[erlang-questions] SSL connection problem
Guilherme Andrade
g@REDACTED
Sun Jun 7 22:27:34 CEST 2015
On 07-06-2015 16:12, Denis Justinek wrote:
> Hello!
>
> For the last few days I stared experiencing problems when connecting
> to Apple Push Notification Service (APNS) with
> Erlangs SSL.
Yeah, I've been getting this too, albeit only on the sandbox endpoint;
R16B03-1 here.
It's rather weird; the TLS 1.2 spec[1] lists the following hashing
algorithms:
enum {
none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
sha512(6), (255)
} HashAlgorithm;
239 being 0xEF, it's a rather suspicious bitmask, so I would go with
either 1) handshake message being wrongly decoded or 2) something fishy
on the their end.
[1]: https://www.ietf.org/rfc/rfc5246.txt
>
> When trying to connect I encounter the following error:
>
> ** exception exit: {{function_clause,[{ssl_cipher,hash_algorithm,"ï",
>
> [{file,"ssl_cipher.erl"},{line,1196}]},
>
> {ssl_handshake,'-decode_handshake/3-lc$^0/1-0-',1,
>
> [{file,"ssl_handshake.erl"},{line,945}]},
>
> {ssl_handshake,'-decode_handshake/3-lc$^0/1-0-',1,
>
> [{file,"ssl_handshake.erl"},{line,946}]},
> {ssl_handshake,decode_handshake,3,
>
> [{file,"ssl_handshake.erl"},{line,945}]},
>
> {tls_handshake,get_tls_handshake_aux,3,
>
> [{file,"tls_handshake.erl"},{line,155}]},
> {tls_connection,next_state,4,
>
> [{file,"tls_connection.erl"},{line,433}]},
> {tls_connection,next_state,4,
>
> [{file,"tls_connection.erl"},{line,437}]},
>
> {gen_fsm,handle_msg,7,[{file,"gen_fsm.erl"},{line,503}]}]},
> {gen_fsm,sync_send_all_state_event,
> [<0.1221.0>,{start,1000},infinity]}}
> in function gen_fsm:sync_send_all_state_event/3 (gen_fsm.erl,
> line 242)
> in call from ssl_connection:sync_send_all_state_event/2
> (ssl_connection.erl, line 1654)
> in call from ssl_connection:handshake/2 (ssl_connection.erl, line
> 101)
> in call from tls_connection:start_fsm/8 (tls_connection.erl, line 81)
> in call from ssl_connection:connect/8 (ssl_connection.erl, line 71)
> 16:53:13.961 <0.1221.0> Undefined Undefined [error] gen_fsm <0.1221.0>
> in state certify terminated with reason: no function clause matching
> ssl_cipher:hash_algorithm(239) line 1196
> 16:53:13.964 <0.1221.0> Undefined Undefined [error] CRASH REPORT
> Process <0.1221.0> with 0 neighbours exited with reason: no function
> clause matching ssl_cipher:hash_algorithm(239) line 1196 in
> gen_fsm:terminate/7 line 611
> 16:53:13.965 <0.174.0> Undefined Undefined [error] Supervisor
> tls_connection_sup had child undefined started with
> {tls_connection,start_link,undefined} at <0.1221.0> exit with reason
> no function clause matching ssl_cipher:hash_algorithm(239) line 1196
> in context child_terminated
>
> Steps to reproduce (you need an APNS certificate for this):
>
> application:ensure_all_started(ssl).
> Address = "gateway.sandbox.push.apple.com
> <http://gateway.sandbox.push.apple.com>".
> Port = 2195.
> Cert = "cert.pem".
> CertPass = "*****".
> Options1 = [{certfile,Cert},{password,CertPass},{mode,binary}].
> Timeout = 1000.
> {ok,Socket} = ssl:connect(Address, Port, Options1, Timeout).
>
> If we try to connect with the same certificate by using OpenSSL from
> command line (s_client) if works fine with no errors.
>
> Terminal command: openssl s_client -connect
> gateway.sandbox.push.apple.com:2195
> <http://gateway.sandbox.push.apple.com:2195> -cert cert.pem -debug
> Enter pass phrase for cert.pem:
> CONNECTED(00000003)
> ...
> Certificate chain
> 0 s:/C=US/ST=California/L=Cupertino/O=Apple
> Inc./CN=gateway.sandbox.push.apple.com
> <http://gateway.sandbox.push.apple.com>
> i:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa
> <http://www.entrust.net/rpa> is incorporated by reference/OU=(c) 2009
> Entrust, Inc./CN=Entrust Certification Authority - L1C
> 1 s:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa
> <http://www.entrust.net/rpa> is incorporated by reference/OU=(c) 2009
> Entrust, Inc./CN=Entrust Certification Authority - L1C
> i:/O=Entrust.net/OU=www.entrust.net/CPS_2048
> <http://www.entrust.net/CPS_2048> incorp. by ref. (limits
> liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification
> Authority (2048)
> ---
> ...
> subject=/C=US/ST=California/L=Cupertino/O=Apple
> Inc./CN=gateway.sandbox.push.apple.com
> <http://gateway.sandbox.push.apple.com>
> issuer=/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa
> <http://www.entrust.net/rpa> is incorporated by reference/OU=(c) 2009
> Entrust, Inc./CN=Entrust Certification Authority - L1C
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 2760 bytes and written 2363 bytes
> ---
> New, TLSv1/SSLv3, Cipher is AES256-SHA
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
> Protocol : TLSv1
> Cipher : AES256-SHA
> Session-ID:
> Session-ID-ctx:
> Master-Key: ...
> Key-Arg : None
> Start Time: 1433689177
> Timeout : 300 (sec)
> Verify return code: 0 (ok)
> ---
>
> Is this an issue with Erlang SSL module? How can it be mitigated?
>
> This can be reproduced on OSX and Linux - Erlang 17.4.
>
> With regards,
> Denis
>
>
> _______________________________________________
> erlang-questions mailing list
> erlang-questions@REDACTED
> http://erlang.org/mailman/listinfo/erlang-questions
--
Guilherme
https://www.gandrade.net/
PGP: 0x602B2AD8 / B348 C976 CCE1 A02A 017E 4649 7A6E B621 602B 2AD8
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20150607/5a9ab644/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20150607/5a9ab644/attachment.bin>
More information about the erlang-questions
mailing list