[erlang-questions] Force TLS v1.2

Frank Muller frank.muller.erl@REDACTED
Mon Apr 29 11:35:51 CEST 2019


Hi Andreas

Thanks for pointing that out.
I just tried with {active,false} but nothing changed.
The connection is closed immediately.

Any other hint?

/Frank

> Hi Frank,
>
> Sorry, that I can't really help you, but I did notice that the Erlang SSL
> usage example for upgrading a socket to TLS [1] says:
>
> *Step 5:* Ensure active is set to false before trying to upgrade a
> connection to an SSL connection, otherwise SSL handshake messages can be
> delivered to the wrong process
>
> Your example seems to be using an active connection.
>
> Maybe you could post a more complete, ready to run sample to get more
> feedback...
>
> Regards
> Andreas
>
> 1: http://erlang.org/doc/apps/ssl/using_ssl.html
>
> On Fri, 26 Apr 2019 at 08:25, Frank Muller <
> frank.muller.erl@REDACTED> wrote:
>
>> Small typo in ssl_client/0:
>> _______________________________
>> tcp_client() ->
>>     {ok, TcpSocket} = gen_tcp:connect("local_proxy_for_traffic_filtering", 12345,
>>                                       [ binary, {active, true}, {packet, 0} ]),
>>     ok = gen_tcp:send(TcpSocket, <<"CONNECT…">>),
>>     %% … got 200OK ...
>>     TcpSocket.
>>
>> ssl_client() ->
>>   TcpSocket = tcp_client(),
>>   Opts = [ {verify, verify_none}, {cacertfile, "cacert.pem"}, {versions, ['tlsv1.2']} ],
>>   {ok, Sock} = ssl:connect(TcpSocket, Opts),
>>   Sock.
>>
>> connect() ->
>>       SslSocket = ssl_client(),
>>       ok = ssl:send(SslSocket, <<"...some data...">>),
>>       ok.
>> _______________________________
>>
>>
>>> Hi guys
>>>
>>> I’m trying to connect to a remote SSL server using a filtering Proxy in
>>> between.
>>>
>>> First, I try to establish a normal TCP connection to this local Proxy
>>> using the CONNECT word.
>>>
>>> Second, I upgrade the TCP socket to SSL as in this snippet code:
>>>
>>> _______________________________
>>> tcp_client() ->
>>>     {ok, TcpSocket} = gen_tcp:connect("local_proxy_for_traffic_filtering", 12345,
>>>                                       [ binary, {active,true}, {packet,0} ]),
>>>
>>>     ok = gen_tcp:send(TcpSocket, <<"CONNECT…">>),
>>>     %% … got 200OK ...
>>>     TcpSocket.
>>>
>>> ssl_client() ->
>>>   TcpSocket = tcp_client(),
>>>   Opts = [ {verify, verify_none}, {cacertfile, "cacert.pem"}, {versions, ['tlsv1.2']} ],
>>>   {ok, Sock} = ssl:connect(TcpSocket, Opts).
>>>
>>> connect() ->
>>>       SslSocket = ssl_client(),
>>>       ok = ssl:send(SslSocket, <<"...some data...">>),
>>>       ok.
>>> _______________________________
>>>
>>> When I call ssl:send/2, the remote SSL server (I’ve no control over
>>> this server) immediately closes the connection with {error, closed}.
>>>
>>> Furthermore, the SSL server claims I’m using SSL v1.3 (from the logs
>>> we've got).
>>>
>>> Questions:
>>> a. is it the right way to establish an SSL connection via a proxy?
>>>
>>> b. how can I really ensure I’m using SSL v1.2 and not v1.3?
>>>
>>>
>>> My config: Erlang 21.3.5, Ubuntu 18.04 LTS, Kernel 4.4.0-grs-64 on a
>>> very restricted environment: no sudo, no direct internet access
>>>
>>> /Frank
>>>
> --
> --
> Dipl.-Inform. Andreas Schultz
>
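
An added example, not code from the thread: one way to run the CONNECT-then-upgrade sequence discussed above on a passive socket and then confirm the negotiated version with ssl:connection_information/2. The module and function names, the 5 second timeout, and the use of verify_peer with server_name_indication (the thread's snippet used verify_none) are assumptions of this example.

```erlang
-module(proxy_tls).
-export([connect/4]).

%% Hypothetical entry point; Host must be a string such as "example.org".
connect(ProxyHost, ProxyPort, Host, Port) ->
    {ok, _} = application:ensure_all_started(ssl),
    Timeout = 5000,
    %% Passive from the start, so neither the proxy reply nor any TLS
    %% handshake bytes are delivered as messages to the calling process.
    {ok, Tcp} = gen_tcp:connect(ProxyHost, ProxyPort,
                                [binary, {active, false}, {packet, raw}], Timeout),
    Target = [Host, $:, integer_to_list(Port)],
    ok = gen_tcp:send(Tcp, ["CONNECT ", Target, " HTTP/1.1\r\n",
                            "Host: ", Target, "\r\n\r\n"]),
    %% Let the inet driver parse the proxy's HTTP reply, then return to raw.
    ok = inet:setopts(Tcp, [{packet, http_bin}]),
    case gen_tcp:recv(Tcp, 0, Timeout) of
        {ok, {http_response, _Vsn, 200, _Phrase}} ->
            ok = skip_headers(Tcp, Timeout),
            ok = inet:setopts(Tcp, [{packet, raw}]),
            upgrade(Tcp, Host, Timeout);
        Other ->
            gen_tcp:close(Tcp),
            {error, {proxy_refused, Other}}
    end.

%% Consume the proxy's response headers up to the empty line.
skip_headers(Tcp, Timeout) ->
    case gen_tcp:recv(Tcp, 0, Timeout) of
        {ok, http_eoh} -> ok;
        {ok, {http_header, _, _, _, _}} -> skip_headers(Tcp, Timeout);
        Other -> {error, Other}
    end.

upgrade(Tcp, Host, Timeout) ->
    Opts = [{versions, ['tlsv1.2']},          % offer TLS 1.2 only
            {verify, verify_peer},
            {cacertfile, "cacert.pem"},
            {server_name_indication, Host}],  % SNI and hostname check
    case ssl:connect(Tcp, Opts, Timeout) of
        {ok, Tls} ->
            %% Crash loudly if anything other than TLS 1.2 was negotiated.
            {ok, [{protocol, 'tlsv1.2'}]} = ssl:connection_information(Tls, [protocol]),
            {ok, Tls};
        {error, Reason} ->
            gen_tcp:close(Tcp),
            {error, Reason}
    end.
```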