[erlang-questions] dh_anon SSL connection failed

Alexander Hudich alttagil@REDACTED
Mon Jan 16 22:12:59 CET 2012


Hi, Ingela!

Also, here is the output of
#openssl s_client -connect ipaddress:5666 -state -debug -no_ssl2 -cipher ADH

Maybe it'll help to figure out what happens:

CONNECTED(00000003)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 445 bytes and written 205 bytes
---
New, TLSv1/SSLv3, Cipher is ADH-AES256-SHA
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ADH-AES256-SHA
    Session-ID: 4BAD14D397EC13B0F89F2B5ED3F075F2578BDBD9CBA19D8C030DA7637ED2064E
    Session-ID-ctx: 
    Master-Key: 4223A49C4792971D7C27819D47373B1871F0CF9E0BBC34FAAEBA97A4EBC7F2C365AE82213BD84516C0446CE0ECF4B5AA
    Key-Arg   : None
    Compression: 1 (zlib compression)
    Start Time: 1326748187
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)


-----Original Message-----

Hi, Ingela!

>> This is a kind of excerpt from the check_nrpe code, which connects just fine:
>>
>>SSL_library_init();
>>SSLeay_add_ssl_algorithms();
>>meth=SSLv23_client_method();
>>SSL_load_error_strings();
>>ctx=SSL_CTX_new(meth);
>>SSL_CTX_set_options(ctx,SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
>>result=my_tcp_connect(server_name,server_port,&sd);
>>
>> /* do SSL handshake */
>>
>> if(result==STATE_OK && use_ssl==TRUE){
>>  if((ssl=SSL_new(ctx))!=NULL){
>>    SSL_CTX_set_cipher_list(ctx,"ADH");
>>    SSL_set_fd(ssl,sd);
>>    rc=SSL_connect(ssl);
>>  }
>>}

> What cipher suite and SSL/TLS-protocol version will this code end up using?


I don't have very much experience in development using SSL connections,
so I don't know if I've done it right. I added this line after SSL_connect
to get current information about the established SSL connection in check_nrpe:

printf( "CIPHER %s %s\n",
        SSL_CIPHER_get_name( SSL_get_current_cipher(ssl) ),
        SSL_CIPHER_get_version( SSL_get_current_cipher(ssl) ) );

And it gives:

CIPHER ADH-AES256-SHA TLSv1/SSLv3

Also, I tried changing the SSLv23_client_method() call to SSLv3_client_method().
And that gave a very interesting result:

CHECK_NRPE: Error - Could not complete SSL handshake.
SSL_connect=0
36071:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1102:SSL alert number 40

That looks pretty similar to the result that the Erlang ssl:connect call
returns.




>> Erlang R16B (erts-5.10) [source] [64-bit] [smp:1:1] [async-threads:0] 
>> [hipe] [kernel-poll:false]
>> 5> SockOpts.
>> [{active,false},
>> {ssl_imp,old},


> This is not a relevant option after R15B (it will always be new even if you write old).

Yes I know that, it was just an act of despair :)



>> {verify,verify_none},
>> {ciphers,[{dh_anon,rc4_128,md5},
>>            {dh_anon,des_cbc,sha},
>>            {dh_anon,'3des_ede_cbc',sha},
>>            {dh_anon,aes_128_cbc,sha},
>>            {dh_anon,aes_256_cbc,sha}]}]
>>
>> 6> ssl:connect( Ip, 5666, SockOpts, infinity).
>>
>> =ERROR REPORT==== 16-Jan-2012::12:49:23 ===
>> SSL: hello: ssl_handshake.erl:885:Fatal error: handshake failure
>> {error,esslconnect}
>> What do you think, is it possible to make this type of connection in Erlang?
>> What else can I try or is it a bug?

> Our test cases for anonymous suites work just fine. Have you tried running the test case anonymous_cipher_suites in ssl_basic_SUITE?

How can I do that?



> Servers will normally not support anonymous cipher suites and we include them only for test purposes and they may only be used if explicitly supplied.

I thought that I had explicitly specified the use of those anonymous ciphers
by supplying them in the connection options. Or is there something else I
should do?


>Regards Ingela Erlang/OTP team - Ericsson AB
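
The message above describes two outcomes: a ServerHello that selects an anonymous DH suite on TLSv1, and a fatal alert 40 when the client insists on SSLv3. The following decoder for the first record a server sends back tells them apart. It is an added example, not code from the original post, check_nrpe or Erlang/OTP; the function name and both byte strings are constructed for illustration.

```python
import struct

VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
# IANA code points of the five dh_anon suites in the Erlang ciphers option above.
ANON_DH = {
    0x0018: "TLS_DH_anon_WITH_RC4_128_MD5",
    0x001A: "TLS_DH_anon_WITH_DES_CBC_SHA",
    0x001B: "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA",
    0x0034: "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    0x003A: "TLS_DH_anon_WITH_AES_256_CBC_SHA",
}
ALERTS = {40: "handshake_failure", 70: "protocol_version", 71: "insufficient_security"}


def version_name(major, minor):
    return VERSIONS.get((major, minor), f"{major}.{minor}")


def describe_first_reply(data: bytes) -> dict:
    """Decode the first TLS record a server returns after the ClientHello."""
    if len(data) < 5:
        raise ValueError("truncated record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated record body")
    out = {"record_version": version_name(major, minor)}
    if ctype == 21 and length == 2:  # alert record: level, description
        out.update(kind="alert", level="fatal" if body[0] == 2 else "warning",
                   description=ALERTS.get(body[1], str(body[1])))
        return out
    if ctype != 22 or length < 4 or body[0] != 2:
        raise ValueError("neither an alert nor a ServerHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    # Layout: version(2) random(32) session_id_len(1) session_id cipher(2) compression(1)
    if len(hello) < 35 or len(hello) < 35 + hello[34] + 3:
        raise ValueError("truncated ServerHello")
    off = 35 + hello[34]
    suite = int.from_bytes(hello[off:off + 2], "big")
    out.update(kind="server_hello", version=version_name(hello[0], hello[1]),
               cipher_suite=ANON_DH.get(suite, f"0x{suite:04X}"),
               anonymous=suite in ANON_DH, compression=hello[off + 2])
    return out

# Constructed samples (not captured traffic): zero random, empty session id.
SAMPLE_HELLO = bytes.fromhex("160301002a 02000026 0301" + "00" * 33 + "003a 01")
SAMPLE_ALERT = bytes.fromhex("15030000020228")  # fatal alert 40 in an SSLv3 record
```
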




