[erlang-questions] SSL connection problem

Ingela Andin ingela.andin@REDACTED
Mon Jun 8 10:30:24 CEST 2015 

I think the following patch would solve the problem, in a good way.

I am not sure why they send an invalid value instead of no value, but this
way invalid values will be ignored and ssl will fallback to default values
if there are no valid values in the extension.
diff --git a/lib/ssl/src/ssl_cipher.erl b/lib/ssl/src/ssl_cipher.erl
index 8584e56..fd101ef 100644
--- a/lib/ssl/src/ssl_cipher.erl
+++ b/lib/ssl/src/ssl_cipher.erl
@@ -1573,8 +1573,9 @@ hash_algorithm(?SHA) -> sha;
 hash_algorithm(?SHA224) -> sha224;
 hash_algorithm(?SHA256) -> sha256;
 hash_algorithm(?SHA384) -> sha384;
-hash_algorithm(?SHA512) -> sha512.
-
+hash_algorithm(?SHA512) -> sha512;
+hash_algorithm(_) -> undefined.
+
 sign_algorithm(anon)  -> ?ANON;
 sign_algorithm(rsa)   -> ?RSA;
 sign_algorithm(dsa)   -> ?DSA;
@@ -1582,7 +1583,8 @@ sign_algorithm(ecdsa) -> ?ECDSA;
 sign_algorithm(?ANON) -> anon;
 sign_algorithm(?RSA) -> rsa;
 sign_algorithm(?DSA) -> dsa;
-sign_algorithm(?ECDSA) -> ecdsa.
+sign_algorithm(?ECDSA) -> ecdsa;
+sign_algorithm(_) -> undefined.

 hash_size(null) ->
     0;
diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
index 12a17cb..32da478 100644
--- a/lib/ssl/src/ssl_handshake.erl
+++ b/lib/ssl/src/ssl_handshake.erl
@@ -587,7 +587,11 @@ select_hashsign(#hash_sign_algos{hash_sign_algos =
HashSigns}, Cert, {Major, Min
     #'OTPCertificate'{tbsCertificate = TBSCert}
=public_key:pkix_decode_cert(Cert, otp),
     #'OTPSubjectPublicKeyInfo'{algorithm = {_,Algo, _}} =
TBSCert#'OTPTBSCertificate'.subjectPublicKeyInfo,
     DefaultHashSign = {_, Sign} = select_hashsign_algs(undefined, Algo,
Version),
-    case lists:filter(fun({sha, dsa}) ->
+    case lists:filter(fun({_, undefined}) -> %% ignore invalid extension
signature values
+                  false;
+             ({undefined, _}) -> %% ignore invalid extension hash values
+                  false;
+             ({sha, dsa}) ->
                   true;
              ({_, dsa}) ->
                   false;

Regards Ingela Erlang/OTP team - Ericsson AB




2015-06-07 17:12 GMT+02:00 Denis Justinek <denis.justinek@REDACTED>:

> Hello!
>
> For the last few days I stared experiencing problems when connecting to
> Apple Push Notification Service (APNS) with
> Erlangs SSL.
>
> When trying to connect I encounter the following error:
>
> ** exception exit: {{function_clause,[{ssl_cipher,hash_algorithm,"ï",
>
> [{file,"ssl_cipher.erl"},{line,1196}]},
>
> {ssl_handshake,'-decode_handshake/3-lc$^0/1-0-',1,
>
> [{file,"ssl_handshake.erl"},{line,945}]},
>
> {ssl_handshake,'-decode_handshake/3-lc$^0/1-0-',1,
>
> [{file,"ssl_handshake.erl"},{line,946}]},
>                                       {ssl_handshake,decode_handshake,3,
>
> [{file,"ssl_handshake.erl"},{line,945}]},
>
> {tls_handshake,get_tls_handshake_aux,3,
>
> [{file,"tls_handshake.erl"},{line,155}]},
>                                       {tls_connection,next_state,4,
>
> [{file,"tls_connection.erl"},{line,433}]},
>                                       {tls_connection,next_state,4,
>
> [{file,"tls_connection.erl"},{line,437}]},
>
> {gen_fsm,handle_msg,7,[{file,"gen_fsm.erl"},{line,503}]}]},
>                     {gen_fsm,sync_send_all_state_event,
>                              [<0.1221.0>,{start,1000},infinity]}}
>      in function  gen_fsm:sync_send_all_state_event/3 (gen_fsm.erl, line
> 242)
>      in call from ssl_connection:sync_send_all_state_event/2
> (ssl_connection.erl, line 1654)
>      in call from ssl_connection:handshake/2 (ssl_connection.erl, line 101)
>      in call from tls_connection:start_fsm/8 (tls_connection.erl, line 81)
>      in call from ssl_connection:connect/8 (ssl_connection.erl, line 71)
> 16:53:13.961 <0.1221.0> Undefined Undefined [error] gen_fsm <0.1221.0> in
> state certify terminated with reason: no function clause matching
> ssl_cipher:hash_algorithm(239) line 1196
> 16:53:13.964 <0.1221.0> Undefined Undefined [error] CRASH REPORT Process
> <0.1221.0> with 0 neighbours exited with reason: no function clause
> matching ssl_cipher:hash_algorithm(239) line 1196 in gen_fsm:terminate/7
> line 611
> 16:53:13.965 <0.174.0> Undefined Undefined [error] Supervisor
> tls_connection_sup had child undefined started with
> {tls_connection,start_link,undefined} at <0.1221.0> exit with reason no
> function clause matching ssl_cipher:hash_algorithm(239) line 1196 in
> context child_terminated
>
> Steps to reproduce (you need an APNS certificate for this):
>
>     application:ensure_all_started(ssl).
>     Address = "gateway.sandbox.push.apple.com".
>     Port = 2195.
>     Cert = "cert.pem".
>     CertPass = "*****".
>     Options1 = [{certfile,Cert},{password,CertPass},{mode,binary}].
>     Timeout = 1000.
>     {ok,Socket} = ssl:connect(Address, Port, Options1, Timeout).
>
> If we try to connect with the same certificate by using OpenSSL from
> command line (s_client) if works fine with no errors.
>
>     Terminal command: openssl s_client -connect
> gateway.sandbox.push.apple.com:2195 -cert cert.pem -debug
>     Enter pass phrase for cert.pem:
>     CONNECTED(00000003)
>     ...
>     Certificate chain
>      0 s:/C=US/ST=California/L=Cupertino/O=Apple Inc./CN=
> gateway.sandbox.push.apple.com
>        i:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by
> reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
>      1 s:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by
> reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
>        i:/O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref.
> (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification
> Authority (2048)
>     ---
>     ...
>     subject=/C=US/ST=California/L=Cupertino/O=Apple Inc./CN=
> gateway.sandbox.push.apple.com
>     issuer=/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated
> by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority -
> L1C
>     ---
>     No client certificate CA names sent
>     ---
>     SSL handshake has read 2760 bytes and written 2363 bytes
>     ---
>     New, TLSv1/SSLv3, Cipher is AES256-SHA
>     Server public key is 2048 bit
>     Secure Renegotiation IS supported
>     Compression: NONE
>     Expansion: NONE
>     SSL-Session:
>         Protocol  : TLSv1
>         Cipher    : AES256-SHA
>         Session-ID:
>         Session-ID-ctx:
>         Master-Key: ...
>         Key-Arg   : None
>         Start Time: 1433689177
>         Timeout   : 300 (sec)
>         Verify return code: 0 (ok)
> ---
>
> Is this an issue with Erlang SSL module? How can it be mitigated?
>
> This can be reproduced on OSX and Linux - Erlang 17.4.
>
> With regards,
>     Denis
>
> _______________________________________________
> erlang-questions mailing list
> erlang-questions@REDACTED
> http://erlang.org/mailman/listinfo/erlang-questions
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20150608/443e9813/attachment.htm>

More information about the erlang-questions mailing list