feat: the option to expect a certain TLS error for the TCP monitor#6587
feat: the option to expect a certain TLS error for the TCP monitor#6587CommanderStorm merged 8 commits intolouislam:masterfrom
Conversation
|
Hi @louislam @CommanderStorm! 👋 Happy New Year 2026! 🎉🎊 Wishing you and the Uptime Kuma community a wonderful year ahead filled with success and great contributions! I'd really appreciate it if you could take a look when you have a moment. Please let me know if there are any changes needed or if you have any feedback! Thank you for maintaining such an amazing project! 🙏 |
|
how does it differ form the current tcp monitor? |
Hi @CommanderStorm! Great question! 👋 Key Differences from TCP MonitorThe main difference is the expected behavior on failure: TCP Monitor (existing)
TLS Monitor (new)
Use Case: mTLS VerificationFor mTLS endpoints, you want to verify the server correctly rejects connections without a client certificate. With the TCP monitor: With the TLS monitor: Why Not Extend TCP Monitor?
Summary
Let me know if you'd like me to make any changes or if you have other questions! |
|
Since TCP already supports TLS, introducing a separate “TLS monitor” needs a very clear justification. Please explain briefly what cannot be implemented in the existing TCP monitor without breaking its semantics or UX. To be explicit about expectations:
For those, I need human-written answers that demonstrate direct understanding of this codebase. Generic or AI-style responses undermine trust and make maintenance harder. If you want to continue this discussion, please respond concisely and in your own words. |
@CommanderStorm, thanks for the feedback. I'll try to explain my thinking. The main issue is that TCP monitor's logic is "connection works = UP". But for mTLS verification, I actually want the connection to fail in a specific way - that's the success case. Let me give a concrete example: I have an mTLS endpoint that should reject anyone without a client certificate. With TCP monitor, if the server rejects me (which is correct behavior), it shows as DOWN. But that's actually what I want to happen - the server is working correctly by rejecting me. So I need something that says "if the server returns a certificate_required TLS alert, that means it's properly configured and should be UP." That's basically the opposite of what TCP does. I looked at adding this to TCP, but it felt wrong. TCP is straightforward - "can I reach this port?" Adding "but sometimes failure is success" logic would make it confusing for existing users. Plus I'd need to add TLS alert parsing code that doesn't really belong there. I'm open to other approaches though. If you think there's a cleaner way to handle this within TCP (maybe a checkbox like "expect TLS rejection"?), I'm happy to try that instead. Just let me know what you'd prefer. |
|
I think adding it to TLS makes sense since there we already have some code for TLS. In general, I don't want two extremely close monitors due to bugs and things. |
|
A checkbox in the UI sounds resonable for this |
|
@CommanderStorm Thanks for the feedback! I've refactored the PR to integrate the TLS alert checking directly into the TCP monitor instead of creating a separate monitor type. Now there's just a dropdown in the TCP monitor settings called "Expected TLS Alert" - if you pick something like This keeps everything in one place and avoids the duplicate monitor type issue you mentioned. Let me know if this approach works better or if you'd like any changes. |
CommanderStorm
left a comment
CommanderStorm
left a comment
There was a problem hiding this comment.
Nice work!
Code looks very solid and mergable to me, but I would like a short sanitiy-check from @shanto on this one, if possible 😉
|
@CommanderStorm Please have a look at the updates and let me know your feedback. |
CommanderStorm
left a comment
CommanderStorm
left a comment
There was a problem hiding this comment.
LGTM from the code perspecitve, as said.
I would really like to have testcases for this. Does not have to be a long testcase, just verifying basic functionality (similarly how the existing testcase works).
Also, could you comment on the TLS_ALERT_CODES question that I had (this is not a quesion if this should be changed, more of a why you chose to do it like this)
Add a new TLS monitor type that allows monitoring mTLS endpoints to verify they properly reject connections without client certificates. Features: - New TLS monitor type with hostname and port configuration - Expected TLS Alert dropdown to specify which TLS alert to expect - Support for certificate_required (116) alert for mTLS verification - Optional certificate expiry monitoring when connection succeeds - Ignore TLS errors option Closes louislam#5837
Per CommanderStorm's feedback, instead of creating a separate TLS monitor type, add the TLS alert checking functionality directly to the existing TCP monitor. Changes: - Add TLS_ALERT_CODES, parseTlsAlertNumber(), getTlsAlertName() to tcp.js - Add checkTlsAlert() method to TCPMonitorType for mTLS verification - Add 'Expected TLS Alert' dropdown to TCP monitor UI - Remove separate TLS monitor type (tls.js) This allows users to verify mTLS endpoints reject connections without client certificates by expecting specific TLS alerts like 'certificate_required'. Closes louislam#5837
- Use i18n-t for description with code tag and RFC 8446 spec link - Add comment that TLS alert names are from spec (not translatable) - Refactor TCP monitor into smaller functions: - checkTcp() for standard TCP connectivity check - performStartTls() for STARTTLS handshake - checkTlsCertificate() for TLS certificate validation - attemptTlsConnection() for TLS connection with alert capture - Improve error messages with more context
Error messages could be translated, but TLS alert names (e.g., certificate_required) are from RFC 8446 spec and should remain in English for consistency.
- Test rejection when expecting TLS alert but connection succeeds - Test UP status when expected TLS alert is received - Test rejection when different TLS alert is received than expected
…ernal servers - Replace client.badssl.com tests with unit tests for parseTlsAlertNumber and getTlsAlertName - Export helper functions for testing - Keep one integration test for connection success scenario
External services like smtp.gmail.com and xmpp.earth can be unreliable in CI environments. Added retry logic (up to 3 attempts) to prevent false test failures due to network issues.
MkDev11
force-pushed
the
tls-monitor-type
branch
from
4006d85 to
d88a9e8
Compare
|
@CommanderStorm please review the update and let me know your feedback |
CommanderStorm
left a comment
CommanderStorm
left a comment
There was a problem hiding this comment.
LGTM, thank you ❤️
CommanderStorm
changed the title
|
Looks like we are missing a positive test case. Also, while what has been done (added) doesn't harm, I have a feeling that the same result could be achieved with less code and UI changes because we will almost always care about the certificate_required and nothing else. Other cases are synonymous to DOWN. |
3 participants
feat: add TLS monitor type for mTLS endpoint monitoring
Summary
Adds a new TLS monitor type that allows monitoring mTLS endpoints to verify they properly reject connections without client certificates.
Closes #5837
Features
certificate_required(116) alert for mTLS verificationUse Case
Users can now:
certificate_required)Files Changed
server/monitor-types/tls.jsserver/uptime-kuma-server.jsserver/server.jsserver/model/monitor.jssrc/pages/EditMonitor.vuesrc/lang/en.jsondb/knex_migrations/2026-01-05-0000-add-tls-monitor.jsScreenshots
To be added after testing
Checklist
npm run lint)npm test)en.jsononlyTesting Instructions
npm cito install dependenciesnpm run devto start dev serverContribution by Gittensor, see my contribution statistics at https://gittensor.io/miners/details?githubId=94194147