[erlang-questions] SSL handshake fails
Daniel Abrahamsson
daniel.abrahamsson@REDACTED
Wed Sep 24 11:43:13 CEST 2014
Got exactly the same error for some of our connections after upgrading from
R16B03 to 17.3.
Will this patch be included with the next stable release on the 17.x branch?
//Daniel
On Tue, Sep 23, 2014 at 2:29 PM, Ingela Andin <ingela.andin@REDACTED>
wrote:
> Hi!
>
> After some investigation I have concluded that the server may send an
> SNI-extension, and that if it does so, it shall be empty.
>
> "In this event, the
> server SHALL include an extension of type "server_name" in the
> (extended) server hello. The "extension_data" field of this
> extension SHALL be empty."
>
>
> I do not really see the point in including an empty SNI-extension on the
> server side, but as the RFC says so here comes a patch to handle it.
>
> diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
> index 22673e4..eee33ef 100644
> --- a/lib/ssl/src/ssl_handshake.erl
> +++ b/lib/ssl/src/ssl_handshake.erl
> @@ -1732,6 +1732,9 @@
> dec_hello_extensions(<<?UINT16(?EC_POINT_FORMATS_EXT), ?UINT16(Len),
> #ec_point_formats{ec_point_format_list =
> ECPointFormats}});
>
> +dec_hello_extensions(<<?UINT16(?SNI_EXT), ?UINT16(Len), Rest/binary>>,
> Acc) when Len == 0 ->
> + dec_hello_extensions(Rest, Acc#hello_extensions{sni = ""}); %% Server
> may send an empy SNI
> +
> dec_hello_extensions(<<?UINT16(?SNI_EXT), ?UINT16(Len),
> ExtData:Len/binary, Rest/binary>>, Acc) ->
> <<?UINT16(_), NameList/binary>> = ExtData,
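Review bot: the new clause binds `Len` only to test it in `when Len == 0`; matching the zero length directly in the pattern, `dec_hello_extensions(<<?UINT16(?SNI_EXT), ?UINT16(0), Rest/binary>>, Acc) ->`, says the same thing without the guard. The trailing comment on the added line has a typo (`empy`). The unchanged clause below still does an unconditional `<<?UINT16(_), NameList/binary>> = ExtData`, so a server_name extension whose `Len` is 1 would badmatch exactly as the empty one did before this patch; turning that into a decode failure reported as a TLS alert rather than a crash of the connection process would make the decoder robust against malformed peers, not just RFC-conforming ones.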
>
>
> Regards Ingela Erlang/OTP Team - Ericsson AB
>
>
>
> 2014-09-19 11:00 GMT+02:00 Iván Martínez <ivan.martinez@REDACTED>:
>
>> Hello all,
>> I just hired a CentOS 7 server that came with very little software
>> installed. I installed Erlang 17.3 from sources, attached is output of the
>> configure step. Now I'm trying to install zotonic but it fails when trying
>> to do an SSL handshake with github, see below:
>>
>> [ivan@REDACTED zotonic]$ make
>> erl -noshell -s inets -s ssl \
>> -eval '{ok, saved_to_file} = httpc:request(get, {"
>> https://github.com/rebar/rebar/wiki/rebar", []}, [], [{stream,
>> "./rebar"}])' \
>> -s init stop
>> {"init terminating in
>> do_boot",{{badmatch,{error,{failed_connect,[{to_address,{"github.com",443}},{inet,[inet],{eoptions,{{{badmatch,<<0
>> bytes>>},[{ssl_handshake,dec_hello_extensions,2,[{file,"ssl_handshake.erl"},{line,1737}]},{ssl_handshake,decode_handshake,3,[{file,"ssl_handshake.erl"},{line,926}]},{tls_handshake,get_tls_handshake_aux,3,[{file,"tls_handshake.erl"},{line,155}]},{tls_connection,next_state,4,[{file,"tls_connection.erl"},{line,433}]},{gen_fsm,handle_msg,7,[{file,"gen_fsm.erl"},{line,503}]},{proc_lib,init_p_do_apply,3,[{file,"proc_lib.erl"},{line,237}]}]},{gen_fsm,sync_send_all_state_event,[<0.54.0>,{start,infinity},infinity]}}}}]}}},[{erl_eval,expr,3,[]}]}}
>>
>> Crash dump was written to: erl_crash.dump
>> init terminating in do_boot ()
>> make: *** [rebar] Error 1
>>
>> I tried to do the handshake with openssl and apparently it works:
>>
>> [ivan@REDACTED zotonic]$ openssl s_client -host github.com -port 443
>> CONNECTED(00000003)
>> depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert
>> High Assurance EV Root CA
>> verify return:1
>> depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert
>> SHA2 Extended Validation Server CA
>> verify return:1
>> depth=0 businessCategory = Private Organization, 1.3.6.1.4.1.311.60.2.1.3
>> = US, 1.3.6.1.4.1.311.60.2.1.2 = Delaware, serialNumber = 5157550, street =
>> 548 4th Street, postalCode = 94107, C = US, ST = California, L = San
>> Francisco, O = "GitHub, Inc.", CN = github.com
>> verify return:1
>> ---
>> Certificate chain
>> 0 s:/businessCategory=Private
>> Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=5157550/street=548
>> 4th Street/postalCode=94107/C=US/ST=California/L=San Francisco/O=GitHub,
>> Inc./CN=github.com
>> i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended
>> Validation Server CA
>> 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended
>> Validation Server CA
>> i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance
>> EV Root CA
>> ---
>> Server certificate
>> -----BEGIN CERTIFICATE-----
>> MIIF4DCCBMigAwIBAgIQDACTENIG2+M3VTWAEY3chzANBgkqhkiG9w0BAQsFADB1
>> ...
>> XX4C2NesiZcLYbc2n7B9O+63M2k=
>> -----END CERTIFICATE-----
>> subject=/businessCategory=Private
>> Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=5157550/street=548
>> 4th Street/postalCode=94107/C=US/ST=California/L=San Francisco/O=GitHub,
>> Inc./CN=github.com
>> issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2
>> Extended Validation Server CA
>> ---
>> No client certificate CA names sent
>> Server Temp Key: ECDH, prime256v1, 256 bits
>> ---
>> SSL handshake has read 3233 bytes and written 375 bytes
>> ---
>> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
>> Server public key is 2048 bit
>> Secure Renegotiation IS supported
>> Compression: NONE
>> Expansion: NONE
>> SSL-Session:
>> Protocol : TLSv1.2
>> Cipher : ECDHE-RSA-AES128-GCM-SHA256
>> Session-ID:
>> DDEF6E78852287351EC5B20FFDD2578F8996E7226CB883A5F1A94325048B79C6
>> Session-ID-ctx:
>> Master-Key:
>> D6C6283F463BFCD5A160E0CCE0CC8962CF944E5C98153040E4BC20466981B1622A5327C1E6BBED5F1751A049782908E5
>> Key-Arg : None
>> Krb5 Principal: None
>> PSK identity: None
>> PSK identity hint: None
>> Start Time: 1411113552
>> Timeout : 300 (sec)
>> Verify return code: 0 (ok)
>> ---
>> closed
>>
>> What can be wrong? Thank you.
>> Ivan
>>
>> _______________________________________________
>> erlang-questions mailing list
>> erlang-questions@REDACTED
>> http://erlang.org/mailman/listinfo/erlang-questions
>>
>>
>
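The hello-extension decoding that Ingela's patch corrects, mirrored in Python as an added example (not OTP code and not part of the thread): the (type, length, data) walk over a hello extensions block, with the empty server_name extension that RFC 6066 lets a server echo handled before the ServerNameList parse that badmatched in 17.3. The two extension blocks at the bottom are constructed samples, not bytes captured from github.com.

```python
import struct

SNI_EXT = 0x0000              # server_name, RFC 6066
EC_POINT_FORMATS_EXT = 0x000b

def decode_sni(ext_data: bytes) -> list:
    """Decode server_name extension_data into a list of host names.
    A server echoing the extension sends empty extension_data (RFC 6066);
    OTP 17.3 badmatched on that, here it decodes as an empty list."""
    if not ext_data:
        return []
    if len(ext_data) < 2:
        raise ValueError("server_name: truncated ServerNameList length")
    (list_len,) = struct.unpack("!H", ext_data[:2])
    entries = ext_data[2:]
    if len(entries) != list_len:
        raise ValueError("server_name: ServerNameList length mismatch")
    hosts = []
    while entries:
        if len(entries) < 3:
            raise ValueError("server_name: truncated ServerName entry")
        name_type, name_len = struct.unpack("!BH", entries[:3])
        name, entries = entries[3:3 + name_len], entries[3 + name_len:]
        if len(name) != name_len:
            raise ValueError("server_name: truncated host_name")
        if name_type == 0:                        # host_name(0)
            hosts.append(name.decode("ascii"))
    return hosts

def decode_hello_extensions(blob: bytes) -> dict:
    """Walk a hello extensions block: repeated (u16 type, u16 length, data)."""
    exts = {}
    while blob:
        if len(blob) < 4:
            raise ValueError("extensions: truncated extension header")
        ext_type, ext_len = struct.unpack("!HH", blob[:4])
        data, blob = blob[4:4 + ext_len], blob[4 + ext_len:]
        if len(data) != ext_len:
            raise ValueError("extensions: truncated extension body")
        if ext_type == SNI_EXT:
            exts["sni"] = decode_sni(data)
        elif ext_type == EC_POINT_FORMATS_EXT:    # u8 count, then formats
            exts["ec_point_formats"] = list(data[1:1 + data[0]]) if data else []
    return exts

# Constructed samples: a ServerHello block with an empty server_name echo plus
# ec_point_formats {uncompressed}, and a ClientHello server_name for "github.com".
SERVER_HELLO_EXTS = bytes.fromhex("00000000" "000b00020100")
CLIENT_HELLO_EXTS = bytes.fromhex("0000000f" "000d" "00" "000a") + b"github.com"
```

Feeding the ServerHello block to the pre-patch logic corresponds to calling decode_sni on b"" without the first check, which is the badmatch in the crash dump above.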