[erlang-questions] ssl timing issue in R15B?

Lukas P <>
Tue Mar 27 13:51:20 CEST 2012


Many thanks for your help, Ingela!  It works now reliably.

Best regards, Lukas

Dne 26. března 2012 15:16 Ingela Andin <> napsal(a):
> Hi!
>
> The problem is that your server and client needs to agree to upgrade
> to SSL/TLS and your client may not start the handshake until the
> server is ready to receive it. If you have a erlang-server this will
> be when you have set your tcp-socket in passive mode.
> When your server has set its socket in passive mode, you can ack to
> the client that it is ready to start and then call ssl:ssl_accept with
> the socket.
> Otherwhise a quick clients  handshake may arrive to the inet driver
> and be processed with socket options that the ssl-application has no
> controll over. This may, depending on timing, result in that the
> ssl-connection process recives data on an unexpected format. It could
> also lead to that the some other process receives the handshake data
> and if you are lucky it may work as expected ;)
>
>
> Regards Ingela Erlang/OTP team - Ericsson AB
>
>
> 2012/3/26 Lukas P <>:
>> Dne 23. března 2012 18:16 Attila Rajmund Nohl
>> <> napsal(a):
>>> 2012/3/23 Lukas P <>:
>>>> Hello.
>>>>
>>>> I think that I have been hit by a SSL timing issue in R15B. My
>>>> functional test (= SSL/TCP client) crahes my server unless the test
>>>> contains a sleep.
>>>>
>>>> The tested server implements a TCP based, line oriented protocol.
>>>> Switch to SSL can be started with a "STARTTLS\r\n" command.
>>>>
>>>> The functional test starts a TCP connection and upgrades it to SSL:
>>>>
>>>> upgrade_connection_to_ssl(Socket) ->
>>>>    SendResult = gen_tcp:send(Socket, "STARTTLS\r\n"),
>>>>    %timer:sleep(10), % workaround for a SSL timing bug
>>>>    SslConnectResult = case SendResult of
>>>>        ok ->
>>>>            ssl:connect(Socket, [{active, false}, {packet, line}, list], 2000);
>>>>        {error, Reason1} ->
>>>>            {error, Reason1}
>>>>    end,
>>>>    ...
>>>>
>>>> After the server receives "STARTTLS\r\n", it performs ssl:ssl_accept
>>>> on the socket:
>>>>
>>>>    inet:setopts(Socket, [{active, false}]),
>>>
>>> Don't you need a {reuseaddr, true} option here? The default is false.
>>
>> Unfortunately not, the tcp socket is already connected.
>>
>> When you look at the walkback, you can see that there is definitely a
>> bug in ssl_record:get_tls_records_aux/2 (erlang:size/1 must not be
>> used on a list).
>>
>> Lukas
>> _______________________________________________
>> erlang-questions mailing list
>> 
>> http://erlang.org/mailman/listinfo/erlang-questions



More information about the erlang-questions mailing list