[erlang-questions] SSL crashes while decoding alert.

Ingela Andin ingela.andin@REDACTED
Fri Apr 11 22:18:47 CEST 2014


Hi!

After some private discussions (should have been more suspicious of the
link ;)) I think we found a bug related to warning alerts that just happens
to manifest itself on the alert 112 that was missing from the
SNI-contribution, and that I just added to 17.  So the following patch, if
proven correct, will be included for 17.1  (Makes the last clause of
handle_alert - handle all not previously matched warning alerts.)

diff --git a/lib/ssl/src/tls_connection.erl b/lib/ssl/src/tls_connection.erl
index ffa04ee..0946a47 100644
--- a/lib/ssl/src/tls_connection.erl
+++ b/lib/ssl/src/tls_connection.erl

@@ -859,7 +859,7 @@ handle_alert(#alert{level = ?WARNING, description =
?NO_RENE

     {Record, State} = next_record(State0),

     next_state(StateName, connection, Record, State);



-handle_alert(#alert{level = ?WARNING, description = ?USER_CANCELED} =
Alert, St

+handle_alert(#alert{level = ?WARNING} = Alert, StateName,
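Review bot: The new head `+handle_alert(#alert{level = ?WARNING} = Alert, StateName,` matches every warning-level alert, so this clause must stay the last warning clause in handle_alert: any more specific `?WARNING` clause placed after it would be unreachable, and the ordering should be checked against the `?NO_RENE...` clause visible in the hunk header. The body is reused unchanged from the former `?USER_CANCELED` clause, so confirm it still passes `Alert` to the logging call (as `log_alert(SslOpts#ssl_options.log_alert, StateName, Alert)` in the clause proposed earlier in this thread does), so that an unexpected warning such as 112 is recorded rather than silently swallowed.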


Regards Ingela Erlang/OTP team - Ericsson AB


2014-04-11 17:18 GMT+02:00 Ingela Andin <ingela.andin@REDACTED>:

>
> Hi!
>
> This is what happens when I do what you say you do.
>
> Erlang/OTP 17 [erts-6.0] [source-fa45816] [64-bit] [smp:8:8]
> [async-threads:10] [hipe] [kernel-poll:false]
>
>
> Eshell V6.0  (abort with ^G)
> 1>  inets:start().
> ok
> 2>  ssl:start().
> ok
> 3> httpc:request("https://somewhere.com").
> {ok,{{"HTTP/1.1",200,"OK"},
>      [{"cache-control","max-age=0, private, must-revalidate"},
>       {"connection","keep-alive"},
>       {"date","Fri, 11 Apr 2014 15:03:08 GMT"},
>       {"etag","\"abf551bf9c340cc2649822f9e27e82ff\""},
>       {"vary","Accept-Encoding"},
>       {"content-length","41024"},
>       {"content-type","text/html; charset=utf-8"},
>       {"last-modified","Thu, 30 Jan 2014 17:12:43 GMT"},
>       {"access-control-allow-methods","POST, GET, OPTIONS"},
>       {"access-control-allow-origin","*"},
>       {"access-control-max-age","1728000"},
>       {"set-cookie",
>        "_session_id=613ae6fdb421a8eb1cbc1d43509c4d53; path=/; expires=Fri,
> 18-Apr-2014 15:03:08 GMT; HttpOnly"},
>       {"status","200 OK"},
>       {"x-rack-cache","miss"},
>       {"x-request-id","9b2a35c1-f4c8-47fa-bcdc-e7f80090fe72"},
>       {"x-runtime","1.182360"},
>       {"x-ua-compatible","IE=Edge,chrome=1"}],
>      [60,33,68,79,67,84,89,80,69,32,104,116,109,108,62,60,104,
>       116,109,108,62,60,104,101|...]}}
>
> Regards Ingela Erlang/OTP team - Ericsson AB
>
>
> 2014-04-11 16:53 GMT+02:00 atul atri <atulatri2004@REDACTED>:
>
>> Hi Ingela,
>>
>> I just tested this issue with erlang 17. This issue is not fixed.
>>
>> =============
>> [root@REDACTED otp_src_17.0]# erl
>> Erlang/OTP 17 [erts-6.0] [source] [64-bit] [smp:4:4] [async-threads:10]
>> [hipe] [kernel-poll:false]
>>
>> Eshell V6.0  (abort with ^G)
>> 1> inets:start().
>> ok
>> 2> ssl:start().
>> ok
>> 3> httpc:request("https://somewhere.com").
>>
>> {error,{failed_connect,[{to_address,{"somewhere.com",
>>                                      443}},
>>                         {inet,[inet],
>>
>> {eoptions,{{function_clause,[{tls_connection,handle_alert,
>>
>> [{alert,1,112,{"tls_connection.erl",375}},
>>
>> hello,
>>
>> {state,client,
>>
>> {#Ref<0.0.0.63>,<0.57.0>},
>>
>> gen_tcp,tls_connection,tcp,tcp_closed,tcp_error,...}],
>>
>> [{file,"tls_connection.erl"},{line,836}]},
>>
>> {tls_connection,handle_alerts,2,
>>
>> [{file,"tls_connection.erl"},{line,834}]},
>>
>> {gen_fsm,handle_msg,7,[{file,"gen_fsm.erl"},{line,503}]},
>>
>>
>> {proc_lib,init_p_do_apply,3,
>>
>> [{file,"proc_lib.erl"},{line,239}]}]},
>>
>> {gen_fsm,sync_send_all_state_event,
>>
>> [<0.61.0>,{start,infinity},infinity]}}}}]}}
>> =================
>>
>> Server sends alert warning 112 (unrecognized_name), but
>> tls_connection.erl has no function to handle this alert. ssl_alert.hrl does
>> mention this alert.
>>
>> I also found
>> http://stackoverflow.com/questions/7615645/ssl-handshake-alert-unrecognized-name-error-since-upgrade-to-java-1-7-0.
>> Java 1.7 is also behaving kind of the same. I have not tested it myself though. As
>> the first answer mentions, most choose to ignore server alert warning 112
>> (unrecognized_name). Erlang/OTP should also consider ignoring it. This
>> thread mentions that we can disable SNI in Java 1.7.  Do we have a similar
>> option in Erlang/OTP? Is disabling SNI the right choice?
>>
>> Adding following function in tls_connection.erl solves the problem:
>> =========
>> handle_alert(#alert{level = ?WARNING, description = ?UNRECOGNISED_NAME} =
>> Alert, StateName,
>> #state{ssl_options = SslOpts} = State0) ->
>>     log_alert(SslOpts#ssl_options.log_alert, StateName, Alert),
>>     {Record, State} = next_record(State0),
>>     next_state(StateName, StateName, Record, State).
>> ===========
>>
>> This issue was supposed to be fixed in
>> https://github.com/erlang/otp/commit/d18e7b25a17a0c62c0beddc81f23b1dea18b7ef4.
>> But it seems like you forgot to commit the changes in file tls_connection.erl.
>>
>> Waiting for your kind reply to sort out this issue asap.
>>
>> Thanks & Regards,
>> Atul Atri.
>>
>>
>>
>>
>>
>> On Fri, Apr 4, 2014 at 7:10 PM, Ingela Andin <ingela.andin@REDACTED>wrote:
>>
>>> Hi!
>>>
>>> This is fixed in the latest version 17.0 (coming soon) or check the master
>>> branch on GitHub.
>>>
>>> Regards Ingela Erlang/OTP team - Ericsson AB
>>>
>>>
>>> 2014-04-04 10:33 GMT+02:00 atul atri <atulatri2004@REDACTED>:
>>>
>>>>  Hi,
>>>>
>>>> I am using httpc to connect to a website that is using an invalid
>>>> certificate. But it is crashing during the SSL handshake.
>>>>
>>>> ======
>>>> 7> httpc:request(post, {"https://somewhere.com", [],
>>>> "application/x-www-form-urlencoded", ""}, [{ssl, [{verify, verify_none}]}],
>>>> []).                               {error,{failed_connect,[{to_address,{"
>>>> somewhere.com",
>>>>                                      443}},
>>>>                         {inet,[inet],
>>>>
>>>> {eoptions,{{function_clause,[{tls_connection,handle_alert,
>>>>
>>>> [{alert,1,112,{"tls_connection.erl",375}},
>>>>
>>>> hello,
>>>>
>>>> {state,client,
>>>>
>>>> {#Ref<0.0.0.137>,<0.74.0>},
>>>>
>>>> gen_tcp,tls_connection,tcp,tcp_closed,tcp_error,...}],
>>>>
>>>> [{file,"tls_connection.erl"},{line,834}]},
>>>>
>>>> {tls_connection,handle_alerts,2,
>>>>
>>>> [{file,"tls_connection.erl"},{line,832}]},
>>>>
>>>> {gen_fsm,handle_msg,7,[{file,"gen_fsm.erl"},{line,505}]},
>>>>
>>>> {proc_lib,init_p_do_apply,3,
>>>>
>>>> [{file,"proc_lib.erl"},{line,239}]}]},
>>>>
>>>> {gen_fsm,sync_send_all_state_event,
>>>>
>>>> [<0.75.0>,{start,infinity},infinity]}}}}]}}
>>>> =======
>>>>
>>>> I am able to browse website in Firefox.
>>>>
>>>> My Erlang version is
>>>> ====
>>>> [root@REDACTED ~]# erl
>>>> Erlang R16B03-1 (erts-5.10.4) [source] [64-bit] [smp:2:2]
>>>> [async-threads:10] [hipe] [kernel-poll:false]
>>>>
>>>> Eshell V5.10.4  (abort with ^G)
>>>> ====
>>>>
>>>> I googled it and it looks like something related to
>>>> http://permalink.gmane.org/gmane.comp.lang.erlang.bugs/4302.
>>>>
>>>> Any help to fix or work around this is much appreciated.
>>>>
>>>> Thanks & Regards,
>>>> Atul Atri.
>>>>
>>>>
>>>> _______________________________________________
>>>> erlang-questions mailing list
>>>> erlang-questions@REDACTED
>>>> http://erlang.org/mailman/listinfo/erlang-questions
>>>>
>>>>
>>>
>>
>
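To illustrate the point behind the patch at the top of this thread (a warning-level alert such as 112 unrecognized_name should be logged and the handshake continued, rather than ending in a function_clause crash), here is an added Python sketch that is not part of OTP or of anyone's mail in this thread. It parses a TLS alert record and dispatches it with fatal alerts first, specific warnings next, and a catch-all for any other warning. The record bytes, the state names and the `process_record` helper are constructed for the illustration.

```python
import logging
import struct

# TLS alert record layout (RFC 5246): content type 21, then a 2-byte body.
ALERT_CONTENT_TYPE = 21
WARNING, FATAL = 1, 2
CLOSE_NOTIFY, NO_RENEGOTIATION = 0, 100
UNRECOGNIZED_NAME = 112  # SNI warning some servers send (RFC 6066)

log = logging.getLogger("tls_alert_demo")

def parse_alert_record(record: bytes) -> tuple:
    """Parse one TLS record and return (level, description) of the alert inside."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _major, _minor, length = struct.unpack("!BBBH", record[:5])
    if ctype != ALERT_CONTENT_TYPE:
        raise ValueError(f"not an alert record: content type {ctype}")
    body = record[5:5 + length]
    if length != 2 or len(body) != 2:
        raise ValueError("alert body must be exactly 2 bytes")
    return body[0], body[1]

def handle_alert(level: int, description: int, state: str) -> str:
    """Dispatch in the order the patch relies on: fatal alerts abort, specific
    warnings get their own case, and a catch-all accepts any other warning.
    Returns the next state instead of failing with no matching clause."""
    if level == FATAL:
        return "closed"
    if level == WARNING and description == CLOSE_NOTIFY:
        return "closed"  # peer is shutting down cleanly
    if level == WARNING and description == NO_RENEGOTIATION:
        return "connection"
    if level == WARNING:
        # Catch-all: log the description so e.g. 112 stays visible, then
        # stay in the current state (e.g. "hello") and keep handshaking.
        log.warning("ignoring warning alert %d in state %s", description, state)
        return state
    raise ValueError(f"unknown alert level {level}")

def process_record(record: bytes, state: str) -> str:
    """Constructed helper tying the parser and the dispatcher together."""
    level, description = parse_alert_record(record)
    return handle_alert(level, description, state)

# Constructed sample: TLS 1.2 alert record carrying warning(1)/unrecognized_name(112).
SAMPLE_ALERT_112 = bytes([21, 3, 3, 0, 2, WARNING, UNRECOGNIZED_NAME])
```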