[erlang-questions] Erlang/OTP 21.0-rc1 (Release Candidate)

Ingela Andin ingela.andin@REDACTED
Fri May 4 09:32:59 CEST 2018


Hi!


2018-05-03 18:08 GMT+02:00 Loïc Hoguin <essen@REDACTED>:

> Hello,
>
> On 05/03/2018 01:54 PM, Loïc Hoguin wrote:
>
>> * SSL is broken. See [1] for example. I can see the same thing happening
>> on 5 different Linux distributions (with different OpenSSL versions) and on
>> OSX. A quick try in the shell is not much better:
>>
>
>
Thank you for shouting, that is what the release candidate is for. So we
can catch the problems early!




> OK it's just a very misleading error message I think.
>


Well that depends, this is not really an error message that you should get
unless you have a buggy or malicious client. But of course now we might be
getting it due to a bug and then
it could be misleading!



>
> Switching my server's test keys from RSA to DSA fixes it so I think this
> issue is caused by:
>
>   OTP-14769    Application(s): ssl
>
>                For security reasons RSA-key exchange cipher suites are
>                no longer supported by default
>


I do not really suspect this change. RSA-certificates are still supported.
Just cipher suites using RSA encryption/decryption in the key exchange
process are not supported.
When you switched to a DSA-certificate an other cipher suite was picked
that did not expose the problem.  If there had been no common cipher suites
you would have got another error.



>
> Still, it probably should provide a more helpful error message than this:
>
> *** System report during acceptor_SUITE:ssl_echo/1 in ssl 2018-05-03
> 11:13:04.343 ***
> =INFO REPORT==== 3-May-2018::11:13:04.342940 ===
> TLS server: In state hello at tls_handshake.erl:130 generated SERVER
> ALERT: Fatal - Handshake Failure - malformed_handshake_data
>
> *** System report during acceptor_SUITE:ssl_echo/1 in ssl 2018-05-03
> 11:13:04.348 ***
> =INFO REPORT==== 3-May-2018::11:13:04.348265 ===
> TLS client: In state hello received SERVER ALERT: Fatal - Handshake Failure
>
> "malformed_handshake_data" sounds like the client would have sent a
> malformed handshake, ie bad data, when the actual issue seems to be that
> the certificate configured is no longer supported. The server generating an
> alert about its own certificate doesn't sound quite right either.
>
> That being said I do not really know the intent so I'm guessing a bit. All
> I know for sure is that it's confusing.
>
>

This error is consistent with one of the errors I am seeing in the nightly
builds when running OpenSSL with only default parameters so I suspect
something is off in combination
version negotiation and cipher suite selection checks. I am looking in to
it!

Regards Ingela Erlang/OTP Team






> Cheers,
>
>
> --
> Loïc Hoguin
> https://ninenines.eu
> _______________________________________________
> erlang-questions mailing list
> erlang-questions@REDACTED
> http://erlang.org/mailman/listinfo/erlang-questions
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20180504/ddae0edc/attachment.htm>


More information about the erlang-questions mailing list