[erlang-questions] Making SSL fail silently

Andreas Schultz <>
Sun Mar 9 17:11:15 CET 2014


Hi,

----- Original Message -----
> I've investigated this case a bit and it seems to me that ECC handshake
> implementation has a bug:
> As far as I understand RFC 4492 (
> https://tools.ietf.org/html/rfc4492#section-5.1 ), it tells that it's OK for
> server to not support all curves supported by client if there are enough
> curves supported by both of them.
> So if I'm correct, the tls_v1:enum_to_oid/1 function should have a default
> clause returning some magic value ('unsupported_curve' ?) which should be
> filtered out from EllipticCurves list in ?ELLIPTIC_CURVES_EXT clause of
> ssl_handshake:dec_hello_extensions/2 (line 1654).

There have been several changes that went into R16B03 and R17 concerning
the curve selection. Did you check if your problem also occurs with those
releases?

Andreas

> 
> I hope to fix it today.
> 
> 
> 2014-03-09 1:49 GMT+04:00 Ingela Andin <  > :
> 
> 
> 
> Hi!
> 
> 2014-03-07 11:14 GMT+01:00 Danil Zagoskin <  > :
> 
> Thank you!
> 
> May I help you? Test case, pull request, etc?
> 
> 
> You are always welcome to make a pull request which, if you follow the guide
> lines, should include a test case.
> 
> 
> Regards Ingela Erlang/OTP team - Ericsson AB
> 
> 2014-03-07 1:39 GMT+04:00 Ingela Andin <  > :
> 
> Hi!
> 
> 2014-03-06 11:50 GMT+01:00 Danil Zagoskin <  > :
> 
> Hello!
> 
> My application is listening on an SSL port using ssl:listen, ssl:transport_accept
> and ssl:ssl_accept (indeed it uses some old patched mochiweb).
> The Erlang/OTP release is R16B02.
> I use SASL for error logging.
> 
> Due to the existence of network scanners, network errors and buggy clients, some
> connections fail to negotiate. This leads to two kinds of log entries:
> 1. "insufficient security", etc.
> 2. Crash reports due to a function_clause error in tls_v1:enum_to_oid(0)
> (this may be not the only one, but definitely the most popular)
> 
> First one seems to be fixed by {log_alert, false} ssl option.
> Second one keeps flooding logs with huge state printouts.
> 
> So, my question is: how do I make all SSL-related troubles not generate error
> reports? A simple {error, handshake_failed} returned by one of the accepting
> functions would be enough.
> 
> 
> The first option should logically be enough. I think the problem is that
> tls_v1:enum_to_oid
> should have a try and throw a handshake alert if it fails or be ignored,
> depending on situation, i.e. be an expected error instead of an unexpected
> error. I will create an issue to handle that.
> 
> Regards Ingela Erlang/OTP team - Ericsson AB
> 
> _______________________________________________
> erlang-questions mailing list
> 
> http://erlang.org/mailman/listinfo/erlang-questions
> 
> --
> ---------------------------------------------
> Данил Загоскин | +7 906 064 20 47 | 
> 
> 

-- 
Dipl. Inform.
Andreas Schultz

email: 
phone: +49-391-819099-224
mobil: +49-170-2226073

------------------- enabling your networks -------------------

Travelping GmbH               phone:         +49-391-819099229
Roentgenstr. 13               fax:           +49-391-819099299
D-39108 Magdeburg             email:       
GERMANY                       web:   http://www.travelping.com

Company Registration: Amtsgericht Stendal Reg No.:   HRB 10578
Geschaeftsfuehrer: Holger Winkelmann | VAT ID No.: DE236673780
--------------------------------------------------------------
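The decoding behaviour Danil proposes above (a default clause in the enum-to-OID mapping, with unknown curves filtered out of the EllipticCurves list instead of crashing the connection process) can be illustrated with a small stand-alone module. This is an added example, not OTP's tls_v1 or ssl_handshake code; the module and function names are illustrative, while the NamedCurve ids and OIDs for secp256r1, secp384r1 and secp521r1 are the standard values from RFC 4492. The extension body fed to demo/0 is constructed for the example.

```erlang
%% Added example (not OTP's ssl implementation): tolerant decoding of the
%% TLS elliptic_curves extension, RFC 4492 section 5.1. A server need not
%% implement every curve the client lists; ids it does not know are dropped,
%% and only an empty intersection is a handshake failure.
-module(curve_filter).
-export([decode_elliptic_curves/1, enum_to_oid/1, demo/0]).

%% NamedCurve enum -> OID. The final clause replaces the function_clause
%% crash from the thread (tls_v1:enum_to_oid(0)) with a marker value.
enum_to_oid(23) -> {1,2,840,10045,3,1,7};   % secp256r1
enum_to_oid(24) -> {1,3,132,0,34};          % secp384r1
enum_to_oid(25) -> {1,3,132,0,35};          % secp521r1
enum_to_oid(_)  -> unsupported_curve.       % anything this side does not implement

%% Extension body on the wire: a 2-byte length followed by 2-byte ids.
%% Returns {ok, OIDs} with unknown curves removed, or an {error, _} that the
%% caller can turn into a proper handshake alert instead of a crash report.
decode_elliptic_curves(<<Len:16, Curves:Len/binary>>) when Len rem 2 =:= 0 ->
    Oids = [enum_to_oid(Id) || <<Id:16>> <= Curves],
    case [O || O <- Oids, O =/= unsupported_curve] of
        []        -> {error, no_common_curve};
        Supported -> {ok, Supported}
    end;
decode_elliptic_curves(_) ->
    {error, malformed_extension}.

demo() ->
    %% Constructed ClientHello extension body: the unknown curve id 0 seen in
    %% the thread, followed by secp256r1 (23) and secp384r1 (24).
    Body = <<6:16, 0:16, 23:16, 24:16>>,
    {ok, [{1,2,840,10045,3,1,7}, {1,3,132,0,34}]} = decode_elliptic_curves(Body),
    %% Only unknown curves: the handshake should fail with an alert, not crash.
    {error, no_common_curve} = decode_elliptic_curves(<<2:16, 0:16>>),
    %% Odd length: malformed rather than a badmatch deep in the decoder.
    {error, malformed_extension} = decode_elliptic_curves(<<3:16, 0, 23:16>>),
    ok.
```

Compile with erlc and run curve_filter:demo() in the shell; it returns ok when all three cases behave as described. The point of the marker atom rather than a thrown exception is that an unknown curve is an expected condition during hello decoding and should never surface as an unexpected error in the connection process.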
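For the accept side of Danil's question, the following is an added example (not the poster's mochiweb code and not OTP's) of an accept loop using the R16-era ssl API that treats a failed handshake as an ordinary {error, _} return and drops the connection without logging. The certificate and key file names, the 5-second handshake timeout and the placeholder serve/1 body are assumptions for the example.

```erlang
%% Added example: accept loop that swallows failed SSL handshakes.
%% {log_alert, false} silences the alert log lines ("insufficient security"
%% and friends). It cannot silence a crash *inside* the ssl connection
%% process, such as the tls_v1:enum_to_oid function_clause from the thread;
%% that is reported by the connection process itself and needs the fix in
%% OTP.
-module(silent_accept).
-export([start/1]).

start(Port) ->
    Opts = [{certfile, "server.pem"},     % placeholder paths
            {keyfile,  "server.key"},
            {reuseaddr, true},
            {log_alert, false}],
    {ok, LSock} = ssl:listen(Port, Opts),
    accept_loop(LSock).

accept_loop(LSock) ->
    case ssl:transport_accept(LSock) of
        {ok, Sock} ->
            %% Scanners, broken clients and network errors come back here
            %% as {error, Reason}; close the socket and keep accepting.
            case ssl:ssl_accept(Sock, 5000) of
                ok ->
                    Pid = spawn(fun() -> receive go -> serve(Sock) end end),
                    ok = ssl:controlling_process(Sock, Pid),
                    Pid ! go;
                {error, _Reason} ->
                    ssl:close(Sock)
            end,
            accept_loop(LSock);
        {error, _Reason} ->
            %% Transport-level accept failure (e.g. the peer went away
            %% before the TCP accept completed); just try again.
            accept_loop(LSock)
    end.

%% Placeholder for the real connection handler.
serve(Sock) ->
    ssl:send(Sock, <<"hello\n">>),
    ssl:close(Sock).
```

The handshake is done synchronously in the acceptor and the socket handed over with ssl:controlling_process/2 only after it succeeds, so a failed negotiation never reaches a handler process and never produces a crash report from this module's own code.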