[erlang-questions] dh_anon SSL connection failed

Alexander Hudich alttagil@REDACTED
Mon Jan 16 19:13:15 CET 2012


Hi, Ingela!

>> This is kind of excerpt from check_nrpe code which connects just fine:
>>
>> SSL_library_init();
>> SSLeay_add_ssl_algorithms();
>> meth=SSLv23_client_method();
>> SSL_load_error_strings();
>> ctx=SSL_CTX_new(meth);
>> SSL_CTX_set_options(ctx,SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
>> result=my_tcp_connect(server_name,server_port,&sd);
>>
>> /* do SSL handshake */
>>
>> if(result==STATE_OK && use_ssl==TRUE){
>>   if((ssl=SSL_new(ctx))!=NULL){
>>     SSL_CTX_set_cipher_list(ctx,"ADH");
>>     SSL_set_fd(ssl,sd);
>>     rc=SSL_connect(ssl);
>>   }
>> }

> What cipher suite and SSL/TLS-protocol version will this code end up
> using?


I do not have much experience developing with SSL connections, so I don't
know if I've done it right. I added this line after SSL_connect to get
information about the established SSL connection in check_nrpe:

printf("CIPHER %s %s\n", SSL_CIPHER_get_name(SSL_get_current_cipher(ssl)), SSL_CIPHER_get_version(SSL_get_current_cipher(ssl)));

And it gives:

CIPHER ADH-AES256-SHA TLSv1/SSLv3

Also I tried to change the SSLv23_client_method() call to SSLv3_client_method(),
and that gave a very interesting result:

CHECK_NRPE: Error - Could not complete SSL handshake.
SSL_connect=0
36071:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake
failure:s3_pkt.c:1102:SSL alert number 40

That looks pretty similar to the result that the Erlang ssl:connect call
returns.




>> Erlang R16B (erts-5.10) [source] [64-bit] [smp:1:1] [async-threads:0] 
>> [hipe] [kernel-poll:false]
>> 5> SockOpts.
>> [{active,false},
>> {ssl_imp,old},


> This is not a relevant option after R15B (it will always be new even if
> you write old).

Yes I know that, it was just an act of despair :)



>> {verify,verify_none},
>> {ciphers,[{dh_anon,rc4_128,md5},
>>            {dh_anon,des_cbc,sha},
>>            {dh_anon,'3des_ede_cbc',sha},
>>            {dh_anon,aes_128_cbc,sha},
>>            {dh_anon,aes_256_cbc,sha}]}]
>>
>> 6> ssl:connect( Ip, 5666, SockOpts, infinity).
>>
>> =ERROR REPORT==== 16-Jan-2012::12:49:23 ===
>> SSL: hello: ssl_handshake.erl:885:Fatal error: handshake failure
>> {error,esslconnect}
>> What do you think, is it possible to make this type of connection in
>> Erlang?
>> What else can I try, or is it a bug?

> Our test cases for anonymous suites work just fine. Have you tried
> running the test case anonymous_cipher_suites in ssl_basic_SUITE?

How can I do that?



> Servers will normally not support anonymous cipher suites and we include
> them only for test purposes and they may only be used if explicitly
> supplied.

I thought I had explicitly requested those anonymous ciphers by supplying
them in the connection options. Or is there something else I should do?


> Regards Ingela, Erlang/OTP team - Ericsson AB
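The following module is an added example written for this thread; it is not code from the original mail, from check_nrpe, or from the OTP sources. It assumes an R15/R16-era ssl application, where ssl:cipher_suites/1 accepts the atom `all` and ssl:connection_info/1 returns {ok, {Version, Suite}}; Host and Port are placeholders. It shows why the anonymous suites have to be passed explicitly (they are absent from the default list), how to do so in the same shape as the SockOpts in the mail, and how a client can inspect the negotiated suite afterwards and flag the case where the peer was never authenticated.

```erlang
%% Added example, not from the original mail or from the check_nrpe/OTP
%% sources. Assumes an R15/R16-era ssl application: ssl:cipher_suites/1
%% accepts `all' and ssl:connection_info/1 returns {ok, {Version, Suite}}.
%% Host and Port are placeholders supplied by the caller.
-module(anon_suite_check).
-export([anon_suites/0, is_anon/1, connect_default/2, connect_anon/2]).

%% Anonymous (dh_anon) suites known to the ssl app. They are not part of
%% ssl:cipher_suites() (the default list); only cipher_suites(all) lists
%% them, which is why a client must pass them explicitly in `ciphers'.
anon_suites() ->
    [Suite || {dh_anon, _Cipher, _Mac} = Suite <- ssl:cipher_suites(all)].

%% True if a negotiated suite uses anonymous key exchange, i.e. the peer
%% presented no certificate and the channel is open to an active attacker.
is_anon({dh_anon, _, _}) -> true;
is_anon(_)               -> false.

%% Connect with the default (authenticated) suite list and report what was
%% negotiated. A server that offers only ADH suites, as the check_nrpe peer
%% in this thread does, fails here with a handshake failure: no common suite.
connect_default(Host, Port) ->
    _ = ssl:start(),  % result ignored: may already be started
    report(ssl:connect(Host, Port, [{active, false}], 5000)).

%% Connect offering only the anonymous suites, mirroring the mail's
%% SockOpts. verify_none is the only sensible option here, since there is
%% no certificate to verify.
connect_anon(Host, Port) ->
    _ = ssl:start(),
    Opts = [{active, false}, {verify, verify_none}, {ciphers, anon_suites()}],
    report(ssl:connect(Host, Port, Opts, 5000)).

%% Print and return the negotiated protocol version and cipher suite, and
%% whether that suite is anonymous; on failure return the error tuple.
report({ok, Sock}) ->
    {ok, {Version, Suite}} = ssl:connection_info(Sock),
    ssl:close(Sock),
    io:format("negotiated ~p ~p (anonymous: ~p)~n",
              [Version, Suite, is_anon(Suite)]),
    {ok, Version, Suite};
report({error, Reason} = Err) ->
    io:format("handshake failed: ~p~n", [Reason]),
    Err.
```

Usage from an Erlang shell: `anon_suite_check:connect_anon("nrpe-host", 5666).` should print a `{dh_anon, aes_256_cbc, sha}`-style suite when the server accepts ADH, whereas `connect_default/2` against the same server shows the handshake failure seen in the thread. The `is_anon/1` check is the piece a defender would keep around: any monitoring client that accepts an anonymous suite has no assurance about who is on the other end.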
