[erlang-questions] Force TLS v1.2
Frank Muller
frank.muller.erl@REDACTED
Mon Apr 29 11:35:51 CEST 2019
Hi Andreas
Thanks for pointing out that.
I just tried with {active,false} but nothing changed.
The connection is closed immediately.
Any other hint?
/Frank
Hi Frank,
>
> Sorry, that I can't really help you, but I did notice that the Erlang SSL
> usage example for upgrading a socket to TLS [1] says:
>
> *> Step 5:* Ensure active is set to false before trying to upgrade a
> connection to an SSL connection, otherwise SSL handshake messages can be
> delivered to the wrong process
>
> Your example seems to be using an active connection.
>
> Maybe you could post a more complete, ready to run sample to get more
> feedback...
>
> Regards
> Andreas
>
> 1: http://erlang.org/doc/apps/ssl/using_ssl.html
>
> Am Fr., 26. Apr. 2019 um 08:25 Uhr schrieb Frank Muller <
> frank.muller.erl@REDACTED>:
>
>> Small typo in ssl_client/0:
>> _______________________________
>> tcp_client() ->
>> {ok, TcpSock} = gen_tcp:connect("local_proxy_for_traffic_fitering",
>> 12345, [ binary, {active, true}, {packet. 0} ]),
>> ok = gen_tcp:send(TcpSocket, <<"CONNECT…">>),
>> … got 200OK ...
>> TcpSocket.
>>
>> ssl_client() ->
>> TcpSocket = tcp_client(),
>> Opts = [ {verify, verify_none}, {cacertfile, "cacert.pem"}, {versions,
>> ['tlsv1.2']} ],
>> {ok, Sock} = ssl:connect(TcpSocket, Opts),
>> Sock.
>>
>> connect() ->
>> SslSocket = ssl_client(),
>> ok = ssl:send("...some data...">>, SslSocket),
>> …
>> ok.
>> _______________________________
>>
>>
>> Hi guys
>>>
>>> I’m trying to connect to a remote SSL server using a filtering Proxy in
>>> between.
>>>
>>> First, I try to establish a normal TCP connection to this local Proxy
>>> using the CONNECT word.
>>>
>>> Second, I upgrade the TCP socket to SSL as in this snippet code:
>>>
>>> _______________________________
>>> tcp_client() ->
>>> {ok, TcpSock} = gen_tcp:connect("local_proxy_f
>>> or_traffic_filtering", 12345, [ binary, {active,true}, {packet,0} ]),
>>>
>>> ok = gen_tcp:send(TcpSocket, <<"CONNECT…">>),
>>> … got 200OK ...
>>> TcpSocket.
>>>
>>> ssl_client() ->
>>> TcpSocket = tcp_client(),
>>> Opts = [ {verify, verify_none}, {cacertfile, "cacert.pem"}, {versions,
>>> ['tlsv1.2']} ],
>>> {ok, Sock} = ssl:connect(TcpSocket, Opts).
>>>
>>> connect() ->
>>> SslSocket = ssl_client(),
>>> ok = ssl:send(SslSocket, <<"...some data...">>),
>>> …
>>> ok.
>>> _______________________________
>>>
>>> When i call the ssl:send/2, the remote SSL server (I’ve no control on
>>> this server) immediately closes the connection with {error, closed}.
>>>
>>> Furthermore, the SSL server claims I’m using SSL v1.3 (from the logs
>>> we've got).
>>>
>>> Questions:
>>> a. is it the right way to establish an SSL connection via a proxy?
>>>
>>> b. how can I really ensure I’m using SSL v1.2 and not v1.3?
>>>
>>>
>>> My config: Erlang 21.3.5, Ubuntu 18.04 LTS, Kernel 4.4.0-grs-64 on a
>>> very restricted environment: no sudo, no direct internet access
>>>
>>> /Frank
>>>
>> _______________________________________________
>
>
>> erlang-questions mailing list
>> erlang-questions@REDACTED
>> http://erlang.org/mailman/listinfo/erlang-questions
>>
>
>
> --
> --
> Dipl.-Inform. Andreas Schultz
>
> ----------------------- enabling your networks ----------------------
> Travelping GmbH Phone: +49-391-81 90 99 0
> Roentgenstr. 13 Fax: +49-391-81 90 99 299
> 39108 Magdeburg Email: info@REDACTED
> GERMANY Web: http://www.travelping.com
>
> Company Registration: Amtsgericht Stendal Reg No.: HRB 10578
> Geschaeftsfuehrer: Holger Winkelmann VAT ID No.: DE236673780
> ---------------------------------------------------------------------
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20190429/825f737b/attachment.htm>
More information about the erlang-questions
mailing list