Create a decoder for incoming TLS Error Report data in the new data pipeline



Telemetry Server
2 years ago
a year ago


(Reporter: mgoodwin, Assigned: mgoodwin)



Firefox Tracking Flags

(firefox47 affected)




2 years ago
TLS Error reports are small JSON documents containing the following information:

"build":"20160105164030", // the build ID of the client
"channel":"release", // the release channel the client is on
"errorCode":-8054, // the error that cause the TLS failure
"failedCertChain":[], // if there's a cert chain, this will contain base64 encoded certs
"hostname":"", // The hostname the client attempted to connect to
"port":"", // If the connection was to a non-standard port, what was it?
"product":"Firefox", // Which product is this?
"timestamp":1455192160, // At what time does the client think it sent the report
"userAgent":"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0", // The UA string
"version":1 // what version of the report schema is this?

There are two things we'd want to do to this data at collection time:
1) Record the difference between what time the client thinks it is and the server time (many TLS errors are as a result of clock issues on the client)
2) Unpack useful information from the certificate chain. In particular:
 - From the root; what is the subject, public key hash
 - From the end-entity; what is the subject, what are the SANs. Do any of the subject / SANs match the hostname.

Comment 1

2 years ago
I have code. How do I get this deployed?
Flags: needinfo?(whd)

Comment 2

2 years ago
(In reply to Mark Goodwin [:mgoodwin] from comment #1)
> I have code. How do I get this deployed?

Please either attach it to this bug or send a pull request to the data-pipeline repo at

You'll want to put the new decoder into the 'heka/sandbox/decoders' directory.


2 years ago
Flags: needinfo?(whd)

Comment 3

2 years ago
Changes were made to Lua-openssl to allow for the host checks. See

The PR for the data-pipeline additions is here:

Comment 4

a year ago
PR was merged
Last Resolved: a year ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.