does appear that specific message of the handshake failed doesn't include the context of the connecting address. Looking at some other examples, I see

"error":"tls: first record does not look like a TLS handshake"

Immediately after, so it may be a very basic connection, not even trying TLS and therefore lacking context, but you can open a GitHub issue, and if the context is there and not logged, it can be added.

1 Like
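The approach described in the reply above, searching the controller logs for "tls" errors and reading the peer address out of the "error receiving hello from [tls:IP:PORT]" messages, as an added example that is not part of the original post or of the OpenZiti project. The sample log lines are constructed here, modelled on the JSON line quoted in the question, and use RFC 5737 documentation addresses rather than real clients. The "guess_peers" pairing of an address-less "handshake failed" record with the next addressed error from the same listener is an assumption based on the observation that the two tend to appear back to back; it is a heuristic, not something the controller guarantees.

```python
import json
import re
from collections import Counter
from datetime import datetime

# Constructed sample log, modelled on the controller's JSON log format.
# Field names follow the "handshake failed" line quoted in the question;
# the client addresses are RFC 5737 documentation addresses (not real peers).
SAMPLE_LOG = """\
{"_context":"tls:0.0.0.0:8441","error":"remote error: tls: error decrypting message","level":"error","msg":"handshake failed","time":"2023-11-05T13:37:17.078Z"}
{"_context":"tls:0.0.0.0:8441","error":"tls: first record does not look like a TLS handshake","level":"error","msg":"error receiving hello from [tls:198.51.100.23:58952]","time":"2023-11-05T13:37:17.080Z"}
{"_context":"tls:0.0.0.0:8441","error":"tls: first record does not look like a TLS handshake","level":"error","msg":"error receiving hello from [tls:198.51.100.23:58960]","time":"2023-11-05T13:37:18.002Z"}
{"_context":"tls:0.0.0.0:8441","error":"EOF","level":"error","msg":"error receiving hello from [tls:203.0.113.7:41000]","time":"2023-11-05T13:38:01.500Z"}
{"level":"info","msg":"router connected","time":"2023-11-05T13:38:02.000Z"}
not a json line at all
"""

# Matches the "[tls:HOST:PORT]" fragment seen in the "error receiving hello" messages.
ADDR_RE = re.compile(r"\[tls:(?P<host>[^\]]+):(?P<port>\d+)\]")


def _parse_time(stamp):
    # Timestamps in the sample are UTC with millisecond precision and a trailing Z.
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ")


def parse_log(text):
    """Yield one dict per line that parses as a JSON object; skip everything else."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # non-JSON noise (e.g. stack traces) is ignored
        if isinstance(rec, dict):
            yield rec


def tls_errors(text):
    """Return error records from TLS listeners, sorted by time, with the peer
    address extracted from the message when the message carries one."""
    events = []
    for rec in parse_log(text):
        if rec.get("level") != "error" or "time" not in rec:
            continue
        if not rec.get("_context", "").startswith("tls:"):
            continue
        m = ADDR_RE.search(rec.get("msg", ""))
        events.append({
            "time": _parse_time(rec["time"]),
            "msg": rec.get("msg", ""),
            "error": rec.get("error", ""),
            "peer": (m.group("host"), int(m.group("port"))) if m else None,
        })
    events.sort(key=lambda e: e["time"])
    return events


def peers_by_count(text):
    """Count how many addressed TLS errors each peer IP produced."""
    counts = Counter()
    for ev in tls_errors(text):
        if ev["peer"] is not None:
            counts[ev["peer"][0]] += 1
    return counts


def guess_peers(events, window_seconds=2.0):
    """Heuristic (assumption, not controller behaviour): attribute each
    address-less error to the next addressed error within the window."""
    guesses = []
    for i, ev in enumerate(events):
        if ev["peer"] is not None:
            continue
        guess = None
        for later in events[i + 1:]:
            if (later["time"] - ev["time"]).total_seconds() > window_seconds:
                break
            if later["peer"] is not None:
                guess = later["peer"][0]
                break
        guesses.append((ev["msg"], guess))
    return guesses


if __name__ == "__main__":
    for ip, n in peers_by_count(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} TLS error(s)")
    for msg, ip in guess_peers(tls_errors(SAMPLE_LOG)):
        print(f"{msg!r} -> probably {ip}")
```

Pointing the script at a real controller log (for example by reading the file instead of SAMPLE_LOG) gives a per-IP count of the unsolicited connections hitting port 8441, which is usually enough to decide whether a firewall rule is warranted; the guessed attribution for address-less lines should be treated as a hint to look at the neighbouring log lines, not as evidence on its own.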

To build on what Mike wrote, you'll also see this error pop out when using the ziti CLI, since it usually will use username/password for auth and not certificate-based auth.

Another option you can take would be to turn your control plane dark by separating it from the public and making it accessible exclusively via ziti itself. There's a Ziti TV on that https://www.youtube.com/watch?v=FI4byEDg344 and we actually discussed that a while back here, Making ZAC dark - #23 by TheLumberjack, as well.

1 Like