[erlang-patches] new version elliptic curve support

Andreas Schultz aschultz@REDACTED
Wed Mar 13 19:32:01 CET 2013


Hi,

Found the cause, the EC patch adds server hello handshake extensions, but
sends them unconditionally when it should only send them if the client
requested them.

I'll change that, but it'll take a few days as I'm very busy....

Andreas

----- Original Message -----
> Hi!
> 
> Just a small clarification. Test cases erlang_server_openssl_client,
> erlang_server_openssl_client_client_cert,
> erlang_server_openssl_client_dsa_cert, and
> erlang_server_openssl_client_reuse_session fail for some TLS
> versions on some versions of openssl.
> 
> The test case log looks like the following when it fails for SSLv3; it runs fine on
> TLSv1 (v1.1 and 1.2 skipped, not supported). OpenSSL 0.9.8k (happens on
> two machines with this openssl version)
> 
> --------------------------
> openssl 8564:error:14092073:SSL routines:SSL3_GET_SERVER_HELLO:bad
> packet length:s3_clnt.c:879:
> 
> CONNECTED(00000003)
> **** User 2013-03-13 09:58:56.238 ****
> ssl_to_openssl_SUITE:basic_erlang_server_openssl_client failed on line
> 249 Reason: {test_case_failed,{{expected,{<0.10511.0>,ok}},
> {got,{'EXIT',#Port<0.11293>,normal}}}}
> 
> 
> 
> 
> === Ended at 2013-03-13 09:58:56
> === location [{ssl_to_openssl_SUITE,basic_erlang_server_openssl_client,249
> <http://otp.ericsson.se:8000/product/internal/test/test_results/pu_R16B01/2013_03_12/otp_r16b01_elendur_linux-gnu_i686_suse10_s2_kp_a10_cover/ct_run.test_server@elendur.2013-03-13_09.22.35/test.ssl_test.logs/run.2013-03-13_09.22.45/ssl_to_openssl_suite.src.html#249>},
>               {test_server,ts_tc,1348},
>               {test_server,run_test_case_eval1,965},
>               {test_server,run_test_case_eval,914}]
> === reason = {test_case_failed,{{expected,{<0.10511.0>,ok}},
>                                     {got,{'EXIT',#Port<0.11293>,normal}}}}
> 
> 
> 
> openssl 58039:error:14092073:SSL routines:SSL3_GET_SERVER_HELLO:bad packet
> length:s3_clnt.c:743:
> 
> 
> openssl CONNECTED(00000003)
> 
> ------------------------------------
> 
> On another machine with OpenSSL 0.9.7l, test cases fail for both TLS versions
> SSLv3 and TLSv1 (v1.1 and 1.2 skipped, not supported)
> with a similar fault.
> 
> 
> ------------------------------------
> **** User 2013-03-12 16:28:24.533 ****
> ssl_to_openssl_SUITE:erlang_server_openssl_client_client_cert failed on
> line 699 Reason: {test_case_failed,{{expected,{<0.8699.0>,ok}},
> {got,{'EXIT',#Port<0.10224>,normal}}}}
> 
> 
> 
> 
> === Ended at 2013-03-12 16:28:24
> === location
> [{ssl_to_openssl_SUITE,erlang_server_openssl_client_client_cert,699
> <http://otp.ericsson.se:8000/product/internal/test/daily/test_results/pu_R16B01/2013_03_11/otp_r16b01_dwalin_darwin9.8.0_i386_s2_kp_a10/ct_run.test_server%40dwalin.2013-03-12_16.14.56/test.ssl_test.logs/run.2013-03-12_16.15.01/ssl_to_openssl_suite.src.html#699>},
>               {test_server,ts_tc,1348},
>               {test_server,run_test_case_eval1,965},
>               {test_server,run_test_case_eval,914}]
> === reason = {test_case_failed,{{expected,{<0.8699.0>,ok}},
>                                     {got,{'EXIT',#Port<0.10224>,normal}}}}
> 
> 
> 
> ------------------------------------
> 
> ciphers_rsa_signed_certs fails on openssl 0.9.8o; test case log:
> 
> ------------------------------------
> openssl Using default temp DH parameters
> 
> 
> **** User 2013-03-12 04:06:31.877 **** =ERROR REPORT====
> 12-Mar-2013::05:06:31 === SSL: hello: ssl_connection.erl:2313:Fatal
> error: handshake failure
> 
> **** User 2013-03-12 04:08:40.869 **** =ERROR REPORT====
> 12-Mar-2013::05:08:40 === Testcase process <0.11587.0> not responding to
> timetrap timeout:
> {timetrap_timeout,120000,[{ssl_to_openssl_SUITE,ciphers_rsa_signed_certs}]}.
> Killing testcase...
> 
> **** User 2013-03-12 04:08:40.869 **** Error detected:
> testcase_aborted_or_killed
> 
> ------------------------------------
> 
> Regards Ingela Erlang/OTP team - Ericsson AB
> 
> Fredrik wrote:
> > On 03/08/2013 02:06 PM, Andreas Schultz wrote:
> >> Hi,
> >>
> >> I have tested with various openssl versions and the earliest to
> >> pass the crypto test is 0.9.8o. I have adjusted the ifdef's
> >> in crypto to take that and then NO_ECDH and NO_ECDSA defines
> >> into account. I've also discovered a bug where an EC cipher was
> >> chosen when the certificate was actually not compatible with
> >> it.
> >>
> >> Update version is here:
> >>
> >> git fetch git://github.com/RoadRunnr/otp.git tls-psk-srp-suites-ECC
> >>
> >> https://github.com/RoadRunnr/otp/compare/master...tls-psk-srp-suites-ECC
> >> https://github.com/RoadRunnr/otp/compare/master...tls-psk-srp-suites-ECC.patch
> >>
> >>
> >>
> >> In case anybody is interested, I also have a very early version of
> >> AES-GCM cipher support (not for -pu inclusion yet):
> >>
> >> https://github.com/RoadRunnr/otp/compare/tls-psk-srp-suites-ECC-GCM
> >>
> >> Andreas
> >>
> >> ----- Original Message -----
> >>> Hello again,
> >>>
> >>> Since we want Erlang/OTP to be runnable on OS X Leopard we have to make
> >>> an exception to the OpenSSL supported version and make it work here. So
> >>> some kind of workaround needs to be done. I'm not sure if this
> >>> problem is
> >>> for all 0.9.7, or if it is Apple which have decided to do things a
> >>> specific way. So maybe the best way would be to check if the header
> >>> files exist in configure and then ifdef based on that. Alternatively if
> >>> you can determine that this is the way it works in 0.9.7, then you
> >>> should just be able to ifdef on the openssl version define.
> >>>
> >>> Lukas
> >>>
> >>> On 05/03/13 19:25, Lukas Larsson wrote:
> >>>> hmm, now that you mention it, it's 0.9.7l which is unsupported by us.
> >>>> I'll get back to you if we need to work around this, or if we can just
> >>>> leave it.
> >>>>
> >>>> Lukas
> >>>>
> >>>> On 05/03/13 19:12, Andreas Schultz wrote:
> >>>>> Hi,
> >>>>>
> >>>>> ----- Original Message -----
> >>>>>> Hello!
> >>>>>>
> >>>>>> I just noticed that this patch seems to break the OS X Leopard
> >>>>>> build.
> >>>>>>
> >>>>>> ./otp_build autoconf
> >>>>>> ./otp_build configure --enable-smp-support --enable-darwin-universal
> >>>>>> make
> >>>>>> ...
> >>>>>> Lots of text
> >>>>>> ...
> >>>>> [...]
> >>>>>
> >>>>>> It would seem like OPENSSL_NO_EC is not defined on OS X Leopard,
> >>>>>> even if
> >>>>>> the feature is not supported. The feature is supported on Snow
> >>>>>> Leopard
> >>>>>> and Lion.
> >>>>>>
> >>>>>> I don't really know how this is meant to work, but maybe a configure
> >>>>>> test for osx leopard could work?
> >>>>> A test for the openssl version possibly combined with a platform
> >>>>> check
> >>>>> might be sufficient. I checked openssl 0.9.7 and they did support EC
> >>>>> and the OPENSSL_NO_EC define. Could you find out what openssl version
> >>>>> leopard has?
> >>>>>
> >>>>>> As a side note, strangely openssl/ec.h exists, but not ecdh and
> >>>>>> ecdsa.... maybe that's why it is not defined? Let me know if you
> >>>>>> need
> >>>>>> any more info.
> >>>>> I'll extend the check for NO_ECDH and NO_ECDSA, that should take
> >>>>> care of
> >>>>> such a situation.
> >>>>>
> >>>>> Andreas
> >>>>>
> >>>>>> Lukas
> >>>>>>
> >>>>>> On 28/02/13 09:43, Fredrik wrote:
> >>>>>>> On 02/27/2013 07:33 PM, Andreas Schultz wrote:
> >>>>>>>> Hi,
> >>>>>>>>
> >>>>>>>> I have fixed the ssl_to_openssl_SUITE failure. The test suite
> >>>>>>>> tried to
> >>>>>>>> use an EC cipher on an openssl version that has no support for
> >>>>>>>> that
> >>>>>>>> cipher.
> >>>>>>>>
> >>>>>>>> I have also tried to reproduce the failing crypto ec test on
> >>>>>>>> Ubuntu
> >>>>>>>> natty 32bit and 64bit with halfword and m32-build, but it does
> >>>>>>>> pass
> >>>>>>>> the test on all those variants.
> >>>>>>>>
> >>>>>>>> Is there anything special or non-standard in your test setup
> >>>>>>>> (e.g. configuration switches, manually installed libraries,
> >>>>>>>> ...)???
> >>>>>>>>
> >>>>>>>> New version with fixed ssl_to_openssl_SUITE here:
> >>>>>>>>
> >>>>>>>> git fetch git://github.com/RoadRunnr/otp.git
> >>>>>>>> tls-psk-srp-suites-ECC
> >>>>>>>>
> >>>>>>>> https://github.com/RoadRunnr/otp/compare/master...tls-psk-srp-suites-ECC
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> https://github.com/RoadRunnr/otp/compare/master...tls-psk-srp-suites-ECC.patch
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> Andreas
> >>>>>>>>
> >>>>>>>> ----- Original Message -----
> >>>>>>>>> Hi!
> >>>>>>>>>
> >>>>>>>>> Andreas Schultz wrote:
> >>>>>>>>>> ----- Original Message -----
> >>>>>>>>>>> Hi!
> >>>>>>>>>>>
> >>>>>>>>>>> I took a look at the failing test cases and found that with
> >>>>>>>>>>> openssl
> >>>>>>>>>>> 0.9.8k,  openssl
> >>>>>>>>>>>
> >>>>>>>>>>> will crash with errors like the following:
> >>>>>>>>>>>
> >>>>>>>>>>> openssl 25966:error:14092073:SSL
> >>>>>>>>>>> routines:SSL3_GET_SERVER_HELLO:bad packet
> >>>>>>>>>>> length:s3_clnt.c:879:
> >>>>>>>>>>> CONNECTED(00000003)
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>> **** User 2013-02-25 11:01:47.291 ****
> >>>>>>>>>>> ssl_to_openssl_SUITE:basic_erlang_server_openssl_client
> >>>>>>>>>>> failed on
> >>>>>>>>>>> line
> >>>>>>>>>>> 249 Reason: {test_case_failed,{{expected,{<0.11346.0>,ok}},
> >>>>>>>>>>> {got,{'EXIT',#Port<0.11738>,normal}}}}
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>> That is why the test case gets
> >>>>>>>>>>> {'EXIT',#Port<0.11738>,normal}
> >>>>>>>>>>>
> >>>>>>>>>>> for the test cases erlang_server_openssl_client,
> >>>>>>>>>>> erlang_server_openssl_client_client_cert,
> >>>>>>>>>>> erlang_server_openssl_client_dsa_cert,
> >>>>>>>>>>> erlang_server_openssl_client_reuse_session
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>> and with openssl 0.9.8k and 0.9.8o there is a
> >>>>>>>>>>> handshake
> >>>>>>>>>>> failure
> >>>>>>>>>>> in the ciphers_rsa_signed_certs test case
> >>>>>>>>>>> <http://otp.ericsson.se:8000/product/internal/test/test_results/pu_R16B/2013_02_25/otp_r16b_elbereth_linux-gnu_x86_64_64_s4_a6_meamax/ct_run.test_server@elbereth.2013-02-26_04.53.56/test.ssl_test.logs/run.2013-02-26_04.53.59/ssl_to_openssl_suite.src.html#ciphers_rsa_signed_certs-1>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>> Got that too. Will investigate.
> >>>>>>>>>>
> >>>>>>>>>> Yet this still doesn't explain why the i386 build is showing
> >>>>>>>>>> a failure in the crypto EC tests (this also cause a lot of
> >>>>>>>>>> the ssl failures later on).
> >>>>>>>>> Yes it could be good to investigate that first.
> >>>>>>>>> Looking at the crypto testruns it fails on openssl 0.9.8k.
> >>>>>>>>>
> >>>>>>>>> Regards Ingela Erlang/OTP team - Ericsson AB
> >>>>>>>>>
> >>>>>>>>> [...]
> >>>>>>>>>
> >>>>>>> Hello,
> >>>>>>> Re-fetched. Let's see how the testing goes now!
> >>>>>>> There should be no special configurations as far as I know..
> >>>>>>>
> >>>> _______________________________________________
> >>>> erlang-patches mailing list
> >>>> erlang-patches@REDACTED
> >>>> http://erlang.org/mailman/listinfo/erlang-patches
> >>>>
> >>>
> > Hello again,
> > This seems suspicious that these two openssl versions
> > 0.9.8a
> > 0.9.7l
> > are failing some testcases that other versions are not. We are thinking
> > that it could be a bug in openssl but we are not sure. Could you match
> > your tests upon your branch on these openssl versions and see if you
> > can reproduce them.
> > The failing testcases are:
> >
> > ciphers_rsa_signed_certs
> > erlang_server_openssl_client
> > erlang_server_openssl_client_client_cert
> > erlang_server_openssl_client_dsa_cert
> > erlang_server_openssl_client_reuse_session
> >
> > in the ssl_to_openssl_SUITE suite.
> >
> 
> 

-- 
Dipl. Inform.
Andreas Schultz

email: as@REDACTED
phone: +49-391-819099-224
mobil: +49-170-2226073

------------------ managed broadband access ------------------

Travelping GmbH               phone:           +49-391-8190990
Roentgenstr. 13               fax:           +49-391-819099299
D-39108 Magdeburg             email:       info@REDACTED
GERMANY                       web:   http://www.travelping.com

Company Registration: HRB21276 Handelsregistergericht Chemnitz
Geschaeftsfuehrer: Holger Winkelmann | VAT ID No.: DE236673780
--------------------------------------------------------------
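
An added example, not part of the original message and not code from the OTP ssl application: a sketch of the rule behind the fix described at the top of this mail, where a ServerHello carries only extension types that the ClientHello offered (RFC 5246, section 7.4.1.4) and has no extensions block at all otherwise. The module and function names, and the choice of ec_point_formats as the candidate extension, are assumptions made for illustration.

```erlang
-module(hello_ext_example).
-export([client_ext_types/1, server_hello/5, demo/0]).

%% Extension types offered in a ClientHello body (handshake header removed).
%% A hello that ends after compression_methods offers none.
client_ext_types(<<_Version:2/binary, _Random:32/binary,
                   SidLen:8, _SessionId:SidLen/binary,
                   SuitesLen:16, _Suites:SuitesLen/binary,
                   CompLen:8, _Comp:CompLen/binary, Rest/binary>>) ->
    case Rest of
        <<>> -> [];
        <<ExtLen:16, Exts:ExtLen/binary>> -> ext_types(Exts)
    end.

ext_types(<<>>) -> [];
ext_types(<<Type:16, Len:16, _Data:Len/binary, Rest/binary>>) ->
    [Type | ext_types(Rest)].

%% ServerHello body with an empty session id and null compression.
%% Candidates is [{Type, Data}]: extensions the server is able to send.
server_hello(ClientHello, {Major, Minor}, Random, Suite, Candidates) ->
    Offered = client_ext_types(ClientHello),
    Allowed = [E || {Type, _} = E <- Candidates, lists:member(Type, Offered)],
    Base = <<Major:8, Minor:8, Random:32/binary, 0:8, Suite:16, 0:8>>,
    case Allowed of
        [] ->
            Base;  % omit the extensions block entirely, not an empty one
        _ ->
            Exts = << <<T:16, (byte_size(D)):16, D/binary>> || {T, D} <- Allowed >>,
            <<Base/binary, (byte_size(Exts)):16, Exts/binary>>
    end.

%% Constructed sample hellos: an SSLv3 client without extensions and a
%% TLS 1.0 client offering elliptic_curves (10) and ec_point_formats (11).
demo() ->
    Random = <<0:256>>,
    Plain = <<3, 0, Random/binary, 0, 2:16, 16#000A:16, 1, 0>>,
    Exts = <<10:16, 4:16, 2:16, 23:16, 11:16, 2:16, 1, 0>>,
    WithEc = <<3, 1, Random/binary, 0, 2:16, 16#C013:16, 1, 0,
               (byte_size(Exts)):16, Exts/binary>>,
    Candidates = [{11, <<1, 0>>}],   % ec_point_formats: uncompressed only
    {byte_size(server_hello(Plain, {3, 0}, Random, 16#000A, Candidates)),
     byte_size(server_hello(WithEc, {3, 1}, Random, 16#C013, Candidates))}.
```

`demo()` returns the two ServerHello body sizes: the reply to the extension-less hello ends at the compression method, while the reply to the second hello carries the ec_point_formats extension.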


