<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<br>
<div class="moz-cite-prefix">On 07-06-2015 22:15, Alexander
Petrovsky wrote:<br>
</div>
<blockquote
cite="mid:CAH57y_RZeLp3N2hEiZ9PGzC2P4MWmy_j8q=O3Lfmy_pQPH9RAQ@mail.gmail.com"
type="cite">Hi!
<div><br>
</div>
<div>Maybe it can help - <a moz-do-not-send="true"
href="https://blog.process-one.net/apple-increasing-security-of-push-service-ahead-of-wwdc/">https://blog.process-one.net/apple-increasing-security-of-push-service-ahead-of-wwdc/</a><br>
</div>
</blockquote>
<br>
Thank you, very enlightening. It doesn't feel quite safe to fall back
to 'null' / 'anon', though? Hmm...<br>
<br>
<br>
<blockquote
cite="mid:CAH57y_RZeLp3N2hEiZ9PGzC2P4MWmy_j8q=O3Lfmy_pQPH9RAQ@mail.gmail.com"
type="cite">
<div><br>
On Sunday, 7 June 2015, Guilherme Andrade
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> <br>
<div>On 07-06-2015 16:12, Denis Justinek wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>Hello! <br>
<br>
For the last few days I started experiencing problems
when connecting to Apple Push Notification Service
(APNS) with <br>
Erlang's SSL.<br>
</div>
</div>
</blockquote>
<br>
Yeah, I've been getting this too, albeit only on the sandbox
endpoint; R16B03-1 here.<br>
<br>
It's rather weird; the TLS 1.2 spec[1] lists the following
hashing algorithms:<br>
<pre> enum {
none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
sha512(6), (255)
} HashAlgorithm;
239 being 0xEF, it's a rather suspicious bitmask, so I would go with
either 1) handshake message being wrongly decoded or 2) something fishy
on their end.
[1]: <a moz-do-not-send="true" href="https://www.ietf.org/rfc/rfc5246.txt" target="_blank">https://www.ietf.org/rfc/rfc5246.txt</a>
</pre>
<br>
<blockquote type="cite">
<div dir="ltr">
<div><br>
When trying to connect I encounter the following
error:<br>
<br>
** exception exit:
{{function_clause,[{ssl_cipher,hash_algorithm,"ï",<br>
[{file,"ssl_cipher.erl"},{line,1196}]},<br>
{ssl_handshake,'-decode_handshake/3-lc$^0/1-0-',1,<br>
[{file,"ssl_handshake.erl"},{line,945}]},<br>
{ssl_handshake,'-decode_handshake/3-lc$^0/1-0-',1,<br>
[{file,"ssl_handshake.erl"},{line,946}]},<br>
{ssl_handshake,decode_handshake,3,<br>
[{file,"ssl_handshake.erl"},{line,945}]},<br>
{tls_handshake,get_tls_handshake_aux,3,<br>
[{file,"tls_handshake.erl"},{line,155}]},<br>
{tls_connection,next_state,4,<br>
[{file,"tls_connection.erl"},{line,433}]},<br>
{tls_connection,next_state,4,<br>
[{file,"tls_connection.erl"},{line,437}]},<br>
{gen_fsm,handle_msg,7,[{file,"gen_fsm.erl"},{line,503}]}]},<br>
{gen_fsm,sync_send_all_state_event,<br>
[<0.1221.0>,{start,1000},infinity]}}<br>
in function gen_fsm:sync_send_all_state_event/3
(gen_fsm.erl, line 242)<br>
in call from
ssl_connection:sync_send_all_state_event/2
(ssl_connection.erl, line 1654)<br>
in call from ssl_connection:handshake/2
(ssl_connection.erl, line 101)<br>
in call from tls_connection:start_fsm/8
(tls_connection.erl, line 81)<br>
in call from ssl_connection:connect/8
(ssl_connection.erl, line 71)<br>
16:53:13.961 <0.1221.0> Undefined Undefined
[error] gen_fsm <0.1221.0> in state certify
terminated with reason: no function clause matching
ssl_cipher:hash_algorithm(239) line 1196<br>
16:53:13.964 <0.1221.0> Undefined Undefined
[error] CRASH REPORT Process <0.1221.0> with 0
neighbours exited with reason: no function clause
matching ssl_cipher:hash_algorithm(239) line 1196 in
gen_fsm:terminate/7 line 611<br>
16:53:13.965 <0.174.0> Undefined Undefined
[error] Supervisor tls_connection_sup had child
undefined started with
{tls_connection,start_link,undefined} at
<0.1221.0> exit with reason no function clause
matching ssl_cipher:hash_algorithm(239) line 1196 in
context child_terminated<br>
<br>
Steps to reproduce (you need an APNS certificate for
this):<br>
<br>
application:ensure_all_started(ssl).<br>
Address = "<a moz-do-not-send="true"
href="http://gateway.sandbox.push.apple.com"
target="_blank">gateway.sandbox.push.apple.com</a>".<br>
Port = 2195.<br>
Cert = "cert.pem".<br>
CertPass = "*****".<br>
Options1 =
[{certfile,Cert},{password,CertPass},{mode,binary}].<br>
Timeout = 1000.<br>
{ok,Socket} = ssl:connect(Address, Port, Options1,
Timeout).<br>
<br>
If we try to connect with the same certificate by
using OpenSSL from the command line (s_client) it works
fine with no errors.<br>
<br>
Terminal command: openssl s_client -connect <a
moz-do-not-send="true"
href="http://gateway.sandbox.push.apple.com:2195"
target="_blank">gateway.sandbox.push.apple.com:2195</a>
-cert cert.pem -debug <br>
Enter pass phrase for cert.pem:<br>
CONNECTED(00000003)<br>
...<br>
Certificate chain<br>
0 s:/C=US/ST=California/L=Cupertino/O=Apple
Inc./CN=<a moz-do-not-send="true"
href="http://gateway.sandbox.push.apple.com"
target="_blank">gateway.sandbox.push.apple.com</a><br>
i:/C=US/O=Entrust, Inc./OU=<a
moz-do-not-send="true"
href="http://www.entrust.net/rpa" target="_blank">www.entrust.net/rpa</a>
is incorporated by reference/OU=(c) 2009 Entrust,
Inc./CN=Entrust Certification Authority - L1C<br>
1 s:/C=US/O=Entrust, Inc./OU=<a
moz-do-not-send="true"
href="http://www.entrust.net/rpa" target="_blank">www.entrust.net/rpa</a>
is incorporated by reference/OU=(c) 2009 Entrust,
Inc./CN=Entrust Certification Authority - L1C<br>
i:/O=Entrust.net/OU=<a moz-do-not-send="true"
href="http://www.entrust.net/CPS_2048"
target="_blank">www.entrust.net/CPS_2048</a> incorp.
by ref. (limits liab.)/OU=(c) 1999 Entrust.net
Limited/CN=Entrust.net Certification Authority (2048)<br>
---<br>
...<br>
subject=/C=US/ST=California/L=Cupertino/O=Apple
Inc./CN=<a moz-do-not-send="true"
href="http://gateway.sandbox.push.apple.com"
target="_blank">gateway.sandbox.push.apple.com</a><br>
issuer=/C=US/O=Entrust, Inc./OU=<a
moz-do-not-send="true"
href="http://www.entrust.net/rpa" target="_blank">www.entrust.net/rpa</a>
is incorporated by reference/OU=(c) 2009 Entrust,
Inc./CN=Entrust Certification Authority - L1C<br>
---<br>
No client certificate CA names sent<br>
---<br>
SSL handshake has read 2760 bytes and written 2363
bytes<br>
---<br>
New, TLSv1/SSLv3, Cipher is AES256-SHA<br>
Server public key is 2048 bit<br>
Secure Renegotiation IS supported<br>
Compression: NONE<br>
Expansion: NONE<br>
SSL-Session:<br>
Protocol : TLSv1<br>
Cipher : AES256-SHA<br>
Session-ID: <br>
Session-ID-ctx: <br>
Master-Key: ...<br>
Key-Arg : None<br>
Start Time: 1433689177<br>
Timeout : 300 (sec)<br>
Verify return code: 0 (ok)<br>
---<br>
<br>
Is this an issue with the Erlang SSL module? How can it be
mitigated?<br>
<br>
</div>
This can be reproduced on OSX and Linux - Erlang 17.4.<br>
<div><br>
With regards,<br>
Denis<br>
</div>
</div>
<br>
</blockquote>
<br>
<pre cols="72">--
Guilherme
<a moz-do-not-send="true" href="https://www.gandrade.net/" target="_blank">https://www.gandrade.net/</a>
PGP: 0x602B2AD8 / B348 C976 CCE1 A02A 017E 4649 7A6E B621 602B 2AD8
</pre>
</div>
</blockquote>
</div>
<br>
<br>
-- <br>
<div dir="ltr">Петровский Александр / Alexander Petrovsky,<br>
<br>
Skype: askjuise<br>
<div>Phone: +7 914 8 820 815
<div><br>
</div>
</div>
</div>
<br>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Guilherme
<a class="moz-txt-link-freetext" href="https://www.gandrade.net/">https://www.gandrade.net/</a>
PGP: 0x602B2AD8 / B348 C976 CCE1 A02A 017E 4649 7A6E B621 602B 2AD8
</pre>
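<div>Added example (not part of the thread and not OTP's ssl code): a tolerant decoder for a TLS 1.2 supported_signature_algorithms vector that keeps an unrecognised hash byte such as 239 as data instead of failing with function_clause. The module name, function names and the sample vector are constructed for illustration; the enum values are those of RFC 5246.</div>

```erlang
%% Added example; sigalgs_demo and its functions are hypothetical names.
-module(sigalgs_demo).
-export([decode/1, hash/1, sign/1, demo/0]).

%% HashAlgorithm values from RFC 5246 (the enum quoted in the thread).
hash(0) -> none;
hash(1) -> md5;
hash(2) -> sha1;
hash(3) -> sha224;
hash(4) -> sha256;
hash(5) -> sha384;
hash(6) -> sha512;
%% Any other byte is returned as a tagged value rather than crashing.
%% RFC 5246 reserves 224-255 for private use, so 239 (0xEF) lands here.
hash(N) when is_integer(N), N >= 0, N =< 255 -> {unknown, N}.

%% SignatureAlgorithm values from the same RFC.
sign(0) -> anon;
sign(1) -> rsa;
sign(2) -> dsa;
sign(3) -> ecdsa;
sign(N) when is_integer(N), N >= 0, N =< 255 -> {unknown, N}.

%% Decode a vector made of a 2-byte length followed by (hash, signature)
%% byte pairs. Returns {Usable, Skipped}: pairs the client understands and
%% pairs it must ignore when choosing how to sign. A length that does not
%% match the payload, or an odd length, is rejected as malformed.
decode(<<Len:16, Pairs:Len/binary>>) when Len rem 2 =:= 0 ->
    All = [{hash(H), sign(S)} || <<H:8, S:8>> <= Pairs],
    lists:partition(fun usable/1, All);
decode(_) ->
    {error, malformed_vector}.

%% A pair is usable only if both halves were recognised.
usable({{unknown, _}, _}) -> false;
usable({_, {unknown, _}}) -> false;
usable(_) -> true.

demo() ->
    %% Constructed sample, not captured traffic: sha256/rsa, sha1/rsa and
    %% one pair whose hash byte is 239.
    Vector = <<6:16, 4, 1, 2, 1, 239, 1>>,
    decode(Vector).
```

<div>Unknown pairs are only skipped, never selected: the client still signs with an algorithm from the usable list, so tolerating the extra value does not weaken what is negotiated.</div>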
</body>
</html>