[erlang-questions] Erlang/OTP 21.0-rc1 (Release Candidate)

Ingela Andin ingela.andin@REDACTED
Wed May 16 14:43:22 CEST 2018


Hi!

Finally a solution:

https://github.com/erlang/otp/pull/1820

Regards Ingela Erlang/OTP team - Ericsson AB

2018-05-07 8:55 GMT+02:00 Ingela Andin <ingela.andin@REDACTED>:

> Hi again!
>
> I think I need to take back that last change, it is a bit more
> complicated. I will work on a real fix during the week.
>
> Regards Ingela Erlang/OTP Team
>
>
> 2018-05-04 19:18 GMT+02:00 Ingela Andin <ingela.andin@REDACTED>:
>
>> I hope this is the whole fix, please try it out:
>>
>> diff --git a/lib/ssl/src/ssl_cipher.erl b/lib/ssl/src/ssl_cipher.erl
>> index 0956d35..ed8663b 100644
>> --- a/lib/ssl/src/ssl_cipher.erl
>> +++ b/lib/ssl/src/ssl_cipher.erl
>> @@ -2837,11 +2837,13 @@ key_uses(OtpCert) ->
>>      Extensions = ssl_certificate:extensions_list(TBSExtensions),
>>      case ssl_certificate:select_extension(?'id-ce-keyUsage',
>> Extensions) of
>>      undefined ->
>> -        undefined;
>> +        [];
>>      #'Extension'{extnValue = KeyUses} ->
>>              KeyUses
>>      end.
>>
>> +filter_keyuse_suites(_, [], CipherSuits, _) ->
>> +    CipherSuits;
>>  filter_keyuse_suites(Use, KeyUse, CipherSuits, Suites) ->
>>      case ssl_certificate:is_valid_key_usage(KeyUse, Use) of
>>      true ->
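
Review bot: The new `filter_keyuse_suites(_, [], CipherSuits, _)` clause returns every suite unfiltered for any `Use` whenever `KeyUse` is `[]`, and it only works because `key_uses/1` now returns `[]` in its `undefined ->` branch; nothing in the code states that `[]` means "no keyUsage extension". Consider leaving `key_uses/1` returning `undefined` and matching `filter_keyuse_suites(_, undefined, CipherSuits, _)` instead, so the skip-filtering path is tied to an explicitly absent extension, or at least add a comment on both spots describing the convention. A test case with a server certificate that has no keyUsage extension would pin the behaviour down.
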
>>
>>
>> Regards Ingela Erlang/OTP Team - Ericsson AB
>>
>>
>>
>> 2018-05-04 17:41 GMT+02:00 Ingela Andin <ingela.andin@REDACTED>:
>>
>>> Hi!
>>>
>>> Thank you for the example.
>>>
>>> I did find one bug, the patch is here:
>>>
>>> diff --git a/lib/ssl/src/ssl_cipher.erl b/lib/ssl/src/ssl_cipher.erl
>>> index 0956d35..dd3dc54 100644
>>> --- a/lib/ssl/src/ssl_cipher.erl
>>> +++ b/lib/ssl/src/ssl_cipher.erl
>>> @@ -2837,7 +2837,7 @@ key_uses(OtpCert) ->
>>>      Extensions = ssl_certificate:extensions_list(TBSExtensions),
>>>      case ssl_certificate:select_extension(?'id-ce-keyUsage',
>>> Extensions) of
>>>      undefined ->
>>> -        undefined;
>>> +        [];
>>>      #'Extension'{extnValue = KeyUses} ->
>>>              KeyUses
>>>      end.
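
Review bot: In the `undefined ->` branch, returning `[]` changes what `key_uses/1` hands back for a certificate without the keyUsage extension, but no caller is changed in this patch. Any caller that checks a required usage against the returned list will now see an empty list rather than `undefined`, so the absent-extension case should be handled in the caller in the same change, and the return convention documented next to `key_uses/1`.
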
>>>
>>>
>>> My other sslv2 issue seems not to be related (probably an OpenSSL issue).
>>> Your example does, however, not work perfectly,
>>> so I am continuing to look into this!
>>>
>>> Regards Ingela Erlang/OTP team - Ericsson AB
>>>
>>>
>>>
>>>
>>>
>>> 2018-05-04 12:25 GMT+02:00 Roger Lipscombe <roger@REDACTED>:
>>>
>>>> On 4 May 2018 at 08:32, Ingela Andin <ingela.andin@REDACTED> wrote:
>>>> > This error is consistent with one of the errors I am seeing in the nightly
>>>> > builds when running OpenSSL with only default parameters, so I suspect
>>>> > something is off in the combination of
>>>> > version negotiation and cipher suite selection checks. I am looking into
>>>> > it!
>>>>
>>>> I'm seeing the same, if it helps to reproduce. I generated my
>>>> certificates with:
>>>>
>>>> #!/bin/sh
>>>>
>>>> # Create the CA key and certificate.
>>>> openssl genrsa -out ca.key 2048
>>>> openssl req -new -x509 -nodes -key ca.key -days 3653 -out ca.pem -subj "/CN=Test CA"
>>>>
>>>> # Create the server key and CSR.
>>>> openssl genrsa -out server.key 2048
>>>> openssl req -new -key server.key -out server.csr -subj "/CN=localhost"
>>>>
>>>> # Sign the CSR with the CA key.
>>>> serial=$(date +"%s")
>>>> openssl x509 -req -days 3563 -CA ca.pem -CAserial $serial -CAcreateserial -CAkey ca.key -in server.csr -out server.pem
>>>> rm $serial
>>>>
>>>> I tested with:
>>>>
>>>> % Server
>>>> {ok, _} = application:ensure_all_started(ssl).
>>>> Port = 11002.
>>>> LOpts = [{certfile, "server.pem"}, {keyfile, "server.key"}].
>>>> {ok, LSock} = ssl:listen(Port, LOpts).
>>>> {ok, CSock} = ssl:transport_accept(LSock).
>>>> ok = ssl:ssl_accept(CSock).
>>>>
>>>> % Client
>>>> {ok, _} = application:ensure_all_started(ssl).
>>>> Port = 11002.
>>>> COpts = [{verify, verify_peer}, {cacertfile, "ca.pem"}].
>>>> {ok, Sock} = ssl:connect("localhost", Port, COpts).
>>>>
>>>> The server reports:
>>>>
>>>> =INFO REPORT==== 4-May-2018::11:22:20.971130 ===
>>>> TLS server: In state hello at tls_handshake.erl:130 generated SERVER
>>>> ALERT: Fatal - Handshake Failure - malformed_handshake_data
>>>>
>>>> ** exception error: no match of right hand side value
>>>> {error,{tls_alert,"handshake failure"}}
>>>>
>>>> The client reports:
>>>>
>>>> =INFO REPORT==== 4-May-2018::11:22:20.981524 ===
>>>> TLS client: In state hello received SERVER ALERT: Fatal - Handshake
>>>> Failure
>>>>
>>>> ** exception error: no match of right hand side value
>>>> {error,{tls_alert,"handshake failure"}}
>>>>
>>>> The same code works fine with 20.3.1
>>>>
>>>> Thanks,
>>>> Roger.
>>>>
>>>
>>>
>>
>