[erlang-questions] Force TLS v1.2
Frank Muller
frank.muller.erl@REDACTED
Fri Apr 26 08:25:41 CEST 2019
Small typo in ssl_client/0:
_______________________________
tcp_client() ->
    {ok, TcpSocket} = gen_tcp:connect("local_proxy_for_traffic_filtering",
        12345, [ binary, {active, true}, {packet, 0} ]),
    ok = gen_tcp:send(TcpSocket, <<"CONNECT…">>),
    %% … got 200OK ...
    TcpSocket.

ssl_client() ->
    TcpSocket = tcp_client(),
    Opts = [ {verify, verify_none}, {cacertfile, "cacert.pem"}, {versions,
        ['tlsv1.2']} ],
    {ok, Sock} = ssl:connect(TcpSocket, Opts),
    Sock.

connect() ->
    SslSocket = ssl_client(),
    ok = ssl:send(SslSocket, <<"...some data...">>),
    %% …
    ok.
_______________________________
Hi guys
>
> I’m trying to connect to a remote SSL server using a filtering Proxy in
> between.
>
> First, I try to establish a normal TCP connection to this local Proxy
> using the CONNECT word.
>
> Second, I upgrade the TCP socket to SSL as in this code snippet:
>
> _______________________________
> tcp_client() ->
> {ok, TcpSocket} = gen_tcp:connect("local_proxy_for_traffic_filtering",
> 12345, [ binary, {active,true}, {packet,0} ]),
>
> ok = gen_tcp:send(TcpSocket, <<"CONNECT…">>),
> … got 200OK ...
> TcpSocket.
>
> ssl_client() ->
> TcpSocket = tcp_client(),
> Opts = [ {verify, verify_none}, {cacertfile, "cacert.pem"}, {versions,
> ['tlsv1.2']} ],
> {ok, Sock} = ssl:connect(TcpSocket, Opts).
>
> connect() ->
> SslSocket = ssl_client(),
> ok = ssl:send(SslSocket, <<"...some data...">>),
> …
> ok.
> _______________________________
>
> When I call ssl:send/2, the remote SSL server (I’ve no control over this
> server) immediately closes the connection with {error, closed}.
>
> Furthermore, the SSL server claims I’m using SSL v1.3 (from the logs we've
> got).
>
> Questions:
> a. Is it the right way to establish an SSL connection via a proxy?
>
> b. How can I really ensure I’m using SSL v1.2 and not v1.3?
>
>
> My config: Erlang 21.3.5, Ubuntu 18.04 LTS, Kernel 4.4.0-grs-64 on a very
> restricted environment: no sudo, no direct internet access
>
> /Frank
>
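
Added example (not part of the original post, and not code from the Erlang/OTP project): one way to open the CONNECT tunnel and upgrade it to TLS as described above, then confirm the negotiated version with ssl:connection_information/2. The module and function names, the 5000 ms timeouts and the caller-supplied proxy and target arguments are assumptions; unlike the post it keeps the socket passive and uses verify_peer, which assumes the server certificate chains to cacert.pem.

```erlang
-module(proxy_tls).
-export([connect/4]).

%% Added example. Host must be a string, e.g. "example.org" (constructed
%% value); "cacert.pem" is the CA file name used in the post.
connect(ProxyHost, ProxyPort, Host, Port) ->
    {ok, _} = application:ensure_all_started(ssl),
    %% Passive mode: the proxy reply and the handshake bytes are read
    %% explicitly instead of arriving as messages in the owner's mailbox.
    {ok, Tcp} = gen_tcp:connect(ProxyHost, ProxyPort,
        [binary, {active, false}, {packet, http_bin}], 5000),
    Target = [Host, $:, integer_to_list(Port)],
    ok = gen_tcp:send(Tcp, ["CONNECT ", Target, " HTTP/1.1\r\n",
                            "Host: ", Target, "\r\n\r\n"]),
    case read_reply(Tcp, false) of
        ok ->
            ok = inet:setopts(Tcp, [{packet, raw}]),  % raw bytes for TLS
            upgrade(Tcp, Host);
        {error, _} = Err -> gen_tcp:close(Tcp), Err
    end.

%% Accept only a 200 status line followed by headers and the blank line.
read_reply(Tcp, Seen200) ->
    case gen_tcp:recv(Tcp, 0, 5000) of
        {ok, {http_response, _, 200, _}} -> read_reply(Tcp, true);
        {ok, {http_header, _, _, _, _}} when Seen200 -> read_reply(Tcp, true);
        {ok, http_eoh} when Seen200 -> ok;
        {ok, Other} -> {error, {proxy_reply, Other}};
        {error, _} = Err -> Err
    end.

%% Offer TLS 1.2 only, verify the peer, and check what was negotiated.
upgrade(Tcp, Host) ->
    Opts = [{versions, ['tlsv1.2']},
            {verify, verify_peer}, {cacertfile, "cacert.pem"},
            {server_name_indication, Host}],
    case ssl:connect(Tcp, Opts, 5000) of
        {ok, Ssl} ->
            case ssl:connection_information(Ssl, [protocol]) of
                {ok, [{protocol, 'tlsv1.2'}]} -> {ok, Ssl};
                {ok, Info} -> ssl:close(Ssl), {error, {wrong_protocol, Info}}
            end;
        {error, _} = Err -> gen_tcp:close(Tcp), Err
    end.
```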