[erlang-questions] Making SSL fail silently

Danil Zagoskin z@REDACTED
Sun Mar 9 14:44:10 CET 2014


I've investigated this case a bit and it seems to me that ECC handshake
implementation has a bug:
As fas as I understand RFC 4492 (
https://tools.ietf.org/html/rfc4492#section-5.1), it tells that it's OK for
server to not support all curves supported by client if there are enough
curves supported by both of them.
So if I'm correct, the tls_v1:enum_to_oid/1 function should have a default
clause returning some magic value ('unsupported_curve' ?) which should be
filtered out from EllipticCurves list in ?ELLIPTIC_CURVES_EXT clause of
ssl_handshake:dec_hello_extensions/2 (line 1654).

I hope to fix it today.


2014-03-09 1:49 GMT+04:00 Ingela Andin <ingela.andin@REDACTED>:

> Hi!
>
> 2014-03-07 11:14 GMT+01:00 Danil Zagoskin <z@REDACTED>:
>
> Thank you!
>>
>> May I help you? Test case, pull request, etc?
>>
>>
> You are always welcome to make a pull request which, if you follow the
> guide lines, should include a test case.
>
>
> Regards Ingela Erlang/OTP team - Ericsson AB
>
>
>
>>
>> 2014-03-07 1:39 GMT+04:00 Ingela Andin <ingela.andin@REDACTED>:
>>
>>> Hi!
>>>
>>> 2014-03-06 11:50 GMT+01:00 Danil Zagoskin <z@REDACTED>:
>>>
>>> Hello!
>>>>
>>>> My application is listening SSL port
>>>> using ssl:listen, ssl:transport_accept and ssl:ssl_accept (indeed it uses
>>>> some old patched mochiweb).
>>>> Erlang/OTP release is R16B02.
>>>> I use SASL for error logging.
>>>>
>>>> Due to existence of network scanners, network errors and buggy clients
>>>> some of connections fail to negotiate. This leads to two kind of log
>>>> entries:
>>>>   1. "insufficient security", etc.
>>>>   2. Crash reports due to a function_clause error
>>>> in tls_v1:enum_to_oid(0) (this may be not the only one, but definitely the
>>>> most popular)
>>>>
>>>> First one seems to be fixed by {log_alert, false} ssl option.
>>>> Second one keeps flooding logs with huge state printouts.
>>>>
>>>> So, my question is: How to make all SSL-related troubles not to
>>>> generate error reports? Simple {error, handshake_failed} returned by one of
>>>> accepting functions would be enough.
>>>>
>>>>
>>>>
>>>
>>>
>>> The first option should logically be enough. I think the problem is that
>>> tls_v1:enum_to_oid
>>>  should have a try and throw a handshake alert if it fails or be
>>> ignored, depending on situation, i.e. be an expected error instead of an
>>> unexpected error.  I will create an issue to handle that.
>>>
>>> Regards Ingela  Erlang/OTP team - Ericsson AB
>>>
>>> _______________________________________________
>>> erlang-questions mailing list
>>> erlang-questions@REDACTED
>>> http://erlang.org/mailman/listinfo/erlang-questions
>>>
>>>
>>
>>
>> --
>> ---------------------------------------------
>> Данил Загоскин | +7 906 064 20 47 | z@REDACTED
>>
>
>


-- 
---------------------------------------------
Данил Загоскин | +7 906 064 20 47 | z@REDACTED
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20140309/ffbcaff6/attachment.htm>


More information about the erlang-questions mailing list