[erlang-bugs] Crash in SSL

Daniel Luna daniel@REDACTED
Wed Aug 22 16:33:03 CEST 2012


Hi Kenneth,

Long time, no see.

So to me it looks like this is a combination of issues.  It would make
me very happy if the OTP team could state the intention to fix these
issues in the near future.

1. The Erlang ssl module verifies the validity of the certificate even
when {verify, verify_none} has been set.  This could most easily be
fixed by a change to the documentation about what it means to use the
verify_none verification.

2. The ssl module *crashes* on bad data instead of returning {error,
Error} or {ok, Conn} (note that this crash happens for {verify,
verify_none} which should give us a connection back even if the
certificate is bad)

3. A gen_fsm dies in the background (with the main issue of clobbering
our error logs, and hiding real errors behind all the noise)

4. The Erlang ssl module is in disagreement with Chrome and Firefox
(and probably other browsers) about what is a valid certificate

1, 2, and 3 are definitely bugs.  I personally think 4 is a bug too,
but am willing to listen to arguments stating otherwise.

(As a side note, I don't see how the utf8-encoded string "US" is in any
way bitwise different from the ASCII-encoded string "US", and I don't
manage to find out if there is a type tag somewhere.)

Cheers,

Daniel


On 22 August 2012 02:57, Kenneth Lundin <kenneth.lundin@REDACTED> wrote:
> Hi Daniel,
>
> We have looked into this and found that the certificate from Farmbureaubank
> is incorrect with respect to the standard.
> The countryname "US" is supposed to be of type printablestring but is
> encoded as utf8string in one instance of countryname out of two in this
> certificate.
>
> The crash is a bug in that a proper error indicating wrong tag in input
> data should have been returned instead.
>
> The explanation to why this certificate is accepted by other ssl
> implementations is that they don't check or don't care about the stringtype
> for countryname.
>
> When searching on the net for similar problems I found that e.g. Netscape
> also seems to crash on the same input.
>
> We are thinking of adding more forgiving decoding of parts of the
> data in a certificate in order to be compatible with openssl and other
> implementations.
>
> We strongly suspect that the certificate in question is created with openssl
> and that it depends on certain settings regarding stringtypes in
> openssl.cnf.
> When time allows we will verify that.
>
> /Kenneth, Erlang/OTP Ericsson
>
> Den 9 aug 2012 00:43 skrev "Daniel Luna" <daniel@REDACTED>:
>>
>> We are experiencing a crash in ssl when trying to establish
>> connections to websites with seemingly valid ssl certificates.  Going
>> to the following domains in a normal web browser will give a green
>> light.  Trying to connect to them using ssl:connect gives a crash.
>> This crash occurs even with verify_none turned on.
>>
>> Some example domains are www.farmbureaubank.com and login.secureserver.net
>>
>> ssl:connect is working in general which is shown by the google.com
>> example.
>>
>> Cheers,
>>
>> Daniel
>>
>> 1> ssl:connect("google.com", 443,  [], infinity).
>> {ok,{sslsocket,new_ssl,<0.8447.0>}}
>> 2> ssl:connect("login.secureserver.net", 443,  [{verify,
>> verify_none}], infinity).
>> ** exception exit: {{{badmatch,
>>                          {error,
>>                              {asn1,
>>                                  {{case_clause,19},
>>                                   [{'OTP-PUB-KEY',
>>
>> check_and_convert_restricted_string,5,
>>                                        [{file,"OTP-PUB-KEY.erl"},
>>                                         {line,14122}]},
>>                                    {'OTP-PUB-KEY',decode,2,
>>
>> [{file,"OTP-PUB-KEY.erl"},{line,493}]},
>>                                    {pubkey_cert_records,transform,2,
>>                                        [{file,"pubkey_cert_records.erl"},
>>                                         {line,60}]},
>>                                    {lists,map,2,
>>                                        [{file,"lists.erl"},{line,1173}]},
>>                                    {pubkey_cert_records,transform,2,
>>                                        [{file,"pubkey_cert_records.erl"},
>>                                         {line,72}]},
>>                                    {pubkey_cert_records,decode_tbs,1,
>>                                        [{file,"pubkey_cert_records.erl"},
>>                                         {line,190}]},
>>                                    {pubkey_cert_records,decode_cert,1,
>>                                        [{file,"pubkey_cert_records.erl"},
>>                                         {line,40}]},
>>                                    {public_key,pkix_decode_cert,2,
>>                                        [{file,"public_key.erl"},
>>                                         {line,211}]}]}}}},
>>                      [{public_key,pkix_decode_cert,2,
>>                           [{file,"public_key.erl"},{line,215}]},
>>                       {public_key,path_validation,2,
>>                           [{file,"public_key.erl"},{line,605}]},
>>                       {ssl_handshake,certify,7,
>>                           [{file,"ssl_handshake.erl"},{line,218}]},
>>                       {ssl_connection,certify,2,
>>                           [{file,"ssl_connection.erl"},{line,514}]},
>>                       {ssl_connection,next_state,4,
>>                           [{file,"ssl_connection.erl"},{line,1929}]},
>>
>> {gen_fsm,handle_msg,7,[{file,"gen_fsm.erl"},{line,494}]},
>>                       {proc_lib,init_p_do_apply,3,
>>                           [{file,"proc_lib.erl"},{line,227}]}]},
>>                     {gen_fsm,sync_send_all_state_event,
>>                         [<0.8453.0>,start,infinity]}}
>>      in function  gen_fsm:sync_send_all_state_event/3 (gen_fsm.erl, line
>> 240)
>>      in call from ssl_connection:sync_send_all_state_event/3
>> (ssl_connection.erl, line 1195)
>>      in call from ssl_connection:handshake/2 (ssl_connection.erl, line
>> 167)
>>      in call from ssl_connection:start_fsm/8 (ssl_connection.erl, line
>> 1037)
>>      in call from ssl_connection:connect/7 (ssl_connection.erl, line 139)
>> 18:40:19.798 [error] gen_fsm <0.8453.0> in state certify terminated
>> with reason: no match of right hand value
>>
>> {error,{asn1,{{case_clause,19},[{'OTP-PUB-KEY',check_and_convert_restricted_string,5,[{file,"OTP-PUB-KEY.erl"},{line,14122}]},{'OTP-PUB-KEY',decode,2,[{file,"OTP-PUB-KEY.erl"},{line,493}]},{pubkey_cert_records,transform,2,[{file,"pubkey_cert_records.erl"},{line,60}]},{lists,map,2,[{file,"lists.erl"},{line,1173}]},{pubkey_cert_records,transform,2,[{file,"pubkey_cert_records.erl"},{line,72}]},{pubkey_cert_records,decode_tbs,1,[{file,"pubkey_cert_records.erl"},{line,190}]},{pubkey_cert_records,...},...]}}}
>> in public_key:pkix_decode_cert/2 line 215
>> 18:40:19.931 [error] CRASH REPORT Process <0.8453.0> with 0 neighbours
>> exited with reason: no match of right hand value
>>
>> {error,{asn1,{{case_clause,19},[{'OTP-PUB-KEY',check_and_convert_restricted_string,5,[{file,"OTP-PUB-KEY.erl"},{line,14122}]},{'OTP-PUB-KEY',decode,2,[{file,"OTP-PUB-KEY.erl"},{line,493}]},{pubkey_cert_records,transform,2,[{file,"pubkey_cert_records.erl"},{line,60}]},{lists,map,2,[{file,"lists.erl"},{line,1173}]},{pubkey_cert_records,transform,2,[{file,"pubkey_cert_records.erl"},{line,72}]},{pubkey_cert_records,decode_tbs,1,[{file,"pubkey_cert_records.erl"},{line,190}]},{pubkey_cert_records,...},...]}}}
>> in public_key:pkix_decode_cert/2 line 215 in gen_fsm:terminate/7 line
>> 611
>> 18:40:19.970 [error] Supervisor ssl_connection_sup had child undefined
>> started with {ssl_connection,start_link,undefined} at <0.8453.0> exit
>> with reason no match of right hand value
>>
>> {error,{asn1,{{case_clause,19},[{'OTP-PUB-KEY',check_and_convert_restricted_string,5,[{file,"OTP-PUB-KEY.erl"},{line,14122}]},{'OTP-PUB-KEY',decode,2,[{file,"OTP-PUB-KEY.erl"},{line,493}]},{pubkey_cert_records,transform,2,[{file,"pubkey_cert_records.erl"},{line,60}]},{lists,map,2,[{file,"lists.erl"},{line,1173}]},{pubkey_cert_records,transform,2,[{file,"pubkey_cert_records.erl"},{line,72}]},{pubkey_cert_records,decode_tbs,1,[{file,"pubkey_cert_records.erl"},{line,190}]},{pubkey_cert_records,...},...]}}}
>> in public_key:pkix_decode_cert/2 line 215 in context child_terminated
>> _______________________________________________
>> erlang-bugs mailing list
>> erlang-bugs@REDACTED
>> http://erlang.org/mailman/listinfo/erlang-bugs

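Kenneth's point about the countryName string type, and Daniel's side question about whether there is a type tag, as an added standalone example that is not code from the thread or from OTP: a minimal DER decoder for a countryName AttributeTypeAndValue (sample bytes constructed inline; tag numbers and the id-at-countryName OID are the standard X.680/X.520 values) showing that the two encodings of "US" differ only in the tag byte, and that a decoder can return an error instead of crashing in strict mode while accepting UTF8String in the forgiving mode Kenneth describes.

```python
PRINTABLE_STRING = 0x13  # ASN.1 universal tag 19
UTF8_STRING = 0x0C       # ASN.1 universal tag 12
SEQUENCE = 0x30
OID = 0x06
OID_COUNTRY_NAME = bytes.fromhex("550406")  # id-at-countryName, OID 2.5.4.6

def der_tlv(tag: int, value: bytes) -> bytes:
    # Encode one DER tag-length-value; short-form length is enough for this example.
    assert len(value) < 128
    return bytes([tag, len(value)]) + value

def read_tlv(buf: bytes, pos: int):
    """Read one TLV at pos; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    if length >= 0x80:
        raise ValueError("long-form length not supported here")
    start = pos + 2
    if start + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[start:start + length], start + length

def decode_country_name(atv: bytes, forgiving: bool = False) -> str:
    """Decode an AttributeTypeAndValue for countryName.
    Strict mode accepts only PrintableString (as RFC 5280 requires); forgiving
    mode also accepts UTF8String, as the thread proposes for OpenSSL compatibility.
    Malformed input raises ValueError rather than crashing the caller."""
    tag, body, _ = read_tlv(atv, 0)
    if tag != SEQUENCE:
        raise ValueError("expected SEQUENCE")
    oid_tag, oid, nxt = read_tlv(body, 0)
    if oid_tag != OID or oid != OID_COUNTRY_NAME:
        raise ValueError("not a countryName attribute")
    str_tag, value, _ = read_tlv(body, nxt)
    allowed = {PRINTABLE_STRING, UTF8_STRING} if forgiving else {PRINTABLE_STRING}
    if str_tag not in allowed:
        raise ValueError(f"wrong tag {str_tag} for countryName, want PrintableString (19)")
    text = value.decode("utf-8" if str_tag == UTF8_STRING else "ascii")
    if len(text) != 2:
        raise ValueError("countryName must be exactly two characters")
    return text

# Constructed sample encodings of countryName = "US": same "US" bytes, different tag byte.
GOOD_US = der_tlv(SEQUENCE, der_tlv(OID, OID_COUNTRY_NAME) + der_tlv(PRINTABLE_STRING, b"US"))
BAD_US = der_tlv(SEQUENCE, der_tlv(OID, OID_COUNTRY_NAME) + der_tlv(UTF8_STRING, b"US"))

def differing_offsets(a: bytes, b: bytes) -> list:
    """Byte offsets at which two equal-length encodings differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
```

Running `differing_offsets(GOOD_US, BAD_US)` yields only offset 7, the tag byte in front of "US"; `decode_country_name(BAD_US)` raises in strict mode and returns "US" with `forgiving=True`.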

