[erlang-questions] SSL handshake fails

Iván Martínez ivan.martinez@REDACTED
Fri Sep 19 15:40:00 CEST 2014


I realized it's just attempting to download rebar, so I just put it in the
project folder myself and it doesn't complain anymore. Still, that's a
workaround; there is some issue. Will report it to the zotonic guys.
Thank you,
Ivan

2014-09-19 14:50 GMT+02:00 Ben Murphy <benmmurphy@REDACTED>:

> I think it is because it sends an empty server_name extension and otp
> cannot handle it.
>
>    A server that receives a client hello containing the "server_name"
>    extension MAY use the information contained in the extension to guide
>    its selection of an appropriate certificate to return to the client,
>    and/or other aspects of security policy.  In this event, the server
>    SHALL include an extension of type "server_name" in the (extended)
>    server hello.  The "extension_data" field of this extension SHALL be
>    empty.
>
>
>
> On Fri, Sep 19, 2014 at 10:00 AM, Iván Martínez
> <ivan.martinez@REDACTED> wrote:
> > Hello all,
> > I just hired a CentOS 7 server that came with very little software
> > installed. I installed Erlang 17.3 from sources, attached is output of
> the
> > configure step. Now I'm trying to install zotonic but it fails when
> trying
> > to do a SSL handshake with github, see below:
> >
> > [ivan@REDACTED zotonic]$ make
> > erl -noshell -s inets -s ssl \
> >   -eval '{ok, saved_to_file} = httpc:request(get,
> > {"https://github.com/rebar/rebar/wiki/rebar", []}, [], [{stream,
> > "./rebar"}])' \
> >   -s init stop
> > {"init terminating in
> > do_boot",{{badmatch,{error,{failed_connect,[{to_address,{"github.com
> ",443}},{inet,[inet],{eoptions,{{{badmatch,<<0
> >
> bytes>>},[{ssl_handshake,dec_hello_extensions,2,[{file,"ssl_handshake.erl"},{line,1737}]},{ssl_handshake,decode_handshake,3,[{file,"ssl_handshake.erl"},{line,926}]},{tls_handshake,get_tls_handshake_aux,3,[{file,"tls_handshake.erl"},{line,155}]},{tls_connection,next_state,4,[{file,"tls_connection.erl"},{line,433}]},{gen_fsm,handle_msg,7,[{file,"gen_fsm.erl"},{line,503}]},{proc_lib,init_p_do_apply,3,[{file,"proc_lib.erl"},{line,237}]}]},{gen_fsm,sync_send_all_state_event,[<0.54.0>,{start,infinity},infinity]}}}}]}}},[{erl_eval,expr,3,[]}]}}
> >
> > Crash dump was written to: erl_crash.dump
> > init terminating in do_boot ()
> > make: *** [rebar] Error 1
> >
> > I tried to do the handshake with openssl and apparently it works:
> >
> > [ivan@REDACTED zotonic]$ openssl s_client -host github.com -port 443
> > CONNECTED(00000003)
> > depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert
> High
> > Assurance EV Root CA
> > verify return:1
> > depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert
> SHA2
> > Extended Validation Server CA
> > verify return:1
> > depth=0 businessCategory = Private Organization,
> 1.3.6.1.4.1.311.60.2.1.3 =
> > US, 1.3.6.1.4.1.311.60.2.1.2 = Delaware, serialNumber = 5157550, street =
> > 548 4th Street, postalCode = 94107, C = US, ST = California, L = San
> > Francisco, O = "GitHub, Inc.", CN = github.com
> > verify return:1
> > ---
> > Certificate chain
> >  0 s:/businessCategory=Private
> >
> Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=5157550/street=548
> > 4th Street/postalCode=94107/C=US/ST=California/L=San Francisco/O=GitHub,
> > Inc./CN=github.com
> >    i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended
> > Validation Server CA
> >  1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended
> > Validation Server CA
> >    i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High
> Assurance EV
> > Root CA
> > ---
> > Server certificate
> > -----BEGIN CERTIFICATE-----
> > MIIF4DCCBMigAwIBAgIQDACTENIG2+M3VTWAEY3chzANBgkqhkiG9w0BAQsFADB1
> > ...
> > XX4C2NesiZcLYbc2n7B9O+63M2k=
> > -----END CERTIFICATE-----
> > subject=/businessCategory=Private
> >
> Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=5157550/street=548
> > 4th Street/postalCode=94107/C=US/ST=California/L=San Francisco/O=GitHub,
> > Inc./CN=github.com
> > issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2
> Extended
> > Validation Server CA
> > ---
> > No client certificate CA names sent
> > Server Temp Key: ECDH, prime256v1, 256 bits
> > ---
> > SSL handshake has read 3233 bytes and written 375 bytes
> > ---
> > New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
> > Server public key is 2048 bit
> > Secure Renegotiation IS supported
> > Compression: NONE
> > Expansion: NONE
> > SSL-Session:
> >     Protocol  : TLSv1.2
> >     Cipher    : ECDHE-RSA-AES128-GCM-SHA256
> >     Session-ID:
> > DDEF6E78852287351EC5B20FFDD2578F8996E7226CB883A5F1A94325048B79C6
> >     Session-ID-ctx:
> >     Master-Key:
> >
> D6C6283F463BFCD5A160E0CCE0CC8962CF944E5C98153040E4BC20466981B1622A5327C1E6BBED5F1751A049782908E5
> >     Key-Arg   : None
> >     Krb5 Principal: None
> >     PSK identity: None
> >     PSK identity hint: None
> >     Start Time: 1411113552
> >     Timeout   : 300 (sec)
> >     Verify return code: 0 (ok)
> > ---
> > closed
> >
> > What can be wrong? Thank you.
> > Ivan
> >
>
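An added example (my own code, not from this thread or from OTP) of the parsing point Ben raises: a decoder for the TLS hello `extensions` vector that accepts the empty `server_name` body a server hello carries per RFC 6066, next to a strict mode that rejects it the way the `badmatch` on `<<0 bytes>>` in the trace does. The byte strings below are constructed, not captured from github.com.

```python
import struct

SERVER_NAME = 0x0000          # RFC 6066 server_name extension type
RENEGOTIATION_INFO = 0xFF01   # RFC 5746, used here as a second extension

# Constructed server hello extensions: total length 9, then
# server_name with EMPTY extension_data and renegotiation_info {0x00}.
SERVER_HELLO_EXTS = b"\x00\x09" + b"\x00\x00\x00\x00" + b"\xff\x01\x00\x01\x00"
# Constructed client hello extensions: server_name carrying "github.com".
CLIENT_HELLO_EXTS = (b"\x00\x13" + b"\x00\x00\x00\x0f"
                     + b"\x00\x0d" + b"\x00" + b"\x00\x0a" + b"github.com")


def decode_server_name(data, allow_empty):
    """Decode ServerNameList; an empty body is legal in a server hello."""
    if len(data) == 0:
        if allow_empty:
            return []
        # Mirrors a decoder that insists on a non-empty ServerNameList.
        raise ValueError("badmatch: server_name extension_data is empty")
    (list_len,) = struct.unpack("!H", data[:2])
    if 2 + list_len != len(data):
        raise ValueError("bad ServerNameList length")
    names, pos = [], 2
    while pos < len(data):
        name_type = data[pos]
        (name_len,) = struct.unpack("!H", data[pos + 1:pos + 3])
        name = data[pos + 3:pos + 3 + name_len]
        if len(name) != name_len:
            raise ValueError("truncated HostName")
        if name_type == 0:  # host_name
            names.append(name.decode("ascii"))
        pos += 3 + name_len
    return names


def parse_extensions(blob, allow_empty_server_name=True):
    """Parse 2-byte length + (type:2, length:2, data) records into a dict."""
    (total,) = struct.unpack("!H", blob[:2])
    body = blob[2:2 + total]
    if len(body) != total:
        raise ValueError("truncated extensions vector")
    exts, pos = {}, 0
    while pos < len(body):
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_len]
        if len(data) != ext_len:
            raise ValueError("truncated extension_data")
        pos += 4 + ext_len
        if ext_type in exts:
            raise ValueError("duplicate extension")
        exts[ext_type] = (decode_server_name(data, allow_empty_server_name)
                          if ext_type == SERVER_NAME else data)
    return exts
```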