<div dir="ltr"><div><div><div><div class="gmail_extra">Hi!<br><br></div><div class="gmail_extra">After some investigation I have concluded that the server may send an SNI-extension, and that if it does so, it shall be empty.<br><pre>"In this event, the
server SHALL include an extension of type "server_name" in the
(extended) server hello. The "extension_data" field of this
extension SHALL be empty."</pre><br></div><div class="gmail_extra">I do not really see the point in including an empty SNI-extension on the server side, but as the RFC says so, here comes a patch to handle it.<br></div><div class="gmail_extra"><br>diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl<br>index 22673e4..eee33ef 100644<br>--- a/lib/ssl/src/ssl_handshake.erl<br>+++ b/lib/ssl/src/ssl_handshake.erl<br>@@ -1732,6 +1732,9 @@ dec_hello_extensions(<<?UINT16(?EC_POINT_FORMATS_EXT), ?UINT16(Len),<br> #ec_point_formats{ec_point_format_list =<br> ECPointFormats}});<br> <br>+dec_hello_extensions(<<?UINT16(?SNI_EXT), ?UINT16(Len), Rest/binary>>, Acc) when Len == 0 -> <br>+ dec_hello_extensions(Rest, Acc#hello_extensions{sni = ""}); %% Server may send an empy SNI<br>+<br> dec_hello_extensions(<<?UINT16(?SNI_EXT), ?UINT16(Len),<br> ExtData:Len/binary, Rest/binary>>, Acc) -><br> <<?UINT16(_), NameList/binary>> = ExtData,<br><br><div class="gmail_quote"><br></div><div class="gmail_quote">Regards Ingela Erlang/OTP Team - Ericsson AB<br></div><div class="gmail_quote"><br><br><br>2014-09-19 11:00 GMT+02:00 Iván Martínez <span dir="ltr"><<a href="mailto:ivan.martinez@iberlang.com" target="_blank">ivan.martinez@iberlang.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Hello all,<br>I just hired a CentOS 7 server that came with very little software installed. I installed Erlang 17.3 from sources, attached is output of the configure step. 
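Review bot: the comment on the second added line misspells "empty" ("%% Server may send an empy SNI"), and the first added line carries a trailing space after "->"; both should be cleaned up before this goes in. The ordering of the new clause matters and deserves a comment of its own: the existing clause below it binds `<<?UINT16(_), NameList/binary>> = ExtData`, which is exactly the match that fails with `{badmatch,<<0 bytes>>}` at ssl_handshake.erl:1737 in the quoted report when the body is zero bytes, so the zero-length clause must stay ahead of it. Writing the length directly into the pattern, `?UINT16(0)` instead of `?UINT16(Len)` plus `when Len == 0`, would make that intent visible at a glance. It is also worth confirming that `""` is a value the rest of the client code accepts in the `sni` field, since the non-empty clause goes on to decode `NameList` rather than store a string, and citing the RFC wording ("SHALL be empty") next to the clause so the reason for the special case survives.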
Now I'm trying to install zotonic but it fails when trying to do an SSL handshake with github, see below:<br><br>[ivan@strasbourg1 zotonic]$ make<br>erl -noshell -s inets -s ssl \<br> -eval '{ok, saved_to_file} = httpc:request(get, {"<a href="https://github.com/rebar/rebar/wiki/rebar" target="_blank">https://github.com/rebar/rebar/wiki/rebar</a>", []}, [], [{stream, "./rebar"}])' \<br> -s init stop<br>{"init terminating in do_boot",{{badmatch,{error,{failed_connect,[{to_address,{"<a href="http://github.com" target="_blank">github.com</a>",443}},{inet,[inet],{eoptions,{{{badmatch,<<0 bytes>>},[{ssl_handshake,dec_hello_extensions,2,[{file,"ssl_handshake.erl"},{line,1737}]},{ssl_handshake,decode_handshake,3,[{file,"ssl_handshake.erl"},{line,926}]},{tls_handshake,get_tls_handshake_aux,3,[{file,"tls_handshake.erl"},{line,155}]},{tls_connection,next_state,4,[{file,"tls_connection.erl"},{line,433}]},{gen_fsm,handle_msg,7,[{file,"gen_fsm.erl"},{line,503}]},{proc_lib,init_p_do_apply,3,[{file,"proc_lib.erl"},{line,237}]}]},{gen_fsm,sync_send_all_state_event,[<0.54.0>,{start,infinity},infinity]}}}}]}}},[{erl_eval,expr,3,[]}]}}<br><br>Crash dump was written to: erl_crash.dump<br>init terminating in do_boot ()<br>make: *** [rebar] Error 1<br><br>I tried to do the handshake with openssl and apparently it works:<br><br>[ivan@strasbourg1 zotonic]$ openssl s_client -host <a href="http://github.com" target="_blank">github.com</a> -port 443<br>CONNECTED(00000003)<br>depth=2 C = US, O = DigiCert Inc, OU = <a href="http://www.digicert.com" target="_blank">www.digicert.com</a>, CN = DigiCert High Assurance EV Root CA<br>verify return:1<br>depth=1 C = US, O = DigiCert Inc, OU = <a href="http://www.digicert.com" target="_blank">www.digicert.com</a>, CN = DigiCert SHA2 Extended Validation Server CA<br>verify return:1<br>depth=0 businessCategory = Private Organization, 1.3.6.1.4.1.311.60.2.1.3 = US, 1.3.6.1.4.1.311.60.2.1.2 = Delaware, serialNumber = 5157550, street = 548 4th Street, 
postalCode = 94107, C = US, ST = California, L = San Francisco, O = "GitHub, Inc.", CN = <a href="http://github.com" target="_blank">github.com</a><br>verify return:1<br>---<br>Certificate chain<br> 0 s:/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=5157550/street=548 4th Street/postalCode=94107/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=<a href="http://github.com" target="_blank">github.com</a><br> i:/C=US/O=DigiCert Inc/OU=<a href="http://www.digicert.com/CN=DigiCert" target="_blank">www.digicert.com/CN=DigiCert</a> SHA2 Extended Validation Server CA<br> 1 s:/C=US/O=DigiCert Inc/OU=<a href="http://www.digicert.com/CN=DigiCert" target="_blank">www.digicert.com/CN=DigiCert</a> SHA2 Extended Validation Server CA<br> i:/C=US/O=DigiCert Inc/OU=<a href="http://www.digicert.com/CN=DigiCert" target="_blank">www.digicert.com/CN=DigiCert</a> High Assurance EV Root CA<br>---<br>Server certificate<br>-----BEGIN CERTIFICATE-----<br>MIIF4DCCBMigAwIBAgIQDACTENIG2+M3VTWAEY3chzANBgkqhkiG9w0BAQsFADB1<br>...<br>XX4C2NesiZcLYbc2n7B9O+63M2k=<br>-----END CERTIFICATE-----<br>subject=/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=5157550/street=548 4th Street/postalCode=94107/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=<a href="http://github.com" target="_blank">github.com</a><br>issuer=/C=US/O=DigiCert Inc/OU=<a href="http://www.digicert.com/CN=DigiCert" target="_blank">www.digicert.com/CN=DigiCert</a> SHA2 Extended Validation Server CA<br>---<br>No client certificate CA names sent<br>Server Temp Key: ECDH, prime256v1, 256 bits<br>---<br>SSL handshake has read 3233 bytes and written 375 bytes<br>---<br>New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256<br>Server public key is 2048 bit<br>Secure Renegotiation IS supported<br>Compression: NONE<br>Expansion: NONE<br>SSL-Session:<br> Protocol : TLSv1.2<br> Cipher : 
ECDHE-RSA-AES128-GCM-SHA256<br> Session-ID: DDEF6E78852287351EC5B20FFDD2578F8996E7226CB883A5F1A94325048B79C6<br> Session-ID-ctx: <br> Master-Key: D6C6283F463BFCD5A160E0CCE0CC8962CF944E5C98153040E4BC20466981B1622A5327C1E6BBED5F1751A049782908E5<br> Key-Arg : None<br> Krb5 Principal: None<br> PSK identity: None<br> PSK identity hint: None<br> Start Time: 1411113552<br> Timeout : 300 (sec)<br> Verify return code: 0 (ok)<br>---<br>closed<br><br>What can be wrong? Thank you.<br>Ivan<br></div>
<br>_______________________________________________<br>
erlang-questions mailing list<br>
<a href="mailto:erlang-questions@erlang.org" target="_blank">erlang-questions@erlang.org</a><br>
<a href="http://erlang.org/mailman/listinfo/erlang-questions" target="_blank">http://erlang.org/mailman/listinfo/erlang-questions</a><br>
<br></blockquote></div><br></div></div></div></div></div>
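<p>The extension-decoding problem discussed in the thread, as an added example that is not code from Erlang/OTP or from either poster. It is written in Python so it runs stand-alone, and mirrors the shape of a hello-extensions walker: a generic type/length/body loop, plus a server_name decoder that distinguishes the client form (a ServerNameList) from the server form (an empty body that only acknowledges the name, per RFC 6066 section 3). The sample extension blocks are constructed by hand, not captured from github.com; the hostname "github.com" is used only because it is the host in the report.</p>

```python
import struct

# TLS extension types (IANA registry); NameType host_name(0) is from RFC 6066
SNI_EXT = 0x0000
EC_POINT_FORMATS_EXT = 0x000b
RENEGOTIATION_INFO_EXT = 0xff01
HOST_NAME = 0


class HelloExtensionError(ValueError):
    """Raised for a malformed or role-inappropriate extensions block."""


def decode_sni(ext_data, from_server):
    """Decode a server_name body.  Client: ServerNameList{uint16 len, names}.
    Server: RFC 6066 says the body SHALL be empty (an ack, no names), so a
    decoder that unconditionally reads the 16-bit list length fails on zero
    bytes of data.  Returns the host names, [] for the server ack."""
    if not ext_data:
        if from_server:
            return []
        raise HelloExtensionError("client server_name must carry a ServerNameList")
    # A non-empty server body violates the SHALL; decode it like a client's
    # rather than aborting the handshake.
    if len(ext_data) < 2:
        raise HelloExtensionError("truncated ServerNameList length")
    (list_len,) = struct.unpack("!H", ext_data[:2])
    body = ext_data[2:]
    if list_len != len(body):
        raise HelloExtensionError("ServerNameList length does not match body")
    names, pos = [], 0
    while pos < len(body):
        if pos + 3 > len(body):
            raise HelloExtensionError("truncated ServerName header")
        name_type, name_len = struct.unpack("!BH", body[pos:pos + 3])
        pos += 3
        raw = body[pos:pos + name_len]
        if len(raw) != name_len:
            raise HelloExtensionError("truncated HostName")
        pos += name_len
        if name_type != HOST_NAME:
            continue  # unknown NameType: skip, do not fail the handshake
        try:
            host = raw.decode("ascii")
        except UnicodeDecodeError:
            raise HelloExtensionError("HostName is not ASCII") from None
        # RFC 6066: no trailing dot, and literal IPs are not permitted (crude check)
        if not host or host.endswith(".") or ":" in host or host.replace(".", "").isdigit():
            raise HelloExtensionError("invalid HostName %r" % host)
        names.append(host)
    return names


def decode_hello_extensions(data, from_server):
    """Walk the extensions vector of a hello: uint16 type, uint16 length, body.
    `data` is the concatenated extensions (after the outer uint16 length)."""
    raw, pos = {}, 0
    while pos < len(data):
        if pos + 4 > len(data):
            raise HelloExtensionError("truncated extension header")
        ext_type, ext_len = struct.unpack("!HH", data[pos:pos + 4])
        pos += 4
        ext_data = data[pos:pos + ext_len]
        if len(ext_data) != ext_len:
            raise HelloExtensionError("extension body runs past the block")
        pos += ext_len
        if ext_type in raw:  # RFC 5246: at most one extension of each type
            raise HelloExtensionError("duplicate extension 0x%04x" % ext_type)
        raw[ext_type] = ext_data
    result = {}
    for ext_type, ext_data in raw.items():
        if ext_type == SNI_EXT:
            result["sni"] = decode_sni(ext_data, from_server)
        elif ext_type in (EC_POINT_FORMATS_EXT, RENEGOTIATION_INFO_EXT):
            # both bodies are a one-byte length followed by that many bytes
            if not ext_data or len(ext_data) != 1 + ext_data[0]:
                raise HelloExtensionError("malformed extension 0x%04x" % ext_type)
            key = "ec_point_formats" if ext_type == EC_POINT_FORMATS_EXT else "renegotiation_info"
            result[key] = list(ext_data[1:]) if ext_type == EC_POINT_FORMATS_EXT else ext_data[1:]
        else:
            result.setdefault("unknown", []).append(ext_type)
    return result


def encode_ext(ext_type, body):
    return struct.pack("!HH", ext_type, len(body)) + body


def encode_client_sni(host):
    name = struct.pack("!BH", HOST_NAME, len(host)) + host.encode("ascii")
    return encode_ext(SNI_EXT, struct.pack("!H", len(name)) + name)


# Constructed samples (not captured traffic): a client asking for github.com,
# and the ServerHello extensions of a server that acknowledges the name with
# an empty server_name extension (type 0, length 0, no body).
CLIENT_EXTS = encode_client_sni("github.com") + encode_ext(EC_POINT_FORMATS_EXT, b"\x01\x00")
SERVER_EXTS = (encode_ext(RENEGOTIATION_INFO_EXT, b"\x00")
               + encode_ext(EC_POINT_FORMATS_EXT, b"\x01\x00")
               + encode_ext(SNI_EXT, b""))

if __name__ == "__main__":
    print(decode_hello_extensions(CLIENT_EXTS, from_server=False))
    print(decode_hello_extensions(SERVER_EXTS, from_server=True))
```

<p>The role flag is the point: the same four zero bytes are a valid acknowledgement in a ServerHello and a malformed extension in a ClientHello, so the decoder needs to know which side it is parsing rather than special-casing a length of zero everywhere. The duplicate-type check is there because an extensions walker that silently lets a later copy overwrite an earlier one is an easy place for a downgrade or confusion bug to hide.</p>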