[erlang-questions] Erlang/OTP 21.0-rc1 (Release Candidate)

Ingela Andin ingela.andin@REDACTED
Fri May 4 19:18:20 CEST 2018


I hope this hole fix please try it out:

diff --git a/lib/ssl/src/ssl_cipher.erl b/lib/ssl/src/ssl_cipher.erl
index 0956d35..ed8663b 100644
--- a/lib/ssl/src/ssl_cipher.erl
+++ b/lib/ssl/src/ssl_cipher.erl
@@ -2837,11 +2837,13 @@ key_uses(OtpCert) ->
     Extensions = ssl_certificate:extensions_list(TBSExtensions),
     case ssl_certificate:select_extension(?'id-ce-keyUsage', Extensions) of
     undefined ->
-        undefined;
+        [];
     #'Extension'{extnValue = KeyUses} ->
             KeyUses
     end.

+filter_keyuse_suites(_, [], CipherSuits, _) ->
+    CipherSuits;
 filter_keyuse_suites(Use, KeyUse, CipherSuits, Suites) ->
     case ssl_certificate:is_valid_key_usage(KeyUse, Use) of
     true ->


Regards Ingela Erlang/OTP Team - Ericsson AB



2018-05-04 17:41 GMT+02:00 Ingela Andin <ingela.andin@REDACTED>:

> Hi!
>
> Thank you for the example
>
> I did find one bug, the patch is here:
>
> diff --git a/lib/ssl/src/ssl_cipher.erl b/lib/ssl/src/ssl_cipher.erl
> index 0956d35..dd3dc54 100644
> --- a/lib/ssl/src/ssl_cipher.erl
> +++ b/lib/ssl/src/ssl_cipher.erl
> @@ -2837,7 +2837,7 @@ key_uses(OtpCert) ->
>      Extensions = ssl_certificate:extensions_list(TBSExtensions),
>      case ssl_certificate:select_extension(?'id-ce-keyUsage', Extensions)
> of
>      undefined ->
> -        undefined;
> +        [];
>      #'Extension'{extnValue = KeyUses} ->
>              KeyUses
>      end.
>
>
> my other sslv2 issue seems not to be related. (Probably a OpenSSL issue)
> Your example does however not work perfect
> so I am continuing to look into this!
>
> Regards Ingela Erlang/OTP team - Ericsson AB
>
>
>
>
>
> 2018-05-04 12:25 GMT+02:00 Roger Lipscombe <roger@REDACTED>:
>
>> On 4 May 2018 at 08:32, Ingela Andin <ingela.andin@REDACTED> wrote:
>> > This error is consistent with one of the errors I am seeing in the
>> nightly
>> > builds when running OpenSSL with only default parameters so I suspect
>> > something is off in combination
>> > version negotiation and cipher suite selection checks. I am looking in
>> to
>> > it!
>>
>> I'm seeing the same, if it helps to reproduce. I generated my
>> certificates with:
>>
>> #!/bin/sh
>>
>> # Create the CA key and certificate.
>> openssl genrsa -out ca.key 2048
>> openssl req -new -x509 -nodes -key ca.key -days 3653 -out ca.pem -subj
>> "/CN=Test CA"
>>
>> # Create the server key and CSR.
>> openssl genrsa -out server.key 2048
>> openssl req -new -key server.key -out server.csr -subj "/CN=localhost"
>>
>> # Sign the CSR with the CA key.
>> serial=$(date +"%s")
>> openssl x509 -req -days 3563 -CA ca.pem -CAserial $serial
>> -CAcreateserial -CAkey ca.key -in server.csr -out server.pem
>> rm $serial
>>
>> I tested with:
>>
>> % Server
>> {ok, _} = application:ensure_all_started(ssl).
>> Port = 11002.
>> LOpts = [{certfile, "server.pem"}, {keyfile, "server.key"}].
>> {ok, LSock} = ssl:listen(Port, LOpts).
>> {ok, CSock} = ssl:transport_accept(LSock).
>> ok = ssl:ssl_accept(CSock).
>>
>> % Client
>> {ok, _} = application:ensure_all_started(ssl).
>> Port = 11002.
>> COpts = [{verify, verify_peer}, {cacertfile, "ca.pem"}].
>> {ok, Sock} = ssl:connect("localhost", Port, COpts).
>>
>> The server reports:
>>
>> =INFO REPORT==== 4-May-2018::11:22:20.971130 ===
>> TLS server: In state hello at tls_handshake.erl:130 generated SERVER
>> ALERT: Fatal - Handshake Failure - malformed_handshake_data
>>
>> ** exception error: no match of right hand side value
>> {error,{tls_alert,"handshake failure"}}
>>
>> The client reports:
>>
>> =INFO REPORT==== 4-May-2018::11:22:20.981524 ===
>> TLS client: In state hello received SERVER ALERT: Fatal - Handshake
>> Failure
>>
>> ** exception error: no match of right hand side value
>> {error,{tls_alert,"handshake failure"}}
>>
>> The same code works fine with 20.3.1
>>
>> Thanks,
>> Roger.
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20180504/16120e4c/attachment.htm>


More information about the erlang-questions mailing list