From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id B30991FF142 for ; Fri, 22 May 2026 16:30:48 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id C6155DE23; Fri, 22 May 2026 16:30:47 +0200 (CEST) From: Shannon Sterz To: pbs-devel@lists.proxmox.com Subject: [PATCH proxmox] client: clarify error message on mismatching fingerprint further Date: Fri, 22 May 2026 16:30:41 +0200 Message-ID: <20260522143042.451415-1-s.sterz@proxmox.com> X-Mailer: git-send-email 2.47.3 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1779460224446 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.112 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Message-ID-Hash: 5B65KUSO4PSHAPKYQTTMCXBLKDFHGXOL X-Message-ID-Hash: 5B65KUSO4PSHAPKYQTTMCXBLKDFHGXOL X-MailFrom: s.sterz@proxmox.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.10 Precedence: list List-Id: Proxmox Backup Server development discussion List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: Signed-off-by: Shannon Sterz --- Notes: ideally we could add more context to the error message exposed to the user in the ui, such as the bad fingerprint. sadly it isn't accessible at that point anymore so my best attempt at solving this is to re-direct users to the syslog where such context can be logged. however, that also makes the error message there very verbose for something that will get logged every two seconds or so. since a fix for the rotation case is already in on my to-do list, im not sure if this is the best approach. however, im also uncertain what else we can do in the short term. proxmox-client/src/client.rs | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/proxmox-client/src/client.rs b/proxmox-client/src/client.rs index 0f014cd5..9cee8ddd 100644 --- a/proxmox-client/src/client.rs +++ b/proxmox-client/src/client.rs @@ -556,6 +556,12 @@ fn verify_fingerprint(chain: &x509::X509StoreContextRef, expected_fingerprint: & if expected_fingerprint != fp.as_ref() { log::error!("bad fingerprint: {}", fp_string(&fp)); log::error!("expected fingerprint: {}", fp_string(expected_fingerprint)); + log::error!( + r#"If this fingerprint has worked before, it is possible that it changed on the remote +side. This can happen, for example, if the remote rotates it's certificate regularly. +If you are sure no machine-in-the-middle attack (MitM) occured, it is safe to set the +above 'bad fingerpint' as the new fingerprint for the remote."# + ); return false; } @@ -588,9 +594,9 @@ fn classify_client_error(err: anyhow::Error) -> Error { if let Some(ssl_err) = cause.downcast_ref::() { return Error::Connect( format!( - "Could not establish a TLS connection. Check \ - whether the fingerprint matches or the certificate is valid. \ - OpenSSL Error: {ssl_err}" + "Could not establish a TLS connection. Check whether the fingerprint matches or \ + the certificate on the remote is valid. The system log might also contain more \ + information. OpenSSL Error: {ssl_err}" ) .into(), ); -- 2.47.3