[erlang-questions] dh_anon SSL connection failed

Alexander Hudich
Mon Jan 16 19:13:15 CET 2012

Hi, Ingela!

>> This is kind of excerpt from check_nrpe code which connects just fine:
>> SSL_CTX_set_options(ctx,SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
>> /* do SSL handshake */
>> if(result==STATE_OK && use_ssl==TRUE){
>>  if((ssl=SSL_new(ctx))!=NULL){
>>    SSL_CTX_set_cipher_list(ctx,"ADH");
>>    SSL_set_fd(ssl,sd);
>>    rc=SSL_connect(ssl);
>>  }
>> }

> What cipher suite and SSL/TLS-protocol version will this code end up

I do not have very much experience developing with SSL connections, so I
don't know if I've done it right. I added this line after SSL_connect to get
current information about the established SSL connection in check_nrpe:

printf("CIPHER %s %s\n", SSL_CIPHER_get_name(SSL_get_current_cipher(ssl)),
       SSL_CIPHER_get_version(SSL_get_current_cipher(ssl)));

And it gives:


Also, I tried changing the SSLv23_client_method() call to
SSLv3_client_method(), and that gave a very interesting result:

CHECK_NRPE: Error - Could not complete SSL handshake.
36071:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake
failure:s3_pkt.c:1102:SSL alert number 40

That looks pretty similar to the result that the Erlang ssl:connect call
returns.

>> Erlang R16B (erts-5.10) [source] [64-bit] [smp:1:1] [async-threads:0] 
>> [hipe] [kernel-poll:false]
>> 5> SockOpts.
>> [{active,false},
>> {ssl_imp,old},

> This is not a relevant option after R15B (it will always be new even if
> you write old).

Yes I know that, it was just an act of despair :)

>> {verify,verify_none},
>> {ciphers,[{dh_anon,rc4_128,md5},
>>            {dh_anon,des_cbc,sha},
>>            {dh_anon,'3des_ede_cbc',sha},
>>            {dh_anon,aes_128_cbc,sha},
>>            {dh_anon,aes_256_cbc,sha}]}]
>> 6> ssl:connect( Ip, 5666, SockOpts, infinity).
>> =ERROR REPORT==== 16-Jan-2012::12:49:23 ===
>> SSL: hello: ssl_handshake.erl:885:Fatal error: handshake failure
>> {error,esslconnect}
>> What do you think is it possible to make this type of connection in
>> What else can I try or is it a bug?

> Our test cases for anonymous suites work just fine. Have you tried
> running the test case anonymous_cipher_suites in ssl_basic_SUITE?

How can I do that?

> Servers will normally not support anonymous cipher suites and we include
> them only for test purposes and they may only be used if explicitly

I thought that I explicitly requested those anonymous ciphers by supplying
them in the connection options. Or is there something else I should

>Regards Ingela Erlang/OTP team - Ericsson AB
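
Added example, not part of the original thread and not code from check_nrpe or Erlang/OTP: when two clients behave differently against the same server, as above, comparing the ClientHello each one sends shows the protocol version and cipher suites it actually offers. The sketch parses a ClientHello held in a single TLS record and reports which of the five dh_anon suites from the ciphers option it contains; the function names, the code-point table and the sample bytes are constructed for illustration.

```python
import struct

# IANA code points for the five dh_anon suites in the ciphers option above.
ANON_DH = {
    0x0018: "TLS_DH_anon_WITH_RC4_128_MD5",
    0x001A: "TLS_DH_anon_WITH_DES_CBC_SHA",
    0x001B: "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA",
    0x0034: "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    0x003A: "TLS_DH_anon_WITH_AES_256_CBC_SHA",
}
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}

def parse_client_hello(record):
    """Return (client_version, offered suite ids) from one TLS handshake record."""
    if len(record) < 9:
        raise ValueError("truncated record")
    ctype, _rec_ver, rec_len = struct.unpack_from("!BHH", record, 0)
    if ctype != 0x16 or len(record) < 5 + rec_len:
        raise ValueError("not a complete handshake record")
    if record[5] != 0x01:
        raise ValueError("handshake message is not a ClientHello")
    body_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + body_len]
    if len(body) != body_len or body_len < 35:
        raise ValueError("truncated ClientHello")
    # Skip client_version (2), random (32) and the variable-length session_id.
    pos = 34 + 1 + body[34]
    raw_len = int.from_bytes(body[pos:pos + 2], "big")
    raw = body[pos + 2:pos + 2 + raw_len]
    if pos + 2 > body_len or raw_len % 2 or len(raw) != raw_len:
        raise ValueError("bad cipher_suites vector")
    suites = [int.from_bytes(raw[i:i + 2], "big") for i in range(0, raw_len, 2)]
    version = int.from_bytes(body[:2], "big")
    return VERSIONS.get(version, hex(version)), suites

def anonymous_offered(record):
    """Return (client_version, names of unauthenticated dh_anon suites offered)."""
    version, suites = parse_client_hello(record)
    return version, [ANON_DH[s] for s in suites if s in ANON_DH]

def build_sample():
    """Constructed TLSv1.0 ClientHello: five dh_anon suites plus RSA/AES-128 (0x002F)."""
    suites = bytes.fromhex("0018001a001b0034003a002f")
    body = (b"\x03\x01" + bytes(32) + b"\x00"
            + len(suites).to_bytes(2, "big") + suites + b"\x01\x00")
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs

if __name__ == "__main__":
    print(anonymous_offered(build_sample()))
```

The input is the first record a client sends, taken from a packet capture of each client; a ClientHello split across several records is outside what this sketch handles.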
