Merge pull request #15 from internetee/log-handshake-errors

Log handshake errors
2025-08-14 11:43:45 +02:00 · 2019-07-29 11:30:51 +03:00 · 2019-07-29 11:30:51 +03:00 · 036c63b3c6
commit 036c63b3c6
parent fa9f9e00e4 0231aae270
13 changed files with 182 additions and 31 deletions
--- a/1
+++ b/1
@ -31,6 +31,7 @@ RUN apt-get update && apt-get install -y \
  libc-dev \
  perl=* \
  procps=* \
+  inotify-tools=* \
  libssl1.0.0=* \
  perl-base=* \
  && apt-get clean \
--- a/README.md
+++ b/README.md
@ -139,7 +139,8 @@ tests, there is a small Roda application located in `apps/epp_proxy/priv/test_ba
 It has been written with Ruby 2.6.3.

 There is also a number of generated ssl certificates that are used only for testing. Those are
-valid until 2029 and they are located in `apps/epp_proxy/priv/test_ca`.
+valid until 2029 and they are located in `apps/epp_proxy/priv/test_ca`. The password for test CA
+is `password`.

 You need to start the backend application before running the test suite. To start it as a deamon,
 from the root folder of the project, execute:
--- a/apps/epp_proxy/priv/test_ca/certs/client.crt.pem
+++ b/apps/epp_proxy/priv/test_ca/certs/client.crt.pem
@ -0,0 +1,35 @@
+-----BEGIN CERTIFICATE-----
+MIIGGjCCBAKgAwIBAgICEAgwDQYJKoZIhvcNAQELBQAwgZUxCzAJBgNVBAYTAkVF
+MREwDwYDVQQIDAhIYXJqdW1hYTEQMA4GA1UEBwwHVGFsbGlubjEjMCEGA1UECgwa
+RWVzdGkgSW50ZXJuZXRpIFNpaHRhc3V0dXMxGjAYBgNVBAMMEWVwcF9wcm94eSB0
+ZXN0IGNhMSAwHgYJKoZIhvcNAQkBFhFoZWxsb0BpbnRlcm5ldC5lZTAeFw0xOTA3
+MjkwNzUxNTdaFw0yOTA3MjYwNzUxNTdaMH4xCzAJBgNVBAYTAkVFMREwDwYDVQQI
+DAhIYXJqdW1hYTEjMCEGA1UECgwaRWVzdGkgSW50ZXJuZXRpIFNpaHRhc3V0dXMx
+FTATBgNVBAMMDHJldm9rZWQgY2VydDEgMB4GCSqGSIb3DQEJARYRaGVsbG9AaW50
+ZXJuZXQuZWUwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDaFYIwYpsK
+1lCpebo8lR+hBfPg5K1OM7UkE6yNV54UYH1xPUk2iZLxoCnCYZdrfFtzwEfnU+ot
+rv6x+QzNh139bTupaUhetlbHBc/YO4Dp7MEF30wjjLGOacNmlsQi9RhGbegxqoJq
+PB0mEq1ZSPQqsmBs8QxYoL3FhNVJrXvPBCXF2hmf0z+0LbScXRZ8CV5e7PAji5Oe
+LomIPGe9CmVMWRH0JNvLETAEJG0iUPys/zXyBxz9rx9iPAmFhLy4srtvIFQG3tMc
+Xu2r8Vyap7BpaEs4CV36fmWHMQ5xVQgLOAhCKbD7uY2v+gKY6w6dQh1Vm1b9qD1N
+Vk8isJ5WnT5Z4EFvaMq5gGGj1TaTBi4QOie6KVP8iavOKYYkdOoa60XLTtEa5s9b
+cWPS1Bcnl43WR/pPonVvLY3N0VuCjXDwp60GHBGNsVpPa/bUF5wr6BsT7VScFsPM
+QG3Gmc4Kc+jxKj3ysz5yVvIL1v9MzN5tdoHX5MNglP0jtNn7sTBZc8sJg5DGALds
+7d64W1qTRrR41Cu78IUS7iRJRCXU4NLbyzV+BhEyDhiF8TGm+IGVXE+EAHQMXKjt
+Ruzjasf5071bf/eOe50kgVrYDc/JZ2/lJJ/S4cdolz+5PcbExTzdwAeSA/oXKSm6
+2ahveDRn8n6xNHSltjnAWo//9o6WCKHAEQIDAQABo4GJMIGGMAkGA1UdEwQCMAAw
+CwYDVR0PBAQDAgXgMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBD
+ZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUBbVpSL7xVkMpbVxGydzX3snO820wHwYDVR0j
+BBgwFoAU/XfmSnO9pTxls7nPtRWVWQhkaBAwDQYJKoZIhvcNAQELBQADggIBAIrJ
+NfPxjQBCE8sCNYRHj9wbtKb2oBFbz1w1irqi+C7kGhn+sfukmhgPA6L7T84DICon
+nUhl35IX6DuKCqA+G1kGSG7WKfxK8xLxWt5oK5wH63qrrTcezYTmRnFlyIeIyIOm
+Edi6HjVwl3x30aMc5DaC4eOjXJ3JReg5OubQOpBUYCswh8JTR5JCj+ircHiMfbxn
+DO40D431madj/qATR/vZt8UYy53hTSQrIed4EeSD5G3OtnDWfvGwoTdwfnDiDZuO
+auHpUiV0EP1E2P4N06TQWWEEA1cslKNhC9SbTLXlinM9d7QF2wJJ6fiOuUSganYg
+ov9nt6hCTaVC12YTyIO3ZaRIy2KVTtUz0k0ECoiUrF03xqgZrPvixSVokBZnA3uQ
+eBAt2Woi1H9ZR7dhnxG6Fbaf/upiQ3U/kHtW24YG3lmkyhAu5OKpQpqJWXabfnbl
+QRt3HKcGdD1ytUsRpuMJ6Chtai9d5plPOkhcVgWPuawXBSHh4QHaEnEdqgpt3l3j
+WwS2UUiewAbaLCv53LBL+6RRjlcKUInJp/zVRrpdq8hxX48sHCpSIwOckG1wANN2
+68q1LzIWSaKG4LDE4E79FpWT8lnI6ccl0Xo0sbFvOaqMkIFJNXw60HWpUAbjIBTF
+9iuftwIPUbl3aiHR0IQns8Rwk9YUu1lzWe5yn2Nj
+-----END CERTIFICATE-----
--- a/apps/epp_proxy/priv/test_ca/certs/webclient.crt.pem
+++ b/apps/epp_proxy/priv/test_ca/certs/webclient.crt.pem
--- a/apps/epp_proxy/priv/test_ca/crl/crl.pem
+++ b/apps/epp_proxy/priv/test_ca/crl/crl.pem
@ -1,21 +1,22 @@
 -----BEGIN X509 CRL-----
-MIIDfTCCAWUCAQEwDQYJKoZIhvcNAQELBQAwgZUxCzAJBgNVBAYTAkVFMREwDwYD
+MIIDkjCCAXoCAQEwDQYJKoZIhvcNAQELBQAwgZUxCzAJBgNVBAYTAkVFMREwDwYD
 VQQIDAhIYXJqdW1hYTEQMA4GA1UEBwwHVGFsbGlubjEjMCEGA1UECgwaRWVzdGkg
 SW50ZXJuZXRpIFNpaHRhc3V0dXMxGjAYBgNVBAMMEWVwcF9wcm94eSB0ZXN0IGNh
-MSAwHgYJKoZIhvcNAQkBFhFoZWxsb0BpbnRlcm5ldC5lZRcNMTkwNzExMTMxMTM0
-WhcNMjkwNzA4MTMxMTM0WjBpMBMCAhACFw0xOTA1MjkwNjM5MTJaMBMCAhADFw0x
+MSAwHgYJKoZIhvcNAQkBFhFoZWxsb0BpbnRlcm5ldC5lZRcNMTkwNzI5MDc1NTA5
+WhcNMjkwNzI2MDc1NTA5WjB+MBMCAhACFw0xOTA1MjkwNjM5MTJaMBMCAhADFw0x
 OTA1MjkwODQxMDJaMBMCAhAEFw0xOTA1MzExMTI0NTJaMBMCAhAFFw0xOTA1MzEx
-MTQyMjJaMBMCAhAGFw0xOTA1MzExMjQzNDlaoDAwLjAfBgNVHSMEGDAWgBT9d+ZK
-c72lPGWzuc+1FZVZCGRoEDALBgNVHRQEBAICEAgwDQYJKoZIhvcNAQELBQADggIB
-ACv4opvBcQoCEkiKhVlr5bSq0vAVaTu1FloKTay0xsgDGSqQDnPR/B7ELSyoYo2A
-iBuSrQREyvXOtZhlQyTHwCDnAjpgGDGdRbRJAhhbWA9/MC4oqyJLjOFxLspX2S7E
-Fq4F/DbUZaW8niGGCcAUf8QnilaJLEhUT7qIJW2DpyFLd/1qLK81PBO8VW4fbKQI
-z2LsrA3NijW+W192LMvHLKnE47ifW1PLM0dJimkVNrkS42ACuwnCOLfLJsIg9aRe
-QsI1CY+L1F2tROedUFo6noffnm+SyMapna4SEXlQTaA1kfLtLOGVhXpBAgcewIsY
-DQQCTn4oEAhZroZMPYJXYXC/pNSMUEBifXR2akO7eE5kLBgf11ZfhuEUqperviiJ
-yLNzoakh3eMazIo5Qr8ZinMWP8HHZJI8GmOvJtVKAvOFmXkVm++Cnl/Ovp8skrTD
-AibySMZSTgoAc+ynZYI5q6HZxJWXN/PQ/++hFyOW9aG1DTLGpV6rO+O4zNldmUIO
-DTu+dUmKNamp1a6GcaY5xLSQTfV8InetxwF+gazvcmtEnqagH64EseSz4RZQLtRc
-kAZLho1rPE35Ok/2eswMvQ9hOkQ7tX9dO35HYoHoVKUzdiBaPP3PCDeCC/Ei5C2n
-Z1rfbtOFwF/36qyz7o+YqHaWHVc9W/koRjtrmXA1soJ2
+MTQyMjJaMBMCAhAGFw0xOTA1MzExMjQzNDlaMBMCAhAHFw0xOTA3MjkwNzU0MzRa
+oDAwLjAfBgNVHSMEGDAWgBT9d+ZKc72lPGWzuc+1FZVZCGRoEDALBgNVHRQEBAIC
+EAkwDQYJKoZIhvcNAQELBQADggIBAEk9pyZjqyYUdnA0Sv7RyevRUQGKbbf3EXdv
+JLDyvI9rpoyuWPkMT6vPsYght0cf/wO7oaEK/uustvFEYQiJss60jI0XuczWypk9
+paKu3LhIy6Drm3locY2k0ESrgP9IwNzS5Xr0FiaWRIozbkcawte8M4Nqe8BO5prk
+/5sLjv3eFnD7E445tZhu3vmXkD50FT3PLHVBEz4yS6Fx6nTiv+9QUu8NGf+bc6+o
+YKPMy6Lh/wGC7p6sZJCOCjfzLAcqWfB2EW6XU8WeQcQCZ0au7zvZjQownCS9CeJV
+KVsC4QiUt97FxR2gcEN2GJesywIF11X9o8s1K/Hz3+rrtU1ymoMLeumaRW24z35A
+zVsdNwRfSPmt1qHlyaJaFhKG6jw5/nws+/wGFycIjWK0DSORiGCYdKD0cCjKJbNO
+2QJnJlNOaCUUj8ULyiFOtZvdadc4JVW42NI/F+AFy/bnBK0uH6CenK5XwX3kEMme
+KD8b5reUcVRhQdVJdAABFJlihIg05yENI7hlH1CKfy4vmlBKl+M2mW9cmNO8O6uS
+KMH8/wLuLga9gYziNT1RmVNFbnpF0hc6CFtSnlVXXTlU/TrxheH8ykrHQhKEkQj+
+3krObDFDCUMKmaGu2nxRYZwLXzUe3wVl1SAxw0eEGyON/N83sLYlcrwWTVzRG3Z7
+RqRHPn+h
 -----END X509 CRL-----
--- a/apps/epp_proxy/priv/test_ca/csrs/client.csr.pem
+++ b/apps/epp_proxy/priv/test_ca/csrs/client.csr.pem
@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIE1jCCAr4CAQAwgZAxCzAJBgNVBAYTAkVFMREwDwYDVQQIDAhIYXJqdW1hYTEQ
+MA4GA1UEBwwHVGFsbGlubjEjMCEGA1UECgwaRWVzdGkgSW50ZXJuZXRpIFNpaHRh
+c3V0dXMxFTATBgNVBAMMDHJldm9rZWQgY2VydDEgMB4GCSqGSIb3DQEJARYRaGVs
+bG9AaW50ZXJuZXQuZWUwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDa
+FYIwYpsK1lCpebo8lR+hBfPg5K1OM7UkE6yNV54UYH1xPUk2iZLxoCnCYZdrfFtz
+wEfnU+otrv6x+QzNh139bTupaUhetlbHBc/YO4Dp7MEF30wjjLGOacNmlsQi9RhG
+begxqoJqPB0mEq1ZSPQqsmBs8QxYoL3FhNVJrXvPBCXF2hmf0z+0LbScXRZ8CV5e
+7PAji5OeLomIPGe9CmVMWRH0JNvLETAEJG0iUPys/zXyBxz9rx9iPAmFhLy4srtv
+IFQG3tMcXu2r8Vyap7BpaEs4CV36fmWHMQ5xVQgLOAhCKbD7uY2v+gKY6w6dQh1V
+m1b9qD1NVk8isJ5WnT5Z4EFvaMq5gGGj1TaTBi4QOie6KVP8iavOKYYkdOoa60XL
+TtEa5s9bcWPS1Bcnl43WR/pPonVvLY3N0VuCjXDwp60GHBGNsVpPa/bUF5wr6BsT
+7VScFsPMQG3Gmc4Kc+jxKj3ysz5yVvIL1v9MzN5tdoHX5MNglP0jtNn7sTBZc8sJ
+g5DGALds7d64W1qTRrR41Cu78IUS7iRJRCXU4NLbyzV+BhEyDhiF8TGm+IGVXE+E
+AHQMXKjtRuzjasf5071bf/eOe50kgVrYDc/JZ2/lJJ/S4cdolz+5PcbExTzdwAeS
+A/oXKSm62ahveDRn8n6xNHSltjnAWo//9o6WCKHAEQIDAQABoAAwDQYJKoZIhvcN
+AQELBQADggIBAM+rpYhoVrsgkItnaLoE5ZFqOsaW+nGyy7IVe8KeTi+sfDo/OOMH
+KoZebwFkKa+5MpR7iGdGhwMsEvQBNwAAElLfVAW2NZQmC8DGwLyRA1yPTWNNvYi9
+oGaLPAvIROnSdd5WImV749zxv9W23pjozYSyFWVRxjhZd6Wj3XLRJFkAtikZZW02
+jnzLGLamILIuGj51d/ukR+uN4hVxnMKKhRpiRJFsjGJj3aai2ptJmvRhp1vrclJg
+Bix1JsLzKbuvPP00EuZXUZ9bRDUW8bpNhvuWUhtS5iFME6mTyqL7PveivLX7Sxuy
+VQ58FNeU68BIrdCSavxHtmgB/vjyMcfcEm7K9C7YPGSedK5evzKbVpkNk2SP5Cl4
+0pLDeLjYRGnf6sDjGK1FVJYAX9AG+8ZiCtSkWfMY/5ClcK5SCeO5QY1Ad3bY1Ez8
+l3IdzKwZK4zq9NZN20r0ZzSZ8kzEqeKotKXIPDjKBDHFk3wu4tkHZf9pyu9PkQjZ
+RpoVmhNFVQ2BRdZANudrMiWgUhxUpQgmRQPnpGbDmdWdvqEoHsTPkHrxgNdb+PxP
+D3NWN28hj9MRve+lSStnN/GXb9DPKyA6vmUHcd9p8EnnmLTy9sqy/smE3zYwDmz2
+QSGz4UhMOAD6/6/9mCLf1qiRpD2JAcYOz7LcVTrqpo3UtHAW/XD9XNPp
+-----END CERTIFICATE REQUEST-----
--- a/apps/epp_proxy/priv/test_ca/csrs/webclient.csr.pem
+++ b/apps/epp_proxy/priv/test_ca/csrs/webclient.csr.pem
--- a/apps/epp_proxy/priv/test_ca/generate_certificates.sh
+++ b/apps/epp_proxy/priv/test_ca/generate_certificates.sh
@ -1,9 +1,15 @@
 # !/bin/sh
 # Use localhost as common name.
-openssl genrsa -out private/webclient.key.pem 4096
-openssl req -sha256 -config openssl.cnf -new -days 3650 -key private/webclient.key.pem -out csrs/webclient.csr.pem
-openssl ca -config openssl.cnf -keyfile private/ca.key.pem -cert certs/ca.crt.pem -extensions usr_cert -notext -md sha256 -in csrs/webclient.csr.pem -days 3650 -out certs/webclient.crt.pem
-openssl ca -keyfile private/ca.key.pem -cert certs/ca.crt.pem -gencrl -out crl/crl.pem
+openssl genrsa -out private/client.key.pem 4096
+openssl req -sha256 -config openssl.cnf -new -days 3650 -key private/client.key.pem -out csrs/client.csr.pem
+openssl ca -config openssl.cnf -keyfile private/ca.key.pem -cert certs/ca.crt.pem -extensions usr_cert -notext -md sha256 -in csrs/client.csr.pem -days 3650 -out certs/client.crt.pem
+
+openssl genrsa -out private/revoked.key.pem 4096
+openssl req -sha256 -config openssl.cnf -new -days 3650 -key private/revoked.key.pem -out csrs/revoked.csr.pem
+openssl ca -config openssl.cnf -keyfile private/ca.key.pem -cert certs/ca.crt.pem -extensions usr_cert -notext -md sha256 -in csrs/revoked.csr.pem -days 3650 -out certs/revoked.crt.pem
+openssl ca -config openssl.cnf -keyfile private/ca.key.pem -cert certs/ca.crt.pem -revoke certs/revoked.crt.pem
+
 openssl ca -config openssl.cnf -keyfile private/ca.key.pem -cert certs/ca.crt.pem -crldays 3650 -gencrl -out crl/crl.pem
+
 openssl req -config openssl.cnf -new -sha256 -nodes -out server.csr -newkey rsa:2048 -keyout private/apache.key -config server.csr.cnf
 openssl x509 -req -in server.csr -CA certs/ca.crt.pem  -CAkey private/ca.key.pem -CAcreateserial -out certs/apache.crt -days 3650 -sha256 -extfile v3.ext
--- a/apps/epp_proxy/priv/test_ca/private/client.key.pem
+++ b/apps/epp_proxy/priv/test_ca/private/client.key.pem
@ -0,0 +1,51 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIJKQIBAAKCAgEA2hWCMGKbCtZQqXm6PJUfoQXz4OStTjO1JBOsjVeeFGB9cT1J
+NomS8aApwmGXa3xbc8BH51PqLa7+sfkMzYdd/W07qWlIXrZWxwXP2DuA6ezBBd9M
+I4yxjmnDZpbEIvUYRm3oMaqCajwdJhKtWUj0KrJgbPEMWKC9xYTVSa17zwQlxdoZ
+n9M/tC20nF0WfAleXuzwI4uTni6JiDxnvQplTFkR9CTbyxEwBCRtIlD8rP818gcc
+/a8fYjwJhYS8uLK7byBUBt7THF7tq/FcmqewaWhLOAld+n5lhzEOcVUICzgIQimw
+7mNr/oCmOsOnUIdVZtW/ag9TVZPIrCeVp0+WeBBb2jKuYBho9U2kwYuEDonuilT
+/ImrzimGJHTqGutFy07RGubPW3Fj0tQXJ5eN1kf6T6J1by2NzdFbgo1w8KetBhwR
+jbFaT2v21BecK+gbE+1UnBbDzEBtxpnOCnPo8So98rM+clbyC9b/TMzebXaB1+TD
+YJT9I7TZ+7EwWXPLCYOQxgC3bO3euFtak0a0eNQru/CFEu4kSUQl1ODS28s1fgYR
+Mg4YhfExpviBlVxPhAB0DFyo7Ubs42rH+dO9W3/3jnudJIFa2A3PyWdv5SSf0uHH
+aJc/uT3GxMU83cAHkgP6Fykputmob3g0Z/J+sTR0pbY5wFqP//aOlgihwBECAwEA
+AQKCAgBPJsNLoF45PrOj7wRC/LSwEqMDGrwzx9yUrXdRDV3Yc3TT5rRt0Ny+Sa0e
+WaFFZ6shhcYTFYfG8N6L5aJZ7imU01J2GDol9fPk5B0dk+sj+8PKx9KwjF3dHFHJ
+KCsjrOUUmstNS19uA0dpDBpSb4H/BSKuJ4adnCmESMPIq+hlqFG1T4VBVsCmOnh0
+z+xbNGNF/KTjocMABE/yXEoieGVvolw7yizjtOdCeZ4KeG5cs3v2zdId2LOBSd0C
+0rxUJLqWiJs2qyTgBSwp3b4Ie5gxiaLTQcMUKU/cE1f0ljIHMFz+9na/xgbAufK7
+YYS6WsaezXRzN96X9R1fr86oDQYVmREnBU5ouUWDMop17M3TRH70mAdaczb2zML3
+cg+uQXjuw45hyD322RySZgz4+nnLcSFJBHzfbfFBnGtwiAfVqc68n5+wVLzJvwji
+zV6MCs7FfvR1+ex/MY9woggkQTHfDX2311N83uD11K6pO5FbRQUSHgNo+/tEYwAq
+niY6fsXPxOPC8udEIbCEOFOGd/xMF9ihvbMWbSVB/ZZFIedrzbk8SPG/rUx+k5wP
+rCte69i/b2yQyfDs9ULYletevHb+CuhIyAvIIkhb1zfM4rmoa6MdHmhJAKb3lzLO
+lAyYmnepFbVek6vqpn+6oJzHCejCAhUoSr1oytBlNUDdvjacYQKCAQEA83t3d+EH
+jgqEZiH9DvZnhrgiX5qtTPieVyl6bpbw8XM4ULmy3fy3ZdFEN/zGJlRYMVA0P4I8
+4GJaULYtDlaPuH1xqhuFrF/gv1aOGChq4M33nNtdjVgWvWKJK6rkPXCYwD8QRK/H
+vz3DQUqn7XEqLEknFWt6SeIseSajrXWLF0F+hy6HmW+eRONHf5HT8EMx3zqMgoE1
+eNyCeJ8Xkja+T7t1xcYKW5zUeDs9nYXPiuk9Mq2zQzqfiIJKnow4HThrd2WKcKKC
+60C7YTGEvEHbUTAzz9C4BaVjEXu7bCfb5ryVfnJH8LHpQ1PgEIVBdJ7OjfXDnAf2
+FqoMiHFAximvPQKCAQEA5UvExUQJTLNrB7K/mn0/2Q9G8zQgpns+EwxD2s9nhpXD
+RLmbPIH5URV1Hf5HchlKp5uY7KB0SgUIjAV6I2FDv/oFNk+pu/PXI2rOcZuPgX3M
+KD5MTw+Gm5NtoYgDemcJUMgAk9ilh7v7YKP8ASwNxikHkQ3oEKPXSW1/mJxiSzpH
+8tpmSFisBAFtBJlMEzt8FGH7a8+DpvbOyxfP4aocF6cgqKtSwgtKJm2EwSyaEMYB
+1cK6wQeY0mpcmtrdSeJaEWnq5deFhEYWOKTaliTQMFgWC6RBGdCp7RGyE0jVQi7F
+iAXFsfkNjVmmSF8PAA/CKOIW0Z1QV/10zP9F5ofhZQKCAQEAuT41TZJ6Ufn0c1Pm
+mSyk5R1QoZYnxYjdxwi6qkrSc5CqxtgRmsy7p45ILaR2CRFgq9wOdEcdE8YgWonP
+y7nVzJI8GSSpVdT4Q/qRTxXpArIRclh/W5sqadn+7Kcu0QPKY3FXajqmaPyPgixP
+iNnxMRJS1vwXZQDbvyzDmKP2N7JPln+zEOyX6GdWrVsAeSpWVjTQVDYDvble1nCL
+2WUm87h2yQp8NOkjyXmgzijRFymOsvDukvaWC6C9LtUVmD2lnYg2hK1Pl7Z/GVo4
+V5ZvSty2fqSYbUtADTwrAwVsS6cswbAmxZxGEUBOF6OagiSUl/LkaOCxvNqRgHlR
+w7JRLQKCAQEA15S6R0HlgHC783vyu1yBGCJN8cET5ZK/1QbWETapPhc2hToAow4M
+i1iiSXXWVIdE8nrPd8KQMzuyQnuvzu3W1ftKxTp2+hiTMGBuAtBgRz4wIbIY6shN
+JZ6iF5oasw2G66VvLZImZ4ytFrp25980gBf5Xj717hctBYNm0ORPYi1EkicWvXRp
+Hkb86bL7nKVzznIlAcMUI3mvCbG0qJXYXcCrawnRAFG/AIw9oaW+oICaHxE7ptru
+qv6HXKzkG2AukGrGCBzvEmMW52DPhxTLjHh1GbLv5kaSTSszAwCaSORSocXTjrX7
+MOeV+Dsvjj5CrU+MZr4CWQgatdZYMRuWJQKCAQB7BGo5ajhebHd9UD1+X+plXBWb
+LxMhvK9f4Z/Q7PUDcQwesyF4/iyLFxdihixPspBpY4YuRAXzXtFrGtzKxfTdBz8O
+pBk++GI8OBA0+qviIYkqg3Yojb05nupAL+by8HHMc2kQwbiZQ0oH1AKZgGcAxe9i
+dI+nSMDWM088bwTDmmUHVE4hdEiYvRza3OefDH4/EQhNhJHvWqgGsaHL0nhmfPVa
+O4ovmZoRqLsCdxuUao2Q2klIFQicKWsnl2J96rIlzgjZGzHUgqkAKnnrYGTdu7oG
+tiQRzzDF0C24sbH2mrX6Q+sjN7KKW1fCIQEufMCbT8nF/gv7SD7Do/H0SFp1
+-----END RSA PRIVATE KEY-----
--- a/apps/epp_proxy/priv/test_ca/private/webclient.key.pem
+++ b/apps/epp_proxy/priv/test_ca/private/webclient.key.pem
--- a/apps/epp_proxy/src/epp_http_client.erl
+++ b/apps/epp_proxy/src/epp_http_client.erl
@ -82,10 +82,12 @@ request_from_map(#{command := Command,
 %% Return form data or an empty list.
 request_body(?helloCommand, _, _) -> "";
 request_body(_Command, RawFrame, nomatch) ->
-    {multipart, [{<<"raw_frame">>, RawFrame}, {<<"frame">>, RawFrame}]};
+    {multipart,
+     [{<<"raw_frame">>, RawFrame}, {<<"frame">>, RawFrame}]};
 request_body(_Command, RawFrame, ClTRID) ->
    {multipart,
-     [{<<"raw_frame">>, RawFrame}, {<<"frame">>, RawFrame}, {<<"clTRID">>, ClTRID}]}.
+     [{<<"raw_frame">>, RawFrame}, {<<"frame">>, RawFrame},
+      {<<"clTRID">>, ClTRID}]}.

 %% Return a list of properties that each represent a query part in a query string.
 %% [{"user", "eis"}]} becomes later https://example.com?user=eis
--- a/apps/epp_proxy/src/epp_tls_worker.erl
+++ b/apps/epp_proxy/src/epp_tls_worker.erl
@ -43,9 +43,14 @@ start_link(Socket) ->
 %% If certificate is revoked, this will fail right away here.
 %% mod_epp does exactly the same thing.
 handle_cast(serve, State = #state{socket = Socket}) ->
-    {ok, SecureSocket} = ssl:handshake(Socket),
-    NewState = state_from_socket(SecureSocket, State),
-    {noreply, NewState};
+    {ok, {PeerIp, _PeerPort}} = ssl:peername(Socket),
+    case ssl:handshake(Socket) of
+      {ok, SecureSocket} ->
+	  NewState = state_from_socket(SecureSocket, State),
+	  {noreply, NewState};
+      {error, Error} ->
+	  log_on_invalid_handshake(PeerIp, Error)
+    end;
 %% Step two: Using the state of the connection, get the hello route
 %% from http server.  Send the response from HTTP server back to EPP
 %% client.  When this succeeds, send "process_command" to self and
@ -160,6 +165,13 @@ log_on_timeout(State) ->
    lager:info("Client timed out: [~p]~n", [State]),
    exit(normal).

+log_on_invalid_handshake(Ip, Error) ->
+    ReadableIp = epp_util:readable_ip(Ip),
+    lager:info("Failed SSL handshake. IP: ~s, Error: "
+	       "[~p]~n",
+	       [ReadableIp, Error]),
+    exit(normal).
+
 %% Extract state info from socket. Fail if you must.
 state_from_socket(Socket, State) ->
    {ok, PeerCert} = ssl:peercert(Socket),
--- a/apps/epp_proxy/test/tls_client_SUITE.erl
+++ b/apps/epp_proxy/test/tls_client_SUITE.erl
@ -11,7 +11,8 @@
         valid_command_test_case/1,
         long_message_test_case/1,
         invalid_command_test_case/1,
-         error_test_case/1]).
+         error_test_case/1,
+         revoked_cert_test_case/1]).

 all() ->
    [frame_size_test_case,
@ -20,17 +21,22 @@ all() ->
     valid_command_test_case,
     long_message_test_case,
     invalid_command_test_case,
-     error_test_case].
+     error_test_case,
+     revoked_cert_test_case].

 init_per_suite(Config) ->
    application:ensure_all_started(epp_proxy),
    application:ensure_all_started(hackney),
    CWD = code:priv_dir(epp_proxy),
    Options = [binary,
-               {certfile, filename:join(CWD, "test_ca/certs/webclient.crt.pem")},
-	       {keyfile, filename:join(CWD, "test_ca/private/webclient.key.pem")},
+               {certfile, filename:join(CWD, "test_ca/certs/client.crt.pem")},
+	       {keyfile, filename:join(CWD, "test_ca/private/client.key.pem")},
               {active, false}],
-    [{ssl_options, Options} | Config].
+    RevokedOptions = [binary,
+               {certfile, filename:join(CWD, "test_ca/certs/revoked.crt.pem")},
+	       {keyfile, filename:join(CWD, "test_ca/private/revoked.key.pem")},
+               {active, false}],
+    [{ssl_options, Options}, {revoked_options, RevokedOptions} | Config].

 end_per_suite(Config) ->
    application:stop(epp_proxy),
@ -170,6 +176,14 @@ error_test_case(Config) ->
               "Command syntax error."),
    ok.

+revoked_cert_test_case(Config) ->
+    Options = proplists:get_value(revoked_options, Config),
+    {error, Error} = ssl:connect("localhost", 1443, Options, 2000),
+    {tls_alert,
+     {certificate_revoked,
+      "received CLIENT ALERT: Fatal - Certificate Revoked"}} = Error,
+    ok.
+
 %% Helper functions:
 length_of_data(Data) ->
    EPPEnvelope = binary:part(Data, {0, 4}),