[erlang-questions] Erlang/OTP 21.0-rc1 (Release Candidate)

Ingela Andin ingela.andin@REDACTED
Mon May 7 08:55:05 CEST 2018


Hi again!

I think I need to take back that last change, it is a bit more complicated.
I will work on a real fix during the week.

Regards Ingela Erlang/OTP Team

2018-05-04 19:18 GMT+02:00 Ingela Andin <ingela.andin@REDACTED>:

> I hope this hole fix please try it out:
>
> diff --git a/lib/ssl/src/ssl_cipher.erl b/lib/ssl/src/ssl_cipher.erl
> index 0956d35..ed8663b 100644
> --- a/lib/ssl/src/ssl_cipher.erl
> +++ b/lib/ssl/src/ssl_cipher.erl
> @@ -2837,11 +2837,13 @@ key_uses(OtpCert) ->
>      Extensions = ssl_certificate:extensions_list(TBSExtensions),
>      case ssl_certificate:select_extension(?'id-ce-keyUsage', Extensions)
> of
>      undefined ->
> -        undefined;
> +        [];
>      #'Extension'{extnValue = KeyUses} ->
>              KeyUses
>      end.
>
> +filter_keyuse_suites(_, [], CipherSuits, _) ->
> +    CipherSuits;
>  filter_keyuse_suites(Use, KeyUse, CipherSuits, Suites) ->
>      case ssl_certificate:is_valid_key_usage(KeyUse, Use) of
>      true ->
>
>
> Regards Ingela Erlang/OTP Team - Ericsson AB
>
>
>
> 2018-05-04 17:41 GMT+02:00 Ingela Andin <ingela.andin@REDACTED>:
>
>> Hi!
>>
>> Thank you for the example
>>
>> I did find one bug, the patch is here:
>>
>> diff --git a/lib/ssl/src/ssl_cipher.erl b/lib/ssl/src/ssl_cipher.erl
>> index 0956d35..dd3dc54 100644
>> --- a/lib/ssl/src/ssl_cipher.erl
>> +++ b/lib/ssl/src/ssl_cipher.erl
>> @@ -2837,7 +2837,7 @@ key_uses(OtpCert) ->
>>      Extensions = ssl_certificate:extensions_list(TBSExtensions),
>>      case ssl_certificate:select_extension(?'id-ce-keyUsage',
>> Extensions) of
>>      undefined ->
>> -        undefined;
>> +        [];
>>      #'Extension'{extnValue = KeyUses} ->
>>              KeyUses
>>      end.
>>
>>
>> my other sslv2 issue seems not to be related. (Probably a OpenSSL issue)
>> Your example does however not work perfect
>> so I am continuing to look into this!
>>
>> Regards Ingela Erlang/OTP team - Ericsson AB
>>
>>
>>
>>
>>
>> 2018-05-04 12:25 GMT+02:00 Roger Lipscombe <roger@REDACTED>:
>>
>>> On 4 May 2018 at 08:32, Ingela Andin <ingela.andin@REDACTED> wrote:
>>> > This error is consistent with one of the errors I am seeing in the
>>> nightly
>>> > builds when running OpenSSL with only default parameters so I suspect
>>> > something is off in combination
>>> > version negotiation and cipher suite selection checks. I am looking in
>>> to
>>> > it!
>>>
>>> I'm seeing the same, if it helps to reproduce. I generated my
>>> certificates with:
>>>
>>> #!/bin/sh
>>>
>>> # Create the CA key and certificate.
>>> openssl genrsa -out ca.key 2048
>>> openssl req -new -x509 -nodes -key ca.key -days 3653 -out ca.pem -subj
>>> "/CN=Test CA"
>>>
>>> # Create the server key and CSR.
>>> openssl genrsa -out server.key 2048
>>> openssl req -new -key server.key -out server.csr -subj "/CN=localhost"
>>>
>>> # Sign the CSR with the CA key.
>>> serial=$(date +"%s")
>>> openssl x509 -req -days 3563 -CA ca.pem -CAserial $serial
>>> -CAcreateserial -CAkey ca.key -in server.csr -out server.pem
>>> rm $serial
>>>
>>> I tested with:
>>>
>>> % Server
>>> {ok, _} = application:ensure_all_started(ssl).
>>> Port = 11002.
>>> LOpts = [{certfile, "server.pem"}, {keyfile, "server.key"}].
>>> {ok, LSock} = ssl:listen(Port, LOpts).
>>> {ok, CSock} = ssl:transport_accept(LSock).
>>> ok = ssl:ssl_accept(CSock).
>>>
>>> % Client
>>> {ok, _} = application:ensure_all_started(ssl).
>>> Port = 11002.
>>> COpts = [{verify, verify_peer}, {cacertfile, "ca.pem"}].
>>> {ok, Sock} = ssl:connect("localhost", Port, COpts).
>>>
>>> The server reports:
>>>
>>> =INFO REPORT==== 4-May-2018::11:22:20.971130 ===
>>> TLS server: In state hello at tls_handshake.erl:130 generated SERVER
>>> ALERT: Fatal - Handshake Failure - malformed_handshake_data
>>>
>>> ** exception error: no match of right hand side value
>>> {error,{tls_alert,"handshake failure"}}
>>>
>>> The client reports:
>>>
>>> =INFO REPORT==== 4-May-2018::11:22:20.981524 ===
>>> TLS client: In state hello received SERVER ALERT: Fatal - Handshake
>>> Failure
>>>
>>> ** exception error: no match of right hand side value
>>> {error,{tls_alert,"handshake failure"}}
>>>
>>> The same code works fine with 20.3.1
>>>
>>> Thanks,
>>> Roger.
>>>
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20180507/98d5a74b/attachment.htm>


More information about the erlang-questions mailing list