[erlang-questions] How to downgrade a TLS connection to TCP without a TLS Alert exchange

Rob A'Court <>
Tue Oct 24 11:38:54 CEST 2017


Hi

Is there a way to downgrade a TLS connection to TCP without a TLS Alert
exchange in Erlang/Elixir?

To give a bit of context: We've implemented the MS-TDS protocol (used by
Microsoft SQL Server) using Elixir and the ssl and gen_tcp libraries. A TDS
connection typically is unencrypted apart from the login. It starts
unencrypted with a prelogin handshake, after that comes the TLS handshake,
an encrypted login packet is sent and then all further packets are
unencrypted.

Using :ssl.close to downgrade the socket to TCP expects a TLS alert
exchange to end the SSL connection; however, TDS does not expect or support
TLS alerts, it simply goes back to being unencrypted after the login. I
appreciate this is not standard TLS but I'm not expecting to change
Microsoft's protocol to SQL Server any time soon!

Currently we stop encryption by sending data directly to the TCP socket and
changing the controlling process of the TCP socket to our receiving
process. This works; however, it leaves the ssl_connection process hanging
around. It monitors our receiving process and if that process dies a TLS
alert is sent which TDS is not expecting. The alert is only sent in some
teardown scenarios but it just seems rather messy. We're wondering if
there's a better way to approach our problem?

Many thanks

Rob
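For readers unfamiliar with the OTP upgrade/downgrade path the post refers to, here is an added Elixir sketch (not the poster's code) of the TDS sequence described above: plaintext prelogin, TLS upgrade of the same gen_tcp socket, one encrypted login packet, then the documented :ssl.close/2 downgrade. The 8-byte TDS packet header is real; the prelogin and login payload bytes are constructed placeholders, and `host`, `port` and `ssl_opts` are assumed inputs.

```elixir
defmodule TdsTlsSketch do
  # Added illustration, not the poster's code. Only the socket handling uses
  # real :gen_tcp / :ssl calls; packet payloads are constructed placeholders.
  @timeout 5_000
  @prelogin 0x12
  @login7 0x10
  @eom 0x01

  # TDS packet header: Type(1) Status(1) Length(2, BE, includes header)
  # SPID(2, BE) PacketID(1) Window(1), followed by the payload.
  def tds_packet(type, payload, packet_id \\ 1) when is_binary(payload) do
    len = byte_size(payload) + 8
    <<type, @eom, len::16-big, 0::16, packet_id, 0>> <> payload
  end

  def connect(host, port, login_payload, ssl_opts) do
    # 1. Plaintext PRELOGIN over a passive, binary gen_tcp socket.
    {:ok, tcp} = :gen_tcp.connect(host, port, [:binary, active: false], @timeout)
    :ok = :gen_tcp.send(tcp, tds_packet(@prelogin, prelogin_payload()))
    {:ok, _prelogin_reply} = :gen_tcp.recv(tcp, 0, @timeout)

    # 2. TLS handshake on the same socket. :ssl.connect/3 on an existing
    #    gen_tcp socket upgrades it; the ssl connection process now owns it.
    {:ok, tls} = :ssl.connect(tcp, ssl_opts, @timeout)

    # 3. The only encrypted packet in the session: LOGIN7.
    :ok = :ssl.send(tls, tds_packet(@login7, login_payload))

    # 4. Documented OTP downgrade: hand the transport socket back to this
    #    process. OTP completes the close_notify alert exchange with the peer
    #    before returning {:ok, tcp}; as the post explains, a TDS server never
    #    takes part in that exchange, which is why this step is the problem.
    case :ssl.close(tls, {self(), @timeout}) do
      {:ok, plain_tcp} -> {:ok, plain_tcp}
      {:error, reason} -> {:error, {:downgrade_failed, reason}}
    end
  end

  # Constructed placeholder: a real PRELOGIN body carries option tokens
  # (version, encryption setting, ...) that are out of scope here.
  defp prelogin_payload, do: <<0xFF>>
end
```

Everything after step 4 would then be sent and received with :gen_tcp on `plain_tcp`, mirroring the "all further packets are unencrypted" behaviour described in the post.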