<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 10/08/2014 10:47 AM, Ingela Andin
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAFj9NSSC6GWA0cqPs53drj5yjkCOn1Y3BDOGKkOS7gigfYEUFA@mail.gmail.com"
      type="cite">
      <div dir="ltr">Hi!<br>
        <div>
          <div class="gmail_extra"><br>
            <div class="gmail_quote">2014-10-08 0:22 GMT+02:00 Andre
              Graf <span dir="ltr"><<a moz-do-not-send="true"
                  href="mailto:andre.graf@erl.io" target="_blank">andre.graf@erl.io</a>></span>:<br>
              <blockquote class="gmail_quote" style="margin:0px 0px 0px
                0.8ex;border-left:1px solid
                rgb(204,204,204);padding-left:1ex">Hi there,<br>
                <br>
                today I wrote an EUnit test suite that should check the
                SSL connection<br>
                setup to an Erlang SSL server. Although the test cases
                are pretty simple<br>
                and standard, I stumbled upon various inconsistencies
                when testing<br>
                against different OTP versions (R15B02,
                R16B03-1, OTP-17.3.1). I thought<br>
                I'd share my findings.<br>
                <br>
                The different test cases are:<br>
                <br>
                1. Connect No Client Auth (SUCCESS)<br>
                2. Connect No Client Auth (FAIL: wrong CA)<br>
                3. Connect Client Auth (SUCCESS)<br>
                4. Connect Client Auth (FAIL: no Client Cert provided)<br>
                5. Connect Client Auth (FAIL: Client Cert expired)<br>
                6. Connect Client Auth (FAIL: CRL check, Client Cert
                revoked)<br>
                7. Connect Client Auth (SUCCESS, CRL check)<br>
                <br>
                Inconsistencies in expected return of 'ssl:connect/2' in
                test case 2:<br>
                - R15B02: {error,"unknown ca"}<br>
                - R16B03-1: {error,{tls_alert,"unknown ca"}}<br>
                - OTP-17.3.1: {error,{tls_alert,"unknown ca"}}<br>
                <br>
              </blockquote>
              <div><br>
              </div>
              <div>This is part of the documented potential
                incompatibility that we chose to do to improve the
                quality of the error messages.<br>
              </div>
              <div><br>
                 </div>
              <blockquote class="gmail_quote" style="margin:0px 0px 0px
                0.8ex;border-left:1px solid
                rgb(204,204,204);padding-left:1ex">
                Inconsistencies in expected return of 'ssl:connect/2' in
                test case 3:<br>
                - R15B02: {ok, Sock}<br>
                - R16B03-1: {ok, Sock}<br>
                - OTP-17.3.1: {error,closed}<br>
                <br>
              </blockquote>
              <div><br>
              </div>
              <div>Will try your test case when I get time. Seems
                strange.<br>
              </div>
              <div><br>
                 </div>
              <blockquote class="gmail_quote" style="margin:0px 0px 0px
                0.8ex;border-left:1px solid
                rgb(204,204,204);padding-left:1ex">
                Inconsistencies in expected return of 'ssl:connect/2' in
                test case 4:<br>
                - R15B02: {error,esslconnect}<br>
                - R16B03-1: {error,{tls_alert,"handshake failure"}}<br>
                - OTP-17.3.1: {error,{tls_alert,"handshake failure"}}<br>
                <br>
              </blockquote>
              <div> <br>
                This is also part of the documented potential
                incompatibility that we chose to do to improve the
                quality of the error messages.<br>
                <br>
                <br>
              </div>
              <blockquote class="gmail_quote" style="margin:0px 0px 0px
                0.8ex;border-left:1px solid
                rgb(204,204,204);padding-left:1ex">
                Inconsistencies in expected return of 'ssl:connect/2' in
                test case 5:<br>
                - R15B02: {error,"certificate expired"}<br>
                - R16B03-1: {error,{tls_alert,"certificate expired"}}<br>
                - OTP-17.3.1: {error,{tls_alert,"unknown ca"}}<br>
                <br>
              </blockquote>
              <div> Will try your test case when I get time. Seems
                strange.<br>
                <br>
                <br>
              </div>
              <blockquote class="gmail_quote" style="margin:0px 0px 0px
                0.8ex;border-left:1px solid
                rgb(204,204,204);padding-left:1ex">
                Inconsistencies in expected return of 'ssl:connect/2' in
                test case 6:<br>
                - R15B02: SSL handshake process crashes<br>
                - R16B03-1: {error,{tls_alert,"certificate revoked"}}<br>
                - OTP-17.3.1: {error,closed}<br>
                <br>
              </blockquote>
              <div> <br>
              </div>
              <div>Alas, you can never depend on getting the correct
                error message and not {error,closed}, as<br>
              </div>
              <div>TCP does not have a delivery guarantee on the
                application level, only on the transport level. <br>
              </div>
              <div>So ssl sends its alert and then closes the socket,
                and with bad timing the application may<br>
              </div>
              <div>receive the socket close before it receives the error
                message data.<br>
              </div>
              <div><br>
              </div>
              <blockquote class="gmail_quote" style="margin:0px 0px 0px
                0.8ex;border-left:1px solid
                rgb(204,204,204);padding-left:1ex">
                Inconsistencies in expected return of 'ssl:connect/2' in
                test case 7:<br>
                - R15B02: {ok, Socket}<br>
                - R16B03-1: {ok, Socket}<br>
                - OTP-17.3.1: {error,{tls_alert,"unknown ca"}}<br>
                <br>
              </blockquote>
              <div> <br>
                Will try your test case when I get time. Seems strange.<br>
                <br>
                 <br>
              </div>
              <div>Regards Ingela Erlang/OTP team - Ericsson AB<br>
              </div>
              <div><br>
                <br>
              </div>
              <blockquote class="gmail_quote" style="margin:0px 0px 0px
                0.8ex;border-left:1px solid
                rgb(204,204,204);padding-left:1ex">
                No inconsistencies in test case 1. :)<br>
                <br>
                The code is available on <a moz-do-not-send="true"
                  href="https://github.com/dergraf/erlang_ssl_tester"
                  target="_blank">https://github.com/dergraf/erlang_ssl_tester</a>.<br>
                <br>
                Cheers,<br>
                André<br>
                _______________________________________________<br>
                erlang-questions mailing list<br>
                <a moz-do-not-send="true"
                  href="mailto:erlang-questions@erlang.org">erlang-questions@erlang.org</a><br>
                <a moz-do-not-send="true"
                  href="http://erlang.org/mailman/listinfo/erlang-questions"
                  target="_blank">http://erlang.org/mailman/listinfo/erlang-questions</a><br>
              </blockquote>
            </div>
            <br>
          </div>
        </div>
      </div>
    </blockquote>
    Hello Ingela,<br>
    <br>
    Thanks for your reply. Please let me know if you need any help with
    the test case. The tests should pass on R16B03-1, just run 'rebar
    eunit'. <br>
    <br>
    Cheers,<br>
    André<br>
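    <br>
    Added example (not part of this thread or of the erlang_ssl_tester repository): one way to write the failing-connect test cases so that the alert-versus-close race Ingela describes does not make them flaky. The module name, host, port and certificate paths are placeholders assumed for the example; the accepted return shapes are the ones listed in the thread.<br>

```erlang
%% Added example, not code from the thread or the erlang_ssl_tester
%% repository. Assumed placeholders: the module name, the test server on
%% localhost:8443 and the certificate file paths.
-module(ssl_connect_tolerant_tests).
-include_lib("eunit/include/eunit.hrl").

%% A rejected handshake may surface as the specific TLS alert or as a
%% bare {error,closed}: the server sends the alert and then closes the
%% socket, and the close can reach the client before the alert record.
%% Treat both as a rejection; treat {ok, Sock} as a test failure.
assert_rejected(ExpectedAlert, Result) ->
    case Result of
        {error, {tls_alert, ExpectedAlert}} -> ok;   %% R16B03-1 / OTP-17 shape
        {error, ExpectedAlert} -> ok;                %% R15B02 shape (bare string)
        {error, closed} -> ok;                       %% close arrived before alert
        {ok, Sock} ->
            ssl:close(Sock),
            erlang:error({unexpected_success, ExpectedAlert});
        Other ->
            erlang:error({unexpected_error, ExpectedAlert, Other})
    end.

%% Test case 2 from the thread: client trusts a CA that did not issue the
%% server certificate, so the handshake must be rejected.
wrong_ca_test() ->
    {ok, _} = application:ensure_all_started(ssl),
    Result = ssl:connect("localhost", 8443,                 %% assumed test server
                         [{cacertfile, "priv/wrong_ca.pem"}, %% assumed path
                          {verify, verify_peer}],
                         5000),
    assert_rejected("unknown ca", Result).

%% Test case 4 from the thread: server requires client auth, client
%% offers no certificate, so the handshake must be rejected.
no_client_cert_test() ->
    {ok, _} = application:ensure_all_started(ssl),
    Result = ssl:connect("localhost", 8443,                 %% assumed test server
                         [{cacertfile, "priv/ca.pem"},       %% assumed path
                          {verify, verify_peer}],
                         5000),
    assert_rejected("handshake failure", Result).
```

    The point of assert_rejected/2 is that a negative test should check that the connection was refused, not that one particular error term was delivered; asserting on the exact alert string alone makes the suite fail intermittently for the timing reason given above, and fail across OTP versions for the documented error-format change.<br>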
  </body>
</html>