Getting errors from SSL isn’t easy. Sometimes, I think that so much encryption has wrapped things up and error reporting are treated as secret information that must be withheld. The root of the problem is that SSL doesn’t really have a way for the two communicating parties to tell each other: “I don’t trust you because you wear glasses.” There are some well known error codes, but, for the most part, you’ll get a connection abort. I want to see what it would take to provide good error handling for network protocol using SSL that handles:
No certificate provided.
Expired/not yet valid certificate provided.
Unfamiliar certificate provided.
In order to do that, we must provide this error handling at a higher level than SSL. Therefore, we need to provide something in a higher layer. In this protocol, the first thing that the server will send to the client on connection will be “OK\r\n" if everything is okay, or some error string that will explain the issue, otherwise. This turned out to be rather involved, actually.