[erlang-bugs] Crash in SSL

Kenneth Lundin kenneth.lundin@REDACTED
Wed Aug 22 08:57:58 CEST 2012


Hi Daniel,

We have looked into this and found that the certificate from Farmbureaubank
is incorrect with respect to the standard.
The countryname "US" is supposed to be of type printablestring but is
encoded as utf8string in one instance of countryname out of two in this
certificate.

The crash is a bug in that a proper error indicating wrong tag in input
data should have been returned instead.

The explanation of why this certificate is accepted by other ssl
implementations is that they don't check or don't care about the string type
for countryname.

When searching on the net for similar problems I found that e.g. Netscape
also seems to crash on the same input.

We are thinking of adding a more forgiving decoding of parts of the
data in a certificate in order to be compatible with openssl and other
implementations.

We strongly suspect that the certificate in question is created with
openssl and that it depends on certain settings regarding stringtypes in
openssl.cnf.
When time allows we will verify that.

/Kenneth, Erlang/OTP Ericsson
Den 9 aug 2012 00:43 skrev "Daniel Luna" <daniel@REDACTED>:

> We are experiencing a crash in ssl when trying to establish
> connections to websites with seemingly valid ssl certificates.  Going
> to the following domains in a normal web browser will give a green
> light.  Trying to connect to them using ssl:connect gives a crash.
> This crash occurs even with verify_none turned on.
>
> Some example domains are www.farmbureaubank.com and login.secureserver.net
>
> ssl:connect is working in general which is shown by the google.com example.
>
> Cheers,
>
> Daniel
>
> 1> ssl:connect("google.com", 443,  [], infinity).
> {ok,{sslsocket,new_ssl,<0.8447.0>}}
> 2> ssl:connect("login.secureserver.net", 443,  [{verify,
> verify_none}], infinity).
> ** exception exit: {{{badmatch,
>                          {error,
>                              {asn1,
>                                  {{case_clause,19},
>                                   [{'OTP-PUB-KEY',
>                                        check_and_convert_restricted_string,5,
>                                        [{file,"OTP-PUB-KEY.erl"},
>                                         {line,14122}]},
>                                    {'OTP-PUB-KEY',decode,2,
>                                        [{file,"OTP-PUB-KEY.erl"},{line,493}]},
>                                    {pubkey_cert_records,transform,2,
>                                        [{file,"pubkey_cert_records.erl"},
>                                         {line,60}]},
>                                    {lists,map,2,
>                                        [{file,"lists.erl"},{line,1173}]},
>                                    {pubkey_cert_records,transform,2,
>                                        [{file,"pubkey_cert_records.erl"},
>                                         {line,72}]},
>                                    {pubkey_cert_records,decode_tbs,1,
>                                        [{file,"pubkey_cert_records.erl"},
>                                         {line,190}]},
>                                    {pubkey_cert_records,decode_cert,1,
>                                        [{file,"pubkey_cert_records.erl"},
>                                         {line,40}]},
>                                    {public_key,pkix_decode_cert,2,
>                                        [{file,"public_key.erl"},
>                                         {line,211}]}]}}}},
>                      [{public_key,pkix_decode_cert,2,
>                           [{file,"public_key.erl"},{line,215}]},
>                       {public_key,path_validation,2,
>                           [{file,"public_key.erl"},{line,605}]},
>                       {ssl_handshake,certify,7,
>                           [{file,"ssl_handshake.erl"},{line,218}]},
>                       {ssl_connection,certify,2,
>                           [{file,"ssl_connection.erl"},{line,514}]},
>                       {ssl_connection,next_state,4,
>                           [{file,"ssl_connection.erl"},{line,1929}]},
>                       {gen_fsm,handle_msg,7,[{file,"gen_fsm.erl"},{line,494}]},
>                       {proc_lib,init_p_do_apply,3,
>                           [{file,"proc_lib.erl"},{line,227}]}]},
>                     {gen_fsm,sync_send_all_state_event,
>                         [<0.8453.0>,start,infinity]}}
>      in function  gen_fsm:sync_send_all_state_event/3 (gen_fsm.erl, line
> 240)
>      in call from ssl_connection:sync_send_all_state_event/3
> (ssl_connection.erl, line 1195)
>      in call from ssl_connection:handshake/2 (ssl_connection.erl, line 167)
>      in call from ssl_connection:start_fsm/8 (ssl_connection.erl, line
> 1037)
>      in call from ssl_connection:connect/7 (ssl_connection.erl, line 139)
> 18:40:19.798 [error] gen_fsm <0.8453.0> in state certify terminated
> with reason: no match of right hand value
>
> {error,{asn1,{{case_clause,19},[{'OTP-PUB-KEY',check_and_convert_restricted_string,5,[{file,"OTP-PUB-KEY.erl"},{line,14122}]},{'OTP-PUB-KEY',decode,2,[{file,"OTP-PUB-KEY.erl"},{line,493}]},{pubkey_cert_records,transform,2,[{file,"pubkey_cert_records.erl"},{line,60}]},{lists,map,2,[{file,"lists.erl"},{line,1173}]},{pubkey_cert_records,transform,2,[{file,"pubkey_cert_records.erl"},{line,72}]},{pubkey_cert_records,decode_tbs,1,[{file,"pubkey_cert_records.erl"},{line,190}]},{pubkey_cert_records,...},...]}}}
> in public_key:pkix_decode_cert/2 line 215
> 18:40:19.931 [error] CRASH REPORT Process <0.8453.0> with 0 neighbours
> exited with reason: no match of right hand value
>
> {error,{asn1,{{case_clause,19},[{'OTP-PUB-KEY',check_and_convert_restricted_string,5,[{file,"OTP-PUB-KEY.erl"},{line,14122}]},{'OTP-PUB-KEY',decode,2,[{file,"OTP-PUB-KEY.erl"},{line,493}]},{pubkey_cert_records,transform,2,[{file,"pubkey_cert_records.erl"},{line,60}]},{lists,map,2,[{file,"lists.erl"},{line,1173}]},{pubkey_cert_records,transform,2,[{file,"pubkey_cert_records.erl"},{line,72}]},{pubkey_cert_records,decode_tbs,1,[{file,"pubkey_cert_records.erl"},{line,190}]},{pubkey_cert_records,...},...]}}}
> in public_key:pkix_decode_cert/2 line 215 in gen_fsm:terminate/7 line
> 611
> 18:40:19.970 [error] Supervisor ssl_connection_sup had child undefined
> started with {ssl_connection,start_link,undefined} at <0.8453.0> exit
> with reason no match of right hand value
>
> {error,{asn1,{{case_clause,19},[{'OTP-PUB-KEY',check_and_convert_restricted_string,5,[{file,"OTP-PUB-KEY.erl"},{line,14122}]},{'OTP-PUB-KEY',decode,2,[{file,"OTP-PUB-KEY.erl"},{line,493}]},{pubkey_cert_records,transform,2,[{file,"pubkey_cert_records.erl"},{line,60}]},{lists,map,2,[{file,"lists.erl"},{line,1173}]},{pubkey_cert_records,transform,2,[{file,"pubkey_cert_records.erl"},{line,72}]},{pubkey_cert_records,decode_tbs,1,[{file,"pubkey_cert_records.erl"},{line,190}]},{pubkey_cert_records,...},...]}}}
> in public_key:pkix_decode_cert/2 line 215 in context child_terminated