<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <br>
    <div class="moz-cite-prefix">On 07-06-2015 16:12, Denis Justinek
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAK1S123jS+uvrBx+cxcmUmRS=7pqSNZ8UToJG7TmznT2yZSDTQ@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div>Hello! <br>
          <br>
          For the last few days I stared experiencing problems when
          connecting to Apple Push Notification Service (APNS) with <br>
          Erlangs SSL.<br>
        </div>
      </div>
    </blockquote>
    <br>
    Yeah, I've been getting this too, albeit only on the sandbox
    endpoint; R16B03-1 here.<br>
    <br>
    It's rather weird; the TLS 1.2 spec[1] lists the following hashing
    algorithms:<br>
    <pre>      enum {
          none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
          sha512(6), (255)
      } HashAlgorithm;

239 being 0xEF, it's a rather suspicious bitmask, so I would go with 
either 1) handshake message being wrongly decoded or 2) something fishy 
on the their end.



[1]: <a class="moz-txt-link-freetext" href="https://www.ietf.org/rfc/rfc5246.txt">https://www.ietf.org/rfc/rfc5246.txt</a>
</pre>
    <br>
    <blockquote
cite="mid:CAK1S123jS+uvrBx+cxcmUmRS=7pqSNZ8UToJG7TmznT2yZSDTQ@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div><br>
          When trying to connect I encounter the following error:<br>
          <br>
          ** exception exit:
          {{function_clause,[{ssl_cipher,hash_algorithm,"ï",<br>
                                                           
          [{file,"ssl_cipher.erl"},{line,1196}]},<br>
                                               
          {ssl_handshake,'-decode_handshake/3-lc$^0/1-0-',1,<br>
                                                              
          [{file,"ssl_handshake.erl"},{line,945}]},<br>
                                               
          {ssl_handshake,'-decode_handshake/3-lc$^0/1-0-',1,<br>
                                                              
          [{file,"ssl_handshake.erl"},{line,946}]},<br>
                                               
          {ssl_handshake,decode_handshake,3,<br>
                                                              
          [{file,"ssl_handshake.erl"},{line,945}]},<br>
                                               
          {tls_handshake,get_tls_handshake_aux,3,<br>
                                                              
          [{file,"tls_handshake.erl"},{line,155}]},<br>
                                               
          {tls_connection,next_state,4,<br>
                                                               
          [{file,"tls_connection.erl"},{line,433}]},<br>
                                               
          {tls_connection,next_state,4,<br>
                                                               
          [{file,"tls_connection.erl"},{line,437}]},<br>
                                               
          {gen_fsm,handle_msg,7,[{file,"gen_fsm.erl"},{line,503}]}]},<br>
                              {gen_fsm,sync_send_all_state_event,<br>
                                      
          [<0.1221.0>,{start,1000},infinity]}}<br>
               in function  gen_fsm:sync_send_all_state_event/3
          (gen_fsm.erl, line 242)<br>
               in call from ssl_connection:sync_send_all_state_event/2
          (ssl_connection.erl, line 1654)<br>
               in call from ssl_connection:handshake/2
          (ssl_connection.erl, line 101)<br>
               in call from tls_connection:start_fsm/8
          (tls_connection.erl, line 81)<br>
               in call from ssl_connection:connect/8
          (ssl_connection.erl, line 71)<br>
          16:53:13.961 <0.1221.0> Undefined Undefined [error]
          gen_fsm <0.1221.0> in state certify terminated with
          reason: no function clause matching
          ssl_cipher:hash_algorithm(239) line 1196<br>
          16:53:13.964 <0.1221.0> Undefined Undefined [error]
          CRASH REPORT Process <0.1221.0> with 0 neighbours exited
          with reason: no function clause matching
          ssl_cipher:hash_algorithm(239) line 1196 in
          gen_fsm:terminate/7 line 611<br>
          16:53:13.965 <0.174.0> Undefined Undefined [error]
          Supervisor tls_connection_sup had child undefined started with
          {tls_connection,start_link,undefined} at <0.1221.0> exit
          with reason no function clause matching
          ssl_cipher:hash_algorithm(239) line 1196 in context
          child_terminated<br>
          <br>
          Steps to reproduce (you need an APNS certificate for this):<br>
          <br>
              application:ensure_all_started(ssl).<br>
              Address = "<a moz-do-not-send="true"
            href="http://gateway.sandbox.push.apple.com">gateway.sandbox.push.apple.com</a>".<br>
              Port = 2195.<br>
              Cert = "cert.pem".<br>
              CertPass = "*****".<br>
              Options1 =
          [{certfile,Cert},{password,CertPass},{mode,binary}].<br>
              Timeout = 1000.<br>
              {ok,Socket} = ssl:connect(Address, Port, Options1,
          Timeout).<br>
          <br>
          If we try to connect with the same certificate by using
          OpenSSL from command line (s_client) if works fine with no
          errors.<br>
          <br>
              Terminal command: openssl s_client -connect <a
            moz-do-not-send="true"
            href="http://gateway.sandbox.push.apple.com:2195">gateway.sandbox.push.apple.com:2195</a>
          -cert cert.pem -debug <br>
              Enter pass phrase for cert.pem:<br>
              CONNECTED(00000003)<br>
              ...<br>
              Certificate chain<br>
               0 s:/C=US/ST=California/L=Cupertino/O=Apple Inc./CN=<a
            moz-do-not-send="true"
            href="http://gateway.sandbox.push.apple.com">gateway.sandbox.push.apple.com</a><br>
                 i:/C=US/O=Entrust, Inc./OU=<a moz-do-not-send="true"
            href="http://www.entrust.net/rpa">www.entrust.net/rpa</a> is
          incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust
          Certification Authority - L1C<br>
               1 s:/C=US/O=Entrust, Inc./OU=<a moz-do-not-send="true"
            href="http://www.entrust.net/rpa">www.entrust.net/rpa</a> is
          incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust
          Certification Authority - L1C<br>
                 i:/O=Entrust.net/OU=<a moz-do-not-send="true"
            href="http://www.entrust.net/CPS_2048">www.entrust.net/CPS_2048</a>
          incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net
          Limited/CN=Entrust.net Certification Authority (2048)<br>
              ---<br>
              ...<br>
              subject=/C=US/ST=California/L=Cupertino/O=Apple Inc./CN=<a
            moz-do-not-send="true"
            href="http://gateway.sandbox.push.apple.com">gateway.sandbox.push.apple.com</a><br>
              issuer=/C=US/O=Entrust, Inc./OU=<a moz-do-not-send="true"
            href="http://www.entrust.net/rpa">www.entrust.net/rpa</a> is
          incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust
          Certification Authority - L1C<br>
              ---<br>
              No client certificate CA names sent<br>
              ---<br>
              SSL handshake has read 2760 bytes and written 2363 bytes<br>
              ---<br>
              New, TLSv1/SSLv3, Cipher is AES256-SHA<br>
              Server public key is 2048 bit<br>
              Secure Renegotiation IS supported<br>
              Compression: NONE<br>
              Expansion: NONE<br>
              SSL-Session:<br>
                  Protocol  : TLSv1<br>
                  Cipher    : AES256-SHA<br>
                  Session-ID: <br>
                  Session-ID-ctx: <br>
                  Master-Key: ...<br>
                  Key-Arg   : None<br>
                  Start Time: 1433689177<br>
                  Timeout   : 300 (sec)<br>
                  Verify return code: 0 (ok)<br>
          ---<br>
          <br>
          Is this an issue with Erlang SSL module? How can it be
          mitigated?<br>
          <br>
        </div>
        This can be reproduced on OSX and Linux - Erlang 17.4.<br>
        <div><br>
          With regards,<br>
              Denis<br>
        </div>
      </div>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <br>
      <pre wrap="">_______________________________________________
erlang-questions mailing list
<a class="moz-txt-link-abbreviated" href="mailto:erlang-questions@erlang.org">erlang-questions@erlang.org</a>
<a class="moz-txt-link-freetext" href="http://erlang.org/mailman/listinfo/erlang-questions">http://erlang.org/mailman/listinfo/erlang-questions</a>
</pre>
    </blockquote>
    <br>
    <pre class="moz-signature" cols="72">-- 
Guilherme

<a class="moz-txt-link-freetext" href="https://www.gandrade.net/">https://www.gandrade.net/</a>
PGP: 0x602B2AD8 / B348 C976 CCE1 A02A 017E 4649 7A6E B621 602B 2AD8
</pre>
  </body>
</html>