<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <br>
    <br>
    <div class="moz-cite-prefix">On 07-06-2015 22:15, Alexander
      Petrovsky wrote:<br>
    </div>
    <blockquote
cite="mid:CAH57y_RZeLp3N2hEiZ9PGzC2P4MWmy_j8q=O3Lfmy_pQPH9RAQ@mail.gmail.com"
      type="cite">Hi!
      <div><br>
      </div>
      <div>Maybe it can help - <a moz-do-not-send="true"
href="https://blog.process-one.net/apple-increasing-security-of-push-service-ahead-of-wwdc/">https://blog.process-one.net/apple-increasing-security-of-push-service-ahead-of-wwdc/</a><br>
      </div>
    </blockquote>
    <br>
    Thank you, very enlightening. It doesn't feel quite safe to fallback
    to 'null' / 'anon', though? Hmm...<br>
    <br>
    <br>
    <blockquote
cite="mid:CAH57y_RZeLp3N2hEiZ9PGzC2P4MWmy_j8q=O3Lfmy_pQPH9RAQ@mail.gmail.com"
      type="cite">
      <div><br>
        воскресенье, 7 июня 2015 г. пользователь Guilherme Andrade
        написал:<br>
        <blockquote class="gmail_quote" style="margin:0 0 0
          .8ex;border-left:1px #ccc solid;padding-left:1ex">
          <div bgcolor="#FFFFFF" text="#000000"> <br>
            <div>On 07-06-2015 16:12, Denis Justinek wrote:<br>
            </div>
            <blockquote type="cite">
              <div dir="ltr">
                <div>Hello! <br>
                  <br>
                  For the last few days I stared experiencing problems
                  when connecting to Apple Push Notification Service
                  (APNS) with <br>
                  Erlangs SSL.<br>
                </div>
              </div>
            </blockquote>
            <br>
            Yeah, I've been getting this too, albeit only on the sandbox
            endpoint; R16B03-1 here.<br>
            <br>
            It's rather weird; the TLS 1.2 spec[1] lists the following
            hashing algorithms:<br>
            <pre>      enum {
          none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
          sha512(6), (255)
      } HashAlgorithm;

239 being 0xEF, it's a rather suspicious bitmask, so I would go with 
either 1) handshake message being wrongly decoded or 2) something fishy 
on the their end.



[1]: <a moz-do-not-send="true" href="https://www.ietf.org/rfc/rfc5246.txt" target="_blank">https://www.ietf.org/rfc/rfc5246.txt</a>
</pre>
            <br>
            <blockquote type="cite">
              <div dir="ltr">
                <div><br>
                  When trying to connect I encounter the following
                  error:<br>
                  <br>
                  ** exception exit:
                  {{function_clause,[{ssl_cipher,hash_algorithm,"ï",<br>
                                                                   
                  [{file,"ssl_cipher.erl"},{line,1196}]},<br>
                                                       
                  {ssl_handshake,'-decode_handshake/3-lc$^0/1-0-',1,<br>
                                                                      
                  [{file,"ssl_handshake.erl"},{line,945}]},<br>
                                                       
                  {ssl_handshake,'-decode_handshake/3-lc$^0/1-0-',1,<br>
                                                                      
                  [{file,"ssl_handshake.erl"},{line,946}]},<br>
                                                       
                  {ssl_handshake,decode_handshake,3,<br>
                                                                      
                  [{file,"ssl_handshake.erl"},{line,945}]},<br>
                                                       
                  {tls_handshake,get_tls_handshake_aux,3,<br>
                                                                      
                  [{file,"tls_handshake.erl"},{line,155}]},<br>
                                                       
                  {tls_connection,next_state,4,<br>
                                                                       
                  [{file,"tls_connection.erl"},{line,433}]},<br>
                                                       
                  {tls_connection,next_state,4,<br>
                                                                       
                  [{file,"tls_connection.erl"},{line,437}]},<br>
                                                       
                  {gen_fsm,handle_msg,7,[{file,"gen_fsm.erl"},{line,503}]}]},<br>
                                     
                  {gen_fsm,sync_send_all_state_event,<br>
                                              
                  [<0.1221.0>,{start,1000},infinity]}}<br>
                       in function  gen_fsm:sync_send_all_state_event/3
                  (gen_fsm.erl, line 242)<br>
                       in call from
                  ssl_connection:sync_send_all_state_event/2
                  (ssl_connection.erl, line 1654)<br>
                       in call from ssl_connection:handshake/2
                  (ssl_connection.erl, line 101)<br>
                       in call from tls_connection:start_fsm/8
                  (tls_connection.erl, line 81)<br>
                       in call from ssl_connection:connect/8
                  (ssl_connection.erl, line 71)<br>
                  16:53:13.961 <0.1221.0> Undefined Undefined
                  [error] gen_fsm <0.1221.0> in state certify
                  terminated with reason: no function clause matching
                  ssl_cipher:hash_algorithm(239) line 1196<br>
                  16:53:13.964 <0.1221.0> Undefined Undefined
                  [error] CRASH REPORT Process <0.1221.0> with 0
                  neighbours exited with reason: no function clause
                  matching ssl_cipher:hash_algorithm(239) line 1196 in
                  gen_fsm:terminate/7 line 611<br>
                  16:53:13.965 <0.174.0> Undefined Undefined
                  [error] Supervisor tls_connection_sup had child
                  undefined started with
                  {tls_connection,start_link,undefined} at
                  <0.1221.0> exit with reason no function clause
                  matching ssl_cipher:hash_algorithm(239) line 1196 in
                  context child_terminated<br>
                  <br>
                  Steps to reproduce (you need an APNS certificate for
                  this):<br>
                  <br>
                      application:ensure_all_started(ssl).<br>
                      Address = "<a moz-do-not-send="true"
                    href="http://gateway.sandbox.push.apple.com"
                    target="_blank">gateway.sandbox.push.apple.com</a>".<br>
                      Port = 2195.<br>
                      Cert = "cert.pem".<br>
                      CertPass = "*****".<br>
                      Options1 =
                  [{certfile,Cert},{password,CertPass},{mode,binary}].<br>
                      Timeout = 1000.<br>
                      {ok,Socket} = ssl:connect(Address, Port, Options1,
                  Timeout).<br>
                  <br>
                  If we try to connect with the same certificate by
                  using OpenSSL from command line (s_client) if works
                  fine with no errors.<br>
                  <br>
                      Terminal command: openssl s_client -connect <a
                    moz-do-not-send="true"
                    href="http://gateway.sandbox.push.apple.com:2195"
                    target="_blank">gateway.sandbox.push.apple.com:2195</a>
                  -cert cert.pem -debug <br>
                      Enter pass phrase for cert.pem:<br>
                      CONNECTED(00000003)<br>
                      ...<br>
                      Certificate chain<br>
                       0 s:/C=US/ST=California/L=Cupertino/O=Apple
                  Inc./CN=<a moz-do-not-send="true"
                    href="http://gateway.sandbox.push.apple.com"
                    target="_blank">gateway.sandbox.push.apple.com</a><br>
                         i:/C=US/O=Entrust, Inc./OU=<a
                    moz-do-not-send="true"
                    href="http://www.entrust.net/rpa" target="_blank">www.entrust.net/rpa</a>
                  is incorporated by reference/OU=(c) 2009 Entrust,
                  Inc./CN=Entrust Certification Authority - L1C<br>
                       1 s:/C=US/O=Entrust, Inc./OU=<a
                    moz-do-not-send="true"
                    href="http://www.entrust.net/rpa" target="_blank">www.entrust.net/rpa</a>
                  is incorporated by reference/OU=(c) 2009 Entrust,
                  Inc./CN=Entrust Certification Authority - L1C<br>
                         i:/O=Entrust.net/OU=<a moz-do-not-send="true"
                    href="http://www.entrust.net/CPS_2048"
                    target="_blank">www.entrust.net/CPS_2048</a> incorp.
                  by ref. (limits liab.)/OU=(c) 1999 Entrust.net
                  Limited/CN=Entrust.net Certification Authority (2048)<br>
                      ---<br>
                      ...<br>
                      subject=/C=US/ST=California/L=Cupertino/O=Apple
                  Inc./CN=<a moz-do-not-send="true"
                    href="http://gateway.sandbox.push.apple.com"
                    target="_blank">gateway.sandbox.push.apple.com</a><br>
                      issuer=/C=US/O=Entrust, Inc./OU=<a
                    moz-do-not-send="true"
                    href="http://www.entrust.net/rpa" target="_blank">www.entrust.net/rpa</a>
                  is incorporated by reference/OU=(c) 2009 Entrust,
                  Inc./CN=Entrust Certification Authority - L1C<br>
                      ---<br>
                      No client certificate CA names sent<br>
                      ---<br>
                      SSL handshake has read 2760 bytes and written 2363
                  bytes<br>
                      ---<br>
                      New, TLSv1/SSLv3, Cipher is AES256-SHA<br>
                      Server public key is 2048 bit<br>
                      Secure Renegotiation IS supported<br>
                      Compression: NONE<br>
                      Expansion: NONE<br>
                      SSL-Session:<br>
                          Protocol  : TLSv1<br>
                          Cipher    : AES256-SHA<br>
                          Session-ID: <br>
                          Session-ID-ctx: <br>
                          Master-Key: ...<br>
                          Key-Arg   : None<br>
                          Start Time: 1433689177<br>
                          Timeout   : 300 (sec)<br>
                          Verify return code: 0 (ok)<br>
                  ---<br>
                  <br>
                  Is this an issue with Erlang SSL module? How can it be
                  mitigated?<br>
                  <br>
                </div>
                This can be reproduced on OSX and Linux - Erlang 17.4.<br>
                <div><br>
                  With regards,<br>
                      Denis<br>
                </div>
              </div>
              <br>
              <fieldset></fieldset>
              <br>
              <pre>_______________________________________________
erlang-questions mailing list
<a moz-do-not-send="true" href="javascript:_e(%7B%7D,'cvml','erlang-questions@erlang.org');" target="_blank">erlang-questions@erlang.org</a>
<a moz-do-not-send="true" href="http://erlang.org/mailman/listinfo/erlang-questions" target="_blank">http://erlang.org/mailman/listinfo/erlang-questions</a>
</pre>
            </blockquote>
            <br>
            <pre cols="72">-- 
Guilherme

<a moz-do-not-send="true" href="https://www.gandrade.net/" target="_blank">https://www.gandrade.net/</a>
PGP: 0x602B2AD8 / B348 C976 CCE1 A02A 017E 4649 7A6E B621 602B 2AD8
</pre>
          </div>
        </blockquote>
      </div>
      <br>
      <br>
      -- <br>
      <div dir="ltr">Петровский Александр / Alexander Petrovsky,<br>
        <br>
        Skype: askjuise<br>
        <div>Phone: +7 914 8 820 815
          <div><br>
          </div>
        </div>
      </div>
      <br>
    </blockquote>
    <br>
    <pre class="moz-signature" cols="72">-- 
Guilherme

<a class="moz-txt-link-freetext" href="https://www.gandrade.net/">https://www.gandrade.net/</a>
PGP: 0x602B2AD8 / B348 C976 CCE1 A02A 017E 4649 7A6E B621 602B 2AD8
</pre>
  </body>
</html>