[erlang-questions] SSL connection problem

Ingela Andin ingela.andin@REDACTED
Mon Jun 8 12:01:49 CEST 2015


Hi!

Humm, well I take the patch back, I was a little too quick there.
I will come back with a new patch suggestion.
And of course we want to have a full understanding of the problem before
making it official, so that we do not break anything else.

Regards Ingela Erlang/OTP team -Ericsson AB



2015-06-08 11:02 GMT+02:00 Andreas Schultz <aschultz@REDACTED>:

> Hi,
>
> ----- On 8 Jun, 2015, at 10:30, Ingela Andin ingela.andin@REDACTED wrote:
>
> > I think the following patch would solve the problem, in a good way.
> >
> > I am not sure why they send an invalid value instead of no value, but
> this way
> > invalid values will be ignored and ssl will fallback to default values
> if there
> > are no valid values in the extension.
>
> Some more context on this, RFC 5246, Section 7.4.1.4.1. has this to say
> about
> unknown values:
>
>    Note: this extension is not meaningful for TLS versions prior to 1.2.
>    Clients MUST NOT offer it if they are offering prior versions.
>    However, even if clients do offer it, the rules specified in [TLSEXT]
>    require servers to ignore extensions they do not understand.
>
> Also, the Apple server sends the extension in question in a "Certificate
> Request",
> with the actual value being: 0xEF 0xEF (in decimal 239,239). IANA's TLS
> extension
> registry (
> http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml)
> defines the range 224-255 for SignatureAlgorithm and HashAlgorithm as
> "Reserved for Private Use". So it is perfectly valid for the server to
> send those.
>
> Andreas
>
> > diff --git a/lib/ssl/src/ssl_cipher.erl
> > b/lib/ssl/src/ssl_cipher.erl
> > index 8584e56..fd101ef 100644
> > --- a/lib/ssl/src/ssl_cipher.erl
> > +++ b/lib/ssl/src/ssl_cipher.erl
> > @@ -1573,8 +1573,9 @@ hash_algorithm(?SHA) -> sha;
> > hash_algorithm(?SHA224) -> sha224;
> > hash_algorithm(?SHA256) -> sha256;
> > hash_algorithm(?SHA384) -> sha384;
> > -hash_algorithm(?SHA512) -> sha512.
> > -
> > +hash_algorithm(?SHA512) -> sha512;
> > +hash_algorithm(_) -> undefined.
> > +
> > sign_algorithm(anon) -> ?ANON;
> > sign_algorithm(rsa) -> ?RSA;
> > sign_algorithm(dsa) -> ?DSA;
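Review bot: the new catch-all `hash_algorithm(_) -> undefined` has no guard, so it accepts any term, not only an unrecognised wire byte such as the 239 in the reported crash. Consider `hash_algorithm(Other) when is_integer(Other) -> undefined`. The reported trace reaches hash_algorithm from the list comprehension in ssl_handshake:decode_handshake/3, so after this change that list can carry `{undefined, _}` tuples forward, and every consumer of it has to filter them, not only select_hashsign.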
> > @@ -1582,7 +1583,8 @@ sign_algorithm(ecdsa) -> ?ECDSA;
> > sign_algorithm(?ANON) -> anon;
> > sign_algorithm(?RSA) -> rsa;
> > sign_algorithm(?DSA) -> dsa;
> > -sign_algorithm(?ECDSA) -> ecdsa.
> > +sign_algorithm(?ECDSA) -> ecdsa;
> > +sign_algorithm(_) -> undefined.
> >
> > hash_size(null) ->
> > 0;
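Review bot: sign_algorithm/1 maps in both directions (`sign_algorithm(rsa) -> ?RSA` and `sign_algorithm(?RSA) -> rsa`), so the unguarded `sign_algorithm(_) -> undefined` at the end also catches a misspelled or unsupported atom on the encoding side and returns `undefined` where a number is expected. Restricting the new clause to integers would keep the function_clause failure for bad atoms while still tolerating unknown wire values.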
> > diff --git a/lib/ssl/src/ssl_handshake.erl
> b/lib/ssl/src/ssl_handshake.erl
> > index 12a17cb..32da478 100644
> > --- a/lib/ssl/src/ssl_handshake.erl
> > +++ b/lib/ssl/src/ssl_handshake.erl
> > @@ -587,7 +587,11 @@ select_hashsign(#hash_sign_algos{hash_sign_algos =
> > HashSigns}, Cert, {Major, Min
> > #'OTPCertificate'{tbsCertificate = TBSCert}
> =public_key:pkix_decode_cert(Cert,
> > otp),
> > #'OTPSubjectPublicKeyInfo'{algorithm = {_,Algo, _}} =
> > TBSCert#'OTPTBSCertificate'.subjectPublicKeyInfo,
> > DefaultHashSign = {_, Sign} = select_hashsign_algs(undefined, Algo,
> Version),
> > - case lists:filter(fun({sha, dsa}) ->
> > + case lists:filter(fun({_, undefined}) -> %% ignore invalid extension
> signature
> > values
> > + false;
> > + ({undefined, _}) -> %% ignore invalid extension hash values
> > + false;
> > + ({sha, dsa}) ->
> > true;
> > ({_, dsa}) ->
> > false;
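Review bot: the comments on the two new filter clauses call these values "invalid", but per the RFC 5246 and IANA points raised above, 239 lies in the range reserved for private use, so "unknown" or "unsupported" describes what is skipped more accurately. The filter also relies on `undefined` never being a legitimate hash or signature atom, while `undefined` is already passed as the first argument of `select_hashsign_algs(undefined, Algo, Version)` a few lines up; a dedicated atom for unrecognised code points would avoid that overlap. A regression test that feeds a 239,239 pair through select_hashsign would pin the fallback to DefaultHashSign.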
> >
> > Regards Ingela Erlang/OTP team - Ericsson AB
> >
> >
> >
> >
> > 2015-06-07 17:12 GMT+02:00 Denis Justinek < denis.justinek@REDACTED > :
> >
> >
> >
> > Hello!
> >
> > For the last few days I started experiencing problems when connecting to
> Apple
> > Push Notification Service (APNS) with
> > Erlang's SSL.
> >
> > When trying to connect I encounter the following error:
> >
> > ** exception exit: {{function_clause,[{ssl_cipher,hash_algorithm,"ï",
> > [{file,"ssl_cipher.erl"},{line,1196}]},
> > {ssl_handshake,'-decode_handshake/3-lc$^0/1-0-',1,
> > [{file,"ssl_handshake.erl"},{line,945}]},
> > {ssl_handshake,'-decode_handshake/3-lc$^0/1-0-',1,
> > [{file,"ssl_handshake.erl"},{line,946}]},
> > {ssl_handshake,decode_handshake,3,
> > [{file,"ssl_handshake.erl"},{line,945}]},
> > {tls_handshake,get_tls_handshake_aux,3,
> > [{file,"tls_handshake.erl"},{line,155}]},
> > {tls_connection,next_state,4,
> > [{file,"tls_connection.erl"},{line,433}]},
> > {tls_connection,next_state,4,
> > [{file,"tls_connection.erl"},{line,437}]},
> > {gen_fsm,handle_msg,7,[{file,"gen_fsm.erl"},{line,503}]}]},
> > {gen_fsm,sync_send_all_state_event,
> > [<0.1221.0>,{start,1000},infinity]}}
> > in function gen_fsm:sync_send_all_state_event/3 (gen_fsm.erl, line 242)
> > in call from ssl_connection:sync_send_all_state_event/2
> (ssl_connection.erl,
> > line 1654)
> > in call from ssl_connection:handshake/2 (ssl_connection.erl, line 101)
> > in call from tls_connection:start_fsm/8 (tls_connection.erl, line 81)
> > in call from ssl_connection:connect/8 (ssl_connection.erl, line 71)
> > 16:53:13.961 <0.1221.0> Undefined Undefined [error] gen_fsm <0.1221.0>
> in state
> > certify terminated with reason: no function clause matching
> > ssl_cipher:hash_algorithm(239) line 1196
> > 16:53:13.964 <0.1221.0> Undefined Undefined [error] CRASH REPORT Process
> > <0.1221.0> with 0 neighbours exited with reason: no function clause
> matching
> > ssl_cipher:hash_algorithm(239) line 1196 in gen_fsm:terminate/7 line 611
> > 16:53:13.965 <0.174.0> Undefined Undefined [error] Supervisor
> tls_connection_sup
> > had child undefined started with {tls_connection,start_link,undefined} at
> > <0.1221.0> exit with reason no function clause matching
> > ssl_cipher:hash_algorithm(239) line 1196 in context child_terminated
> >
> > Steps to reproduce (you need an APNS certificate for this):
> >
> > application:ensure_all_started(ssl).
> > Address = "gateway.sandbox.push.apple.com".
> > Port = 2195.
> > Cert = "cert.pem".
> > CertPass = "*****".
> > Options1 = [{certfile,Cert},{password,CertPass},{mode,binary}].
> > Timeout = 1000.
> > {ok,Socket} = ssl:connect(Address, Port, Options1, Timeout).
> >
> > If we try to connect with the same certificate by using OpenSSL from
> command
> > line (s_client) it works fine with no errors.
> >
> > Terminal command: openssl s_client -connect
> gateway.sandbox.push.apple.com:2195
> > -cert cert.pem -debug
> > Enter pass phrase for cert.pem:
> > CONNECTED(00000003)
> > ...
> > Certificate chain
> > 0 s:/C=US/ST=California/L=Cupertino/O=Apple Inc./CN=
> > gateway.sandbox.push.apple.com
> > i:/C=US/O=Entrust, Inc./OU= www.entrust.net/rpa is incorporated by
> > reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority -
> L1C
> > 1 s:/C=US/O=Entrust, Inc./OU= www.entrust.net/rpa is incorporated by
> > reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority -
> L1C
> > i:/O=Entrust.net/OU= www.entrust.net/CPS_2048 incorp. by ref. (limits
> > liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification
> Authority
> > (2048)
> > ---
> > ...
> > subject=/C=US/ST=California/L=Cupertino/O=Apple Inc./CN=
> > gateway.sandbox.push.apple.com
> > issuer=/C=US/O=Entrust, Inc./OU= www.entrust.net/rpa is incorporated by
> > reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority -
> L1C
> > ---
> > No client certificate CA names sent
> > ---
> > SSL handshake has read 2760 bytes and written 2363 bytes
> > ---
> > New, TLSv1/SSLv3, Cipher is AES256-SHA
> > Server public key is 2048 bit
> > Secure Renegotiation IS supported
> > Compression: NONE
> > Expansion: NONE
> > SSL-Session:
> > Protocol : TLSv1
> > Cipher : AES256-SHA
> > Session-ID:
> > Session-ID-ctx:
> > Master-Key: ...
> > Key-Arg : None
> > Start Time: 1433689177
> > Timeout : 300 (sec)
> > Verify return code: 0 (ok)
> > ---
> >
> > Is this an issue with Erlang SSL module? How can it be mitigated?
> >
> > This can be reproduced on OSX and Linux - Erlang 17.4.
> >
> > With regards,
> > Denis
> >
> > _______________________________________________
> > erlang-questions mailing list
> > erlang-questions@REDACTED
> > http://erlang.org/mailman/listinfo/erlang-questions
> >
> >
> >
>
> --
> --
> Dipl. Inform.
> Andreas Schultz
>
> email: as@REDACTED
> phone: +49-391-819099-224
> mobil: +49-170-2226073
>
> ------------------- enabling your networks -------------------
>
> Travelping GmbH               phone:         +49-391-819099229
> Roentgenstr. 13               fax:           +49-391-819099299
> D-39108 Magdeburg             email:       info@REDACTED
> GERMANY                       web:   http://www.travelping.com
>
> Company Registration: Amtsgericht Stendal Reg No.:   HRB 10578
> Geschaeftsfuehrer: Holger Winkelmann | VAT ID No.: DE236673780
> --------------------------------------------------------------
>
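
A sketch of the tolerant decoding discussed in this thread, as an added example that is not part of the original messages and not code from OTP's ssl application. The module name `sigalgs_example`, its functions, and the `{sha, rsa}` default used in `demo/0` are assumptions made for illustration; the code points are those of RFC 5246, Section 7.4.1.4.1. It goes one step beyond the quoted patch by dropping unrecognised pairs at decode time instead of mapping them to `undefined`.

```erlang
-module(sigalgs_example).
-export([decode/1, select/3, demo/0]).

%% HashAlgorithm code points (RFC 5246, 7.4.1.4.1). none(0) and every
%% unassigned or private-use byte (224-255) are treated as unsupported.
hash(1) -> md5;
hash(2) -> sha;
hash(3) -> sha224;
hash(4) -> sha256;
hash(5) -> sha384;
hash(6) -> sha512;
hash(N) when is_integer(N), N >= 0, N =< 255 -> unsupported.

%% SignatureAlgorithm code points. The integer guard keeps a crash for
%% anything that is not a wire byte, such as a misspelled atom.
sign(0) -> anon;
sign(1) -> rsa;
sign(2) -> dsa;
sign(3) -> ecdsa;
sign(N) when is_integer(N), N >= 0, N =< 255 -> unsupported.

%% Decode a list of {Hash, Signature} byte pairs and silently skip any
%% pair that contains a code point this implementation does not know.
decode(Bin) when is_binary(Bin), byte_size(Bin) rem 2 =:= 0 ->
    [{H, S} || <<HB, SB>> <= Bin,
               H <- [hash(HB)], H =/= unsupported,
               S <- [sign(SB)], S =/= unsupported];
decode(_) ->
    {error, malformed}.

%% Pick the first offered pair usable with the key type of the local
%% certificate; fall back to Default when nothing usable was offered.
select(Pairs, KeySign, Default) ->
    case [P || {_, S} = P <- Pairs, S =:= KeySign] of
        [First | _] -> First;
        [] -> Default
    end.

demo() ->
    %% Constructed inputs; 239,239 is the pair reported in this thread.
    [] = decode(<<239,239>>),
    [{sha256, rsa}, {sha, rsa}] = decode(<<4,1, 239,239, 2,1>>),
    {sha, rsa} = select(decode(<<239,239>>), rsa, {sha, rsa}),
    {sha256, rsa} = select(decode(<<4,1, 239,239, 2,1>>), rsa, {sha, rsa}),
    {error, malformed} = decode(<<4>>),
    ok.
```

Compile the module and call `sigalgs_example:demo().` in the shell; it returns `ok` when every pattern match holds.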