[erlang-questions] SSL handshake failure

Ingela Andin ingela.andin@REDACTED
Thu Dec 22 12:56:06 CET 2016 

Hi!

I think this might be a timing bug. Can you try the following patch?

Regards Ingela Erlang/OTP Team - Ericsson AB

*diff --git a/lib/ssl/src/tls_connection.erl
b/lib/ssl/src/tls_connection.erl*

*index 32991d3..e1f8e78 100644*

*--- a/lib/ssl/src/tls_connection.erl*

*+++ b/lib/ssl/src/tls_connection.erl*

@@ -420,6 +420,7 @@ handle_common_event(internal, #alert{} = Alert,
StateName,

 handle_common_event(internal,  #ssl_tls{type = ?HANDSHAKE, fragment =
Data},

                    StateName, #state{protocol_buffers =


#protocol_buffers{tls_handshake_buffer = Buf0} = Buffers,

+                                      unprocessed_handshake_events =
NumUnprocessed,

                                      negotiated_version = Version,

                                      ssl_options = Options} = State0) ->

     try

@@ -432,7 +433,7 @@ handle_common_event(internal,  #ssl_tls{type =
?HANDSHAKE, fragment = Data},

            connection ->

                ssl_connection:hibernate_after(StateName, State, Events);

            _ ->

-               {next_state, StateName,
State#state{unprocessed_handshake_events = unprocessed_events(Events)},
Events}

+               {next_state, StateName,
State#state{unprocessed_handshake_events = unprocessed_events(Events,
NumUnprocessed)}, Events}

        end

     catch throw:#alert{} = Alert ->

            ssl_connection:handle_own_alert(Alert, Version, StateName,
State0)

@@ -615,8 +616,6 @@ next_event(StateName, Record, State, Actions) ->

            {next_state, StateName, State, [{next_event, internal, Alert} |
Actions]}

     end.



-tls_handshake_events([]) ->

-    throw(?ALERT_REC(?FATAL, ?HANDSHAKE_FAILURE, malformed_handshake));

 tls_handshake_events(Packets) ->

     lists:map(fun(Packet) ->

                      {next_event, internal, {handshake, Packet}}

@@ -727,8 +726,10 @@ gen_info(Event, StateName, #state{negotiated_version =
Version} = State) ->


malformed_handshake_data),

                                            Version, StateName, State)

     end.

-

-unprocessed_events(Events) ->

+

+unprocessed_events([], Unprocessed) ->

+    Unprocessed;

+unprocessed_events(Events, _) ->

     %% The first handshake event will be processed immediately

     %% as it is entered first in the event queue and

     %% when it is processed there will be length(Events)-1




2016-12-21 14:47 GMT+01:00 Justin Wood <justin.k.wood@REDACTED>:

> After upgrading to Erlang OTP-19.2 and, in different requests, specified
> the version as one of tlsv1, tlsv1.1 or tlsv1.2. Every time I received the
> same error.
>
> I'm not sure if it is helpful at all, but I can replicate this on Windows,
> OSX 10.11 (El Capitan) and Ubuntu 14.04. I have not tried on other
> platforms.
>
> Is there any other information that I would be able to give that would be
> helpful?
>
> On Wed, Dec 21, 2016 at 3:38 AM, Technion <technion@REDACTED> wrote:
>
>> Hi Justin,
>>
>>
>> Is this earlier discussion relevant:
>>
>>
>> http://erlang.org/pipermail/erlang-questions/2016-November/090780.html
>>
>>
>>
>>
>>
>> ------------------------------
>> *From:* erlang-questions-bounces@REDACTED <
>> erlang-questions-bounces@REDACTED> on behalf of Justin Wood <
>> justin.k.wood@REDACTED>
>> *Sent:* Wednesday, 21 December 2016 11:56 AM
>> *To:* erlang-questions@REDACTED
>> *Subject:* [erlang-questions] SSL handshake failure
>>
>> Hi there,
>>
>> I am attempting to use the ssl module in order to get a socket to a
>> remote server (MongoDB). I am using the following line of code (OTP 19)
>>
>> ssl:connect("my-server.net", 27017, [binary, {active, false}, {packet,
>> raw}], 5000).
>>
>> Whenever I use this, I get the following:
>>
>> =ERROR REPORT==== 20-Dec-2016::19:13:13 ===
>> SSL: certify: tls_connection.erl:603:Fatal error: handshake failure -
>> malformed_handshake
>> {error,{tls_alert,"handshake failure"}}
>>
>> Which lead me to look into erlang:get_stacktrace/0
>>
>> erlang:get_stacktrace().
>> [{tls_connection,start_fsm,8,
>>                  [{file,"tls_connection.erl"},{line,79}]},
>>  {ssl_connection,connect,8,
>>                  [{file,"ssl_connection.erl"},{line,84}]},
>>  {erl_eval,do_apply,6,[{file,"erl_eval.erl"},{line,674}]},
>>  {shell,exprs,7,[{file,"shell.erl"},{line,686}]},
>>  {shell,eval_exprs,7,[{file,"shell.erl"},{line,641}]},
>>  {shell,eval_loop,3,[{file,"shell.erl"},{line,626}]}]
>>
>> My problem is that the certificate that the server is using should be
>> legitimate. I can connect, without error, using other clients and languages.
>>
>> I took a look through Wireshark in order to try and figure out what is
>> going on and this is what I see.
>>
>> * The Client says hello and presents a list of cipher suites.
>> * The Server says hello and says that it wants to use
>> TLS_RSA_WITH_AES_256_GCM_SHA384 (This cipher is in the list that the
>> client sends)
>> * The Server sends the Client the certificates it is using (these both
>> appear to be signed by DigiCert).
>> * The Server sends an encrypted handshake message.
>> * The Client responds with a Fatal Alert stating a Handshake Failure.
>> * The Server sends another encrypted handshake message.
>>
>> I have verified that ssl:connect/4 is working fine as I can connect to a
>> number of different miscellaneous services (including a number of other
>> MongoDB instances).
>>
>> I was wondering if there is anything else I can do to try and figure out
>> why erlang does not allow this connection.
>>
>> Justin
>>
>
>
> _______________________________________________
> erlang-questions mailing list
> erlang-questions@REDACTED
> http://erlang.org/mailman/listinfo/erlang-questions
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20161222/7840b7bd/attachment.htm>

More information about the erlang-questions mailing list