[erlang-questions] Force TLS v1.2
Andreas Schultz
andreas.schultz@REDACTED
Mon Apr 29 08:41:40 CEST 2019
Hi Frank,
Sorry that I can't really help you, but I did notice that the Erlang SSL
usage example for upgrading a socket to TLS [1] says:
> *Step 5:* Ensure active is set to false before trying to upgrade a
> connection to an SSL connection, otherwise SSL handshake messages can be
> delivered to the wrong process
Your example seems to be using an active connection.
Maybe you could post a more complete, ready to run sample to get more
feedback...
Regards
Andreas
1: http://erlang.org/doc/apps/ssl/using_ssl.html
On Fri, 26 Apr 2019 at 08:25, Frank Muller <frank.muller.erl@REDACTED> wrote:
> Small typo in ssl_client/0:
> _______________________________
> tcp_client() ->
>     {ok, TcpSocket} = gen_tcp:connect("local_proxy_for_traffic_filtering",
>         12345, [ binary, {active, true}, {packet, 0} ]),
>     ok = gen_tcp:send(TcpSocket, <<"CONNECT…">>),
>     … got 200OK ...
>     TcpSocket.
>
> ssl_client() ->
>     TcpSocket = tcp_client(),
>     Opts = [ {verify, verify_none}, {cacertfile, "cacert.pem"}, {versions,
>         ['tlsv1.2']} ],
>     {ok, Sock} = ssl:connect(TcpSocket, Opts),
>     Sock.
>
> connect() ->
>     SslSocket = ssl_client(),
>     ok = ssl:send(SslSocket, <<"...some data...">>),
>     …
>     ok.
> _______________________________
>
>
>> Hi guys
>>
>> I’m trying to connect to a remote SSL server using a filtering Proxy in
>> between.
>>
>> First, I try to establish a normal TCP connection to this local Proxy
>> using the CONNECT word.
>>
>> Second, I upgrade the TCP socket to SSL as in this snippet code:
>>
>> _______________________________
>> tcp_client() ->
>>     {ok, TcpSocket} = gen_tcp:connect("local_proxy_for_traffic_filtering",
>>         12345, [ binary, {active,true}, {packet,0} ]),
>>
>>     ok = gen_tcp:send(TcpSocket, <<"CONNECT…">>),
>>     … got 200OK ...
>>     TcpSocket.
>>
>> ssl_client() ->
>>     TcpSocket = tcp_client(),
>>     Opts = [ {verify, verify_none}, {cacertfile, "cacert.pem"}, {versions,
>>         ['tlsv1.2']} ],
>>     {ok, Sock} = ssl:connect(TcpSocket, Opts).
>>
>> connect() ->
>>     SslSocket = ssl_client(),
>>     ok = ssl:send(SslSocket, <<"...some data...">>),
>>     …
>>     ok.
>> _______________________________
>>
>> When I call the ssl:send/2, the remote SSL server (I’ve no control on
>> this server) immediately closes the connection with {error, closed}.
>>
>> Furthermore, the SSL server claims I’m using SSL v1.3 (from the logs
>> we've got).
>>
>> Questions:
>> a. is it the right way to establish an SSL connection via a proxy?
>>
>> b. how can I really ensure I’m using SSL v1.2 and not v1.3?
>>
>>
>> My config: Erlang 21.3.5, Ubuntu 18.04 LTS, Kernel 4.4.0-grs-64 on a very
>> restricted environment: no sudo, no direct internet access
>>
>> /Frank
>>
--
Dipl.-Inform. Andreas Schultz
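
The passive-mode upgrade that the reply above points to, as an added example that is not part of the original thread: the socket stays {active, false} through the CONNECT exchange and the TLS handshake, only 'tlsv1.2' is offered, and the negotiated version is read back with ssl:connection_information/2. The module and function names, the 5000 ms timeouts, Host being passed as a string, and the use of verify_peer with SNI are assumptions; cacert.pem is the file name from the quoted code.

```erlang
-module(proxy_tls12).
-export([connect/4]).
%% Added example (hypothetical module, not code from the thread): CONNECT
%% through an HTTP proxy, then upgrade the same socket to TLS 1.2 only.
connect(ProxyHost, ProxyPort, Host, Port) ->
    {ok, _} = application:ensure_all_started(ssl),
    %% Passive socket: the proxy reply and, later, the TLS handshake records
    %% are read explicitly and never delivered as messages to some process.
    TcpOpts = [binary, {active, false}, {packet, http_bin}],
    {ok, Tcp} = gen_tcp:connect(ProxyHost, ProxyPort, TcpOpts, 5000),
    Target = [Host, ":", integer_to_list(Port)],
    Req = ["CONNECT ", Target, " HTTP/1.1\r\nHost: ", Target, "\r\n\r\n"],
    ok = gen_tcp:send(Tcp, Req),
    case read_status(Tcp) of
        ok ->
            %% Back to raw bytes before handing the socket to ssl.
            ok = inet:setopts(Tcp, [{packet, raw}]),
            upgrade(Tcp, Host);
        {error, _} = Err ->
            gen_tcp:close(Tcp),
            Err
    end.

%% Accept only a 200 status line, then consume headers up to the blank line.
read_status(Tcp) ->
    case gen_tcp:recv(Tcp, 0, 5000) of
        {ok, {http_response, _Vsn, 200, _Reason}} -> skip_headers(Tcp);
        Other -> {error, {connect_failed, Other}}
    end.

skip_headers(Tcp) ->
    case gen_tcp:recv(Tcp, 0, 5000) of
        {ok, http_eoh} -> ok;
        {ok, {http_header, _, _, _, _}} -> skip_headers(Tcp);
        Other -> {error, {connect_failed, Other}}
    end.

upgrade(Tcp, Host) ->
    TlsOpts = [{versions, ['tlsv1.2']}, {server_name_indication, Host},
               {verify, verify_peer}, {cacertfile, "cacert.pem"}],
    case ssl:connect(Tcp, TlsOpts, 5000) of
        {ok, Tls} ->
            %% Read back the negotiated version instead of assuming it.
            {ok, [{protocol, 'tlsv1.2'}]} =
                ssl:connection_information(Tls, [protocol]),
            {ok, Tls};
        {error, _} = Err ->
            Err
    end.
```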