<div dir="ltr">I've investigated this case a bit and it seems to me that ECC handshake implementation has a bug:<div>As fas as I understand RFC 4492 (<a href="https://tools.ietf.org/html/rfc4492#section-5.1">https://tools.ietf.org/html/rfc4492#section-5.1</a>), it tells that it's OK for server to not support all curves supported by client if there are enough curves supported by both of them.<br>
</div><div>So if I'm correct, the tls_v1:enum_to_oid/1 function should have a default clause returning some magic value ('unsupported_curve' ?) which should be filtered out from EllipticCurves list in ?ELLIPTIC_CURVES_EXT clause of ssl_handshake:dec_hello_extensions/2 (line 1654).</div>
<div><br></div><div>I hope to fix it today.</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">2014-03-09 1:49 GMT+04:00 Ingela Andin <span dir="ltr"><<a href="mailto:ingela.andin@gmail.com" target="_blank">ingela.andin@gmail.com</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi!<br><div class="gmail_extra"><br><div class="gmail_quote">2014-03-07 11:14 GMT+01:00 Danil Zagoskin <span dir="ltr"><<a href="mailto:z@gosk.in" target="_blank">z@gosk.in</a>></span>:<div class="">
<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Thank you!<div><br></div><div>May I help you? Test case, pull request, etc?</div></div><div class="gmail_extra"><br></div></blockquote><div><br></div></div><div>You are always welcome to make a pull request which, if you follow the guide lines, should include a test case.</div>
<div class="">
<div><br></div><div><br></div><div>Regards Ingela Erlang/OTP team - Ericsson AB</div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="gmail_extra">
<br><div class="gmail_quote">2014-03-07 1:39 GMT+04:00 Ingela Andin <span dir="ltr"><<a href="mailto:ingela.andin@gmail.com" target="_blank">ingela.andin@gmail.com</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div><div dir="ltr">Hi!<div><br></div><div class="gmail_extra"><div class="gmail_quote">2014-03-06 11:50 GMT+01:00 Danil Zagoskin <span dir="ltr"><<a href="mailto:z@gosk.in" target="_blank">z@gosk.in</a>></span>:<div>
<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div dir="ltr">Hello!<div><br></div><div>My application is listening SSL port using ssl:listen, ssl:transport_accept and ssl:ssl_accept (indeed it uses some old patched mochiweb).</div><div>Erlang/OTP release is R16B02.</div>
<div>I use SASL for error logging.</div><div><br></div><div>Due to existence of network scanners, network errors and buggy clients some of connections fail to negotiate. This leads to two kind of log entries:</div><div> 1. "insufficient security", etc.</div>
<div> 2. Crash reports due to a function_clause error in tls_v1:enum_to_oid(0) (this may be not the only one, but definitely the most popular)</div><div><br></div><div>First one seems to be fixed by {log_alert, false} ssl option.</div>
<div>Second one keeps flooding logs with huge state printouts.</div><div><br></div><div>So, my question is: How to make all SSL-related troubles not to generate error reports? Simple {error, handshake_failed} returned by one of accepting functions would be enough.</div>
<div><br></div><div><br></div></div></blockquote><div><br></div><div> </div></div><div style="font-family:arial,sans-serif;font-size:13px"><br><div>The first option should logically be enough. I think the problem is that tls_v1:enum_to_oid</div>
</div><div>
<div style="font-family:arial,sans-serif;font-size:13px">should have a try and throw a handshake alert if it fails or be ignored, depending on situation, i.e. be an expected error instead of an unexpected error. I will create an issue to handle that.</div>
<div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">Regards Ingela Erlang/OTP team - Ericsson AB</div></div></div></div></div>
<br></div></div>_______________________________________________<br>
erlang-questions mailing list<br>
<a href="mailto:erlang-questions@erlang.org" target="_blank">erlang-questions@erlang.org</a><br>
<a href="http://erlang.org/mailman/listinfo/erlang-questions" target="_blank">http://erlang.org/mailman/listinfo/erlang-questions</a><br>
<br></blockquote></div><span><font color="#888888"><br><br clear="all"><div><br></div>-- <br><font face="'courier new', monospace">---------------------------------------------</font><div><font face="'courier new', monospace">Данил Загоскин | <a href="tel:%2B7%20906%20064%2020%2047" value="+79060642047" target="_blank">+7 906 064 20 47</a> | <a href="mailto:z@gosk.in" target="_blank">z@gosk.in</a></font></div>
</font></span></div>
</blockquote></div></div><br></div></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><font face="'courier new', monospace">---------------------------------------------</font><div><font face="'courier new', monospace">Данил Загоскин | +7 906 064 20 47 | <a href="mailto:z@gosk.in" target="_blank">z@gosk.in</a></font></div>
</div>