Enhance TLS handshake error message with additional details from previous exception (#385)

luzrain · web-flow · commit 5dedc819ac4a · 2025-03-06T07:00:50.000+01:00
diff --git a/src/Connection/DefaultConnectionFactory.php b/src/Connection/DefaultConnectionFactory.php
@@ -133,10 +133,15 @@ public function create(Request $request, Cancellation $cancellation): Connection
             } catch (StreamException $streamException) {
                 $socket->close();
 
+                $errorMessage = $streamException->getMessage();
+                \preg_match('/error:[0-9a-f]*:[^:]*:[^:]*:(.+)$/i', $errorMessage, $matches);
+                $errorMessage = \trim($matches[1] ?? \explode('():', $errorMessage, 2)[1] ?? $errorMessage);
+
                 throw new SocketException(\sprintf(
-                    "Connection to '%s' @ '%s' closed during TLS handshake",
+                    "Connection to '%s' @ '%s' closed during TLS handshake: %s",
                     $authority,
-                    $socket->getRemoteAddress()->toString()
+                    $socket->getRemoteAddress()->toString(),
+                    $errorMessage,
                 ), 0, $streamException);
             } catch (CancelledException) {
                 $socket->close();
diff --git a/test/ClientBadSslIntegrationTest.php b/test/ClientBadSslIntegrationTest.php
@@ -0,0 +1,47 @@
+<?php declare(strict_types=1);
+
+namespace Amp\Http\Client;
+
+use Amp\PHPUnit\AsyncTestCase;
+
+final class ClientBadSslIntegrationTest extends AsyncTestCase
+{
+    private HttpClient $client;
+
+    protected function setUp(): void
+    {
+        parent::setUp();
+
+        $this->client = (new HttpClientBuilder)->retry(0)->build();
+    }
+
+    public function testSelfSignedCertificate(): void
+    {
+        $request = new Request('https://self-signed.badssl.com/');
+
+        $this->expectException(SocketException::class);
+        $this->expectExceptionMessageMatches("/^Connection to 'self-signed.badssl.com:443' @ '.+' closed during TLS handshake: certificate verify failed$/");
+
+        $this->client->request($request);
+    }
+
+    public function testWrongHostCertificate(): void
+    {
+        $request = new Request('https://wrong.host.badssl.com/');
+
+        $this->expectException(SocketException::class);
+        $this->expectExceptionMessageMatches("/^Connection to 'wrong.host.badssl.com:443' @ '.+' closed during TLS handshake: Peer certificate CN=`\*.badssl.com' did not match expected CN=`wrong.host.badssl.com'$/");
+
+        $this->client->request($request);
+    }
+
+    public function testDhKeyTooSmall(): void
+    {
+        $request = new Request('https://dh512.badssl.com/');
+
+        $this->expectException(SocketException::class);
+        $this->expectExceptionMessageMatches("/^Connection to 'dh512.badssl.com:443' @ '.+' closed during TLS handshake: dh key too small$/");
+
+        $this->client->request($request);
+    }
+}
