[erlang-questions] dh_anon SSL connection failed

Ingela Andin ingela.andin@REDACTED
Mon Jan 16 15:19:47 CET 2012


Hi Alexander!

2012/1/16, Alexander Hudich <alttagil@REDACTED>:
> Spent all night trying to establish SSL connection from my Erlang program to
> Nagios NRPE service.
>
> This is kind of an excerpt from the check_nrpe code which connects just fine:
>
> SSL_library_init();
> SSLeay_add_ssl_algorithms();
> meth=SSLv23_client_method();
> SSL_load_error_strings();
> ctx=SSL_CTX_new(meth);
> SSL_CTX_set_options(ctx,SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
> result=my_tcp_connect(server_name,server_port,&sd);
>
> /* do SSL handshake */
> if(result==STATE_OK && use_ssl==TRUE){
>   if((ssl=SSL_new(ctx))!=NULL){
>     SSL_CTX_set_cipher_list(ctx,"ADH");
>     SSL_set_fd(ssl,sd);
>     rc=SSL_connect(ssl);
>   }
> }
>

What cipher suite and SSL/TLS-protocol version will this code end up using?


>
> But I couldn't establish connection in any way. I always got an error:
>
> Erlang R16B (erts-5.10) [source] [64-bit] [smp:1:1] [async-threads:0] [hipe]
> [kernel-poll:false]
>
> Eshell V5.10
>
> 5> SockOpts.
> [{active,false},
>  {ssl_imp,old},

This is not a relevant option after R15B (it will always be new even
if you write old).

>
>  {verify,verify_none},
>  {ciphers,[{dh_anon,rc4_128,md5},
>            {dh_anon,des_cbc,sha},
>            {dh_anon,'3des_ede_cbc',sha},
>            {dh_anon,aes_128_cbc,sha},
>            {dh_anon,aes_256_cbc,sha}]}]
>
> 6> ssl:connect( Ip, 5666, SockOpts, infinity).
>
> =ERROR REPORT==== 16-Jan-2012::12:49:23 ===
> SSL: hello: ssl_handshake.erl:885:Fatal error: handshake failure
> {error,esslconnect}
>
> Code in ssl_handshake.erl at line 885 is
>
> dec_hs( _, _ ) ->
>     throw( ?ALERT_REC( ... ) )
>
> What do you think, is it possible to make this type of connection in Erlang?
> What else can I try, or is it a bug?

Our test cases for anonymous suites work just fine. Have you tried running
the test case anonymous_cipher_suites in ssl_basic_SUITE?
Servers will normally not support anonymous cipher suites; we include
them only for test purposes, and they may only be used if explicitly
supplied.

Regards Ingela Erlang/OTP team - Ericsson AB
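An added example, not code from this thread or from the Erlang/OTP project: an Erlang module that attempts the same connection as the quoted shell session, supplying the dh_anon suites explicitly (as the reply says they must be), and returns the protocol version and cipher suite the peer actually negotiated, which is the information needed to answer the question about what the C client ends up using. Option names and ssl:connection_info/1 are the R15/R16-era ssl API; the module name, the {versions, [tlsv1]} choice (meant to mirror the C client's SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 setting) and the 5 s timeout are assumptions.

```erlang
%% nrpe_adh_probe: added example (not from the original thread).
%% Connects with anonymous DH suites only and reports what was negotiated.
-module(nrpe_adh_probe).
-export([connect/2, connect/3, anon_ciphers/0]).

%% The same anonymous suites as the quoted SockOpts. The ssl application
%% never offers these by default; they are used only when listed here.
anon_ciphers() ->
    [{dh_anon, rc4_128, md5},
     {dh_anon, des_cbc, sha},
     {dh_anon, '3des_ede_cbc', sha},
     {dh_anon, aes_128_cbc, sha},
     {dh_anon, aes_256_cbc, sha}].

connect(Host, Port) ->
    connect(Host, Port, 5000).   %% 5 s timeout: assumed value

connect(Host, Port, Timeout) ->
    ok = ssl:start(),
    Opts = [{active, false},
            %% dh_anon suites carry no certificates, so there is nothing
            %% to verify; verify_none is the only consistent setting.
            {verify, verify_none},
            %% Assumption: restrict to TLS 1.0 to mirror the C client,
            %% which disables SSLv2 and SSLv3 (SSLv23 method + NO_SSLv2/3).
            {versions, [tlsv1]},
            {ciphers, anon_ciphers()}],
    case ssl:connect(Host, Port, Opts, Timeout) of
        {ok, Sock} ->
            %% R15/R16-era API: returns {ok, {ProtocolVersion, CipherSuite}}.
            %% Later releases replace it with ssl:connection_information/1.
            Info = ssl:connection_info(Sock),
            ok = ssl:close(Sock),
            Info;
        {error, Reason} ->
            %% e.g. {error, esslconnect} as in the quoted session
            {error, Reason}
    end.
```

Compile with `erlc nrpe_adh_probe.erl` and call `nrpe_adh_probe:connect("nrpe-host", 5666).` from the shell. Because the anonymous suites authenticate neither endpoint, the returned {Version, Suite} tuple is the only evidence of what was agreed; if the handshake still fails, compare the version and suite list offered here with what the C client reports after SSL_connect (OpenSSL's SSL_get_version and SSL_get_cipher), since a mismatch on either side is enough for the server to send handshake failure.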


