mTLS montoring through the tcp probe fails when extracting TLS alerts on TLS1.3 connections #4621

New issue

Open

opened 2026-02-28 04:09:34 -05:00 by deekerman · 2 comments

deekerman commented 2026-02-28 04:09:34 -05:00

Owner

Copy link

Originally created by @tchinchow on GitHub (Jan 19, 2026).

📑 I have found these related issues/pull requests

This is a continuation of #5837 which was closed as "implemented by #6587"

Many thanks for this patch that opened the way.

🛡️ Security Policy

• I have read and agree to Uptime Kuma's Security Policy.

📝 Description

I'm still facing issues on some of my sites when expecting a certificate_requested alert (116) from the server.

The tcp probe pretends like the server accepted the connection when it really did not (and curl confirms that the server is requiring a client certificate).
(see #5837 for details and screenshots)

👟 Reproduction steps

Probe a TLSv1.3 server that requires a client certificate.

Set the Expected TLS Alert field to certificate_requested (116)`.

👀 Expected behavior

The probe should indicate that the server indeed responded with the expected TLS alert (116).

😓 Actual Behavior

The probe pretends like the server accepted the connection and fails to recognize that it actually refused the connection with the expected TLS alert (116).

This is confirmed this with curl. You can run it from inside the docker container to make sure that the network configuration is similar.

🐻 Uptime-Kuma Version

2.1.0-beta2

💻 Operating System and Arch

fedora

🌐 Browser

firefox

🖥️ Deployment Environment

you can do this in the official docker container.

📝 Relevant log output

Originally created by @tchinchow on GitHub (Jan 19, 2026). ### 📑 I have found these related issues/pull requests This is a continuation of #5837 which was closed as "implemented by #6587" _Many thanks for this patch that opened the way._ ### 🛡️ Security Policy - [x] I have read and agree to Uptime Kuma's [Security Policy](https://github.com/louislam/uptime-kuma/security/policy). ### 📝 Description I'm still facing issues on some of my sites when expecting a `certificate_requested` alert (116) from the server. The tcp probe pretends like the server accepted the connection when it really did not _(and `curl` confirms that the server is requiring a client certificate)_. _(see #5837 for details and screenshots)_ ### 👟 Reproduction steps Probe a TLSv1.3 server that requires a client certificate. Set the `Expected TLS Alert` field to certificate_requested (116)`. ### 👀 Expected behavior The probe should indicate that the server indeed responded with the expected TLS alert (116). ### 😓 Actual Behavior The probe pretends like the server accepted the connection and fails to recognize that it actually refused the connection with the expected TLS alert (116). This is confirmed this with `curl`. You can run it from inside the docker container to make sure that the network configuration is similar. ### 🐻 Uptime-Kuma Version 2.1.0-beta2 ### 💻 Operating System and Arch fedora ### 🌐 Browser firefox ### 🖥️ Deployment Environment you can do this in the official docker container. ### 📝 Relevant log output ```bash session ```

deekerman added the

bug

label 2026-02-28 04:09:34 -05:00

deekerman commented 2026-02-28 04:09:39 -05:00

Author

Owner

Copy link

@tchinchow commented on GitHub (Jan 19, 2026):

I think I know what happens but I'm not confident enough with Javascript/node to fix it.

TLSv1.3 seems to enter a secureConnect state/event before reaching the error state/event because ciphering happens much before what is done in TLSv1.2.

The connection eventually reaches the error state but this event happens when the Promise has already been resolved.

In comparison, TLSv1.2 fails during the handshake and the error state is reached first.
This explains why current code works with this version of TLS (at least with fairly recent versions of node).

Documentation of the NodeJS TLS, session event seems better suited than secureConnect for what we want to achieve here.
However in case of TLSv1.2 it lloks like we never get to the session state/event.
I don't know why and this is where Javascript leaves me hanging...

I tried to modify the code _(#6772)_but then most tests fail because the session event does not seem to come for TLSv1.2 servers.

...and then I'm stuck for now.

@tchinchow commented on GitHub (Jan 19, 2026): I think I know what happens but I'm not confident enough with Javascript/node to fix it. TLSv1.3 seems to enter a `secureConnect` state/event before reaching the `error` state/event because ciphering happens much before what is done in TLSv1.2. The connection eventually reaches the `error` state but this event happens when the Promise has already been resolved. In comparison, TLSv1.2 fails during the handshake and the `error` state is reached first. This explains why current code works with this version of TLS _(at least with fairly recent versions of node)_. Documentation of the [NodeJS TLS, session event](https://nodejs.org/api/tls.html#event-session) seems better suited than `secureConnect` for what we want to achieve here. However in case of TLSv1.2 it lloks like we never get to the `session` state/event. I don't know why and this is where Javascript leaves me hanging... I tried to modify the code _(#6772)_but then most tests fail because the `session` event does not seem to come for TLSv1.2 servers. ...and then I'm stuck for now.

deekerman commented 2026-02-28 04:09:40 -05:00

Author

Owner

Copy link

@tchinchow commented on GitHub (Jan 19, 2026):

All I can tell is that the fix seems to work for me with node version 25.3.0.

It clearly fails with node version 20

I don't know about other versions but the automated tests suggests that multiple versions (including old node versions 20) must be supported by uptime kuma on systems such like ubuntu...

I will close the pull requests where I was only trying to figure out how the test system works and what it validates.
I don't know what I'm doing and I don't know how I can try things out on my own without polluting this repo.

@tchinchow commented on GitHub (Jan 19, 2026): All I can tell is that the fix seems to work for me with node version 25.3.0. It clearly fails with node version 20 I don't know about other versions but the automated tests suggests that multiple versions _(including old node versions 20)_ must be supported by uptime kuma on systems such like ubuntu... I will close the pull requests where I was only trying to figure out how the test system works and what it validates. I don't know what I'm doing and I don't know how I can try things out on my own without polluting this repo.

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

npm-update

3.0.X

dev-better-auth

copilot/remove-password-complexity-requirements

2.2.X

copilot/sub-pr-6355

1.23.X

api-via-socketio-client

2.1.3

2.1.2

2.1.1

2.1.0

2.1.0-beta.3

2.1.0-beta.2

2.1.0-beta.1

2.1.0-beta.0

2.0.2

2.0.1

1.23.17

2.0.0

2.0.0-beta.4

2.0.0-beta.3

2.0.0-beta.2

2.0.0-beta.2-temp

2.0.0-beta.1

1.23.16

2.0.0-beta.0

1.23.15

1.23.14

1.23.13

1.23.12

1.23.11

1.23.10

1.23.9

1.23.8

1.23.7

1.23.6

1.23.5

1.23.5-beta.0

1.23.4

1.23.3

1.23.2

1.23.1

1.23.0

1.23.0-beta.1

1.23.0-beta.0

1.22.1

1.22.0

1.22.0-beta.0

1.21.3

1.21.2

1.21.2-beta.0

1.21.1

1.21.0

1.21.0-beta.1

1.21.0-beta.0

1.20.2

1.20.1

1.20.0

1.20.0-beta.0

1.19.6

1.19.5

1.19.4

1.19.3

1.19.2

1.19.1

1.19.0

1.19.0-beta.2

1.19.0-beta.1

1.19.0-beta.0

1.18.5

1.18.4

1.18.3

1.18.2

1.18.1

1.18.0

1.18.0-beta.0

1.17.1

1.17.0

1.17.0-beta.1

1.17.0-beta.0

1.16.1

1.16.0

1.16.0-beta.0

1.15.1

1.15.0

1.15.0-beta.1

1.14.1

1.15.0-beta.0

1.14.0

1.14.0-beta.2

1.13.2

1.14.0-beta.1

1.14.0-beta.0

1.13.1

1.13.0

1.13.0-beta.2

1.13.0-beta.1

1.13.0-beta.0

1.12.1

1.12.0

1.11.4

1.11.3

1.11.2

1.11.1

1.11.0

1.10.2

1.10.1

1.10.0

1.9.2

1.9.1

1.9.0

1.8.0

1.7.3

1.7.2

1.7.1

1.7.0

1.6.3

1.6.2

1.6.1

1.6.0

1.5.3

1.5.2

1.5.1

1.5.0

1.3.2

1.3.1

1.3.0

1.2.0

1.1.0

1.0.10

1.0.9

1.0.8

1.0.7

1.0.6

1.0.5

1.0.4

1.0.3

1.0.2

1.0.1

1.0.0

Labels

Clear labels   

A:accessibility

  

A:api

  

A:cert-expiry

  

A:core

  

A:dashboard

  

A:deployment

  

A:documentation

  

A:domain expiry

  

A:incidents

  

A:maintenance

  

A:metrics

  

A:monitor

  

A:notifications

  

A:reports

  

A:settings

  

A:status-page

  

A:ui/ux

  

A:user-management

  

Stale

  

ai-slop

  

blocked

  

blocked-upstream

  

bug

  

cannot-reproduce

  

dependencies

  

discussion

  

duplicate

  

feature-request

  

feature-request

  

good first issue

  

hacktoberfest

  

help

  

help wanted

  

house keeping

  

invalid

  

invalid-format

  

invalid-format

  

question

  

releaseblocker 🚨

  

security

  

spam

  

type:enhance-existing

  

type:new

  

wontfix

No labels

A:accessibility

A:api

A:cert-expiry

A:core

A:dashboard

A:deployment

A:documentation

A:domain expiry

A:incidents

A:maintenance

A:metrics

A:monitor

A:notifications

A:reports

A:settings

A:status-page

A:ui/ux

A:user-management

Stale

ai-slop

blocked

blocked-upstream

bug

cannot-reproduce

dependencies

discussion

duplicate

feature-request

feature-request

good first issue

hacktoberfest

help

help wanted

house keeping

invalid

invalid-format

invalid-format

question

releaseblocker 🚨

security

spam

type:enhance-existing

type:new

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/uptime-kuma#4621

No description provided.