Handshake failed errors & additional information

We're getting quite a couple of handshake failed errors from the controller lately.
I assume, this is because of unsolicited requests on controller port 8441.
Is there a way to get more information of the request that was tried, e.g. an IP address?
{"_context":"tls:","error":"remote error: tls: error decrypting message","file":"github.com/openziti/transport/v2@v2.0.109/tls/listener.go:216","func":"github.com/openziti/transport/v2/tls.(*sharedListener).processConn","level":"error","msg":"handshake failed","time":"2023-11-05T13:37:17.078Z"}

If you look for "tls" in the logs, you will generally see other particular error messages that do include the ip information of the inbound request, like

"msg":"error receiving hello from [tls:]

It does appear that specific message of the handshake failed doesn't include the context of the connecting address. Looking at some other examples, I see

"error":"tls: first record does not look like a TLS handshake"

Immediately after, so it may be a very basic connection, not even trying TLS and therefore lacking context, but you can open a Github issue, and if the context is there and not logged, it can be added.

1 Like

To build on what Mike wrote, you'll also see this error pop out when using the ziti CLI since it usually will use username/password for auth and not, not certificate-based auth.

Another option you can take, would be to turn your control plane dark by separating it from the public and making it accessible exclusively via ziti itself. There's a Ziti TV on that https://www.youtube.com/watch?v=FI4byEDg344 and we actually discussed that a while back here Making ZAC dark - #23 by TheLumberjack as well.

1 Like