[erlang-bugs] possible bug in ssl and/or public_key module (R13 and R14)
Ingela Anderton Andin
ingela@REDACTED
Fri Sep 17 10:19:43 CEST 2010
Hi!
Humm ...
I get this result running your program:
Erlang R14B (erts-5.8.1) [source] [smp:4:4] [rq:4] [async-threads:0]
[kernel-poll:false]
Eshell V5.8.1 (abort with ^G)
1> c(ssl_test).
{ok,ssl_test}
2> ssl_test:test().
=ERROR REPORT==== 17-Sep-2010::09:22:46 ===
SSL: certify_certificate: ./ssl_handshake.erl:570:Fatal error:
certificate expired
** exception error: no match of right hand side value
{error,"certificate expired"}
in function ssl_test:test/0
Did you run your test on a github version of a R14B to be? I do not see
how you could get
a completely different error.
If I do

FunAndState = {fun(_, {bad_cert, unknown_ca}, UserState) -> {valid, UserState};
                  (_, {bad_cert, cert_expired}, UserState) -> {valid, UserState};
                  (_, {bad_cert, _} = Reason, _) -> {fail, Reason};
                  (_, {extension, _}, UserState) -> {unknown, UserState};
                  (_, valid, UserState) -> {valid, UserState}
               end, []}.
ssl:connect("couchdb.staging.one.ubuntu.com", 443,
            [{verify, verify_peer}, {verify_fun, FunAndState}]).

I get a connection (i.e. I accept that the certificate has expired).

However

ssl:connect("couchdb.staging.one.ubuntu.com", 443,
            [{verify, 0}, {ssl_imp, old}]).

will give a connection, so it seems {verify, 0} is more forgiving than
{verify, verify_none}, which only allows the path error unknown_ca
at the moment. Maybe we have to rethink that for backwards compatibility
reasons.
Regards Ingela
Erlang/OTP team - Ericsson AB
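The verify_fun above accepts both unknown_ca and cert_expired. An added example (not code from the thread or from OTP) showing the stricter form a deployment would want: {verify, verify_peer} with an explicit CA file, cert_expired always rejected, unknown_ca tolerated only on request and logged when it is. The module name strict_verify, connect/4 and the CaFile argument are assumptions.

```erlang
%% strict_verify: added example, not code from the thread or from OTP.
%% Keeps {verify, verify_peer} with an explicit CA file and decides each
%% path-validation event explicitly instead of accepting everything.
-module(strict_verify).
-export([verify_fun/1, connect/4]).

%% Returns {Fun, InitialUserState} for the verify_fun option.
%% AllowUnknownCa :: boolean() - opt-in for CAs missing from CaFile.
verify_fun(AllowUnknownCa) ->
    Fun = fun
        (_Cert, {bad_cert, unknown_ca}, State) when AllowUnknownCa =:= true ->
            error_logger:warning_msg("accepting certificate from unknown CA~n"),
            {valid, State};
        (_Cert, {bad_cert, Reason}, _State) ->
            %% cert_expired, unknown_ca (when not opted in) and any other
            %% path error abort the handshake with that reason
            {fail, Reason};
        (_Cert, {extension, _Ext}, State) ->
            %% leave extensions to public_key's default handling;
            %% an unknown critical extension still fails validation
            {unknown, State};
        (_Cert, valid, State) ->
            {valid, State};
        (_Cert, valid_peer, State) ->
            %% reported for the peer certificate by later OTP releases
            {valid, State}
    end,
    {Fun, []}.

%% CaFile: PEM bundle of trusted CAs (path supplied by the caller).
connect(Host, Port, CaFile, AllowUnknownCa) ->
    Options = [binary,
               {active, false},
               {cacertfile, CaFile},
               {verify, verify_peer},
               {verify_fun, verify_fun(AllowUnknownCa)}],
    ssl:connect(Host, Port, Options).
```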
Filipe David Manana wrote:
> When connecting to a particular server through an ssl socket, I always get the
> error:
>
> Erlang R14B (erts-5.8.1) [source] [smp:2:2] [rq:2] [async-threads:0] [hipe]
> [kernel-poll:false]
>
> Eshell V5.8.1 (abort with ^G)
> 1> c(test_ssl).
> {ok,test_ssl}
> 2> test_ssl:test().
>
> =ERROR REPORT==== 17-Sep-2010::02:07:25 ===
> SSL: certify_certificate: ./ssl_handshake.erl:502:Fatal error: handshake
> failure
> ** exception error: no match of right hand side value {error,esslconnect}
> in function test_ssl:test/0
> 3>
>
> However, if I pick up another server, like www.cia.gov:443 or
> www.facebook.com:443 for example, it succeeds (with exactly the same ssl
> options passed to ssl:connect/3).
> Also tested with R13B03 and R13B04 and got the same results (only modified
> value of option verify from verify_none to 0).
>
> The code to test this eventual bug is:
>
> -module(test_ssl).
> -compile(export_all).
>
> -define(HOST, "couchdb.staging.one.ubuntu.com").
> % -define(HOST, "www.cia.gov").
>
> test() ->
>     Body = iolist_to_binary([
>         "GET / HTTP/1.1\r\n",
>         "Host: ", ?HOST, "\r\n",
>         "Accept: */*\r\n",
>         "Connection: close\r\n", "\r\n"
>     ]),
>     application:start(crypto),
>     application:start(public_key),
>     application:start(ssl),
>     Options = [
>         {ssl_imp, new},
>         binary,
>         {nodelay, true},
>         {active, false},
>         {verify, verify_none}
>         % {verify_fun, fun(_) -> true end},
>     ],
>     {ok, S} = ssl:connect(?HOST, 443, Options),
>     ok = ssl:send(S, Body),
>     loop(S),
>     ssl:close(S).
>
> loop(S) ->
>     ssl:setopts(S, [{active, once}]),
>     receive
>         {ssl, S, Data} ->
>             io:format("received data: ~p~n", [Data]),
>             loop(S);
>         {ssl_closed, S} ->
>             io:format("socket closed", []);
>         {ssl_error, S, Error} ->
>             io:format("socket error: ~p", [Error])
>     end.
>
> cheers