Hi!<div><br></div><div>Maybe it can help - <a href="https://blog.process-one.net/apple-increasing-security-of-push-service-ahead-of-wwdc/">https://blog.process-one.net/apple-increasing-security-of-push-service-ahead-of-wwdc/</a><br><br>On Sunday, 7 June 2015, Guilherme Andrade wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<br>
<div>On 07-06-2015 16:12, Denis Justinek
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>Hello! <br>
<br>
For the last few days I started experiencing problems when
connecting to Apple Push Notification Service (APNS) with <br>
Erlang's SSL.<br>
</div>
</div>
</blockquote>
<br>
Yeah, I've been getting this too, albeit only on the sandbox
endpoint; R16B03-1 here.<br>
<br>
It's rather weird; the TLS 1.2 spec[1] lists the following hashing
algorithms:<br>
<pre> enum {
     none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
     sha512(6), (255)
 } HashAlgorithm;
</pre>
239 being 0xEF, it's a rather suspicious bitmask, so I would go with
either 1) handshake message being wrongly decoded or 2) something fishy
on their end.<br>
<br>
[1]: <a href="https://www.ietf.org/rfc/rfc5246.txt" target="_blank">https://www.ietf.org/rfc/rfc5246.txt</a><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div><br>
When trying to connect I encounter the following error:<br>
<br>
** exception exit:
{{function_clause,[{ssl_cipher,hash_algorithm,"ï",<br>
[{file,"ssl_cipher.erl"},{line,1196}]},<br>
{ssl_handshake,'-decode_handshake/3-lc$^0/1-0-',1,<br>
[{file,"ssl_handshake.erl"},{line,945}]},<br>
{ssl_handshake,'-decode_handshake/3-lc$^0/1-0-',1,<br>
[{file,"ssl_handshake.erl"},{line,946}]},<br>
{ssl_handshake,decode_handshake,3,<br>
[{file,"ssl_handshake.erl"},{line,945}]},<br>
{tls_handshake,get_tls_handshake_aux,3,<br>
[{file,"tls_handshake.erl"},{line,155}]},<br>
{tls_connection,next_state,4,<br>
[{file,"tls_connection.erl"},{line,433}]},<br>
{tls_connection,next_state,4,<br>
[{file,"tls_connection.erl"},{line,437}]},<br>
{gen_fsm,handle_msg,7,[{file,"gen_fsm.erl"},{line,503}]}]},<br>
{gen_fsm,sync_send_all_state_event,<br>
[<0.1221.0>,{start,1000},infinity]}}<br>
in function gen_fsm:sync_send_all_state_event/3
(gen_fsm.erl, line 242)<br>
in call from ssl_connection:sync_send_all_state_event/2
(ssl_connection.erl, line 1654)<br>
in call from ssl_connection:handshake/2
(ssl_connection.erl, line 101)<br>
in call from tls_connection:start_fsm/8
(tls_connection.erl, line 81)<br>
in call from ssl_connection:connect/8
(ssl_connection.erl, line 71)<br>
16:53:13.961 <0.1221.0> Undefined Undefined [error]
gen_fsm <0.1221.0> in state certify terminated with
reason: no function clause matching
ssl_cipher:hash_algorithm(239) line 1196<br>
16:53:13.964 <0.1221.0> Undefined Undefined [error]
CRASH REPORT Process <0.1221.0> with 0 neighbours exited
with reason: no function clause matching
ssl_cipher:hash_algorithm(239) line 1196 in
gen_fsm:terminate/7 line 611<br>
16:53:13.965 <0.174.0> Undefined Undefined [error]
Supervisor tls_connection_sup had child undefined started with
{tls_connection,start_link,undefined} at <0.1221.0> exit
with reason no function clause matching
ssl_cipher:hash_algorithm(239) line 1196 in context
child_terminated<br>
<br>
Steps to reproduce (you need an APNS certificate for this):<br>
<br>
application:ensure_all_started(ssl).<br>
Address = "<a href="http://gateway.sandbox.push.apple.com" target="_blank">gateway.sandbox.push.apple.com</a>".<br>
Port = 2195.<br>
Cert = "cert.pem".<br>
CertPass = "*****".<br>
Options1 =
[{certfile,Cert},{password,CertPass},{mode,binary}].<br>
Timeout = 1000.<br>
{ok,Socket} = ssl:connect(Address, Port, Options1,
Timeout).<br>
<br>
If we try to connect with the same certificate by using
OpenSSL from command line (s_client) it works fine with no
errors.<br>
<br>
Terminal command: openssl s_client -connect <a href="http://gateway.sandbox.push.apple.com:2195" target="_blank">gateway.sandbox.push.apple.com:2195</a>
-cert cert.pem -debug <br>
Enter pass phrase for cert.pem:<br>
CONNECTED(00000003)<br>
...<br>
Certificate chain<br>
0 s:/C=US/ST=California/L=Cupertino/O=Apple Inc./CN=<a href="http://gateway.sandbox.push.apple.com" target="_blank">gateway.sandbox.push.apple.com</a><br>
i:/C=US/O=Entrust, Inc./OU=<a href="http://www.entrust.net/rpa" target="_blank">www.entrust.net/rpa</a> is
incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust
Certification Authority - L1C<br>
1 s:/C=US/O=Entrust, Inc./OU=<a href="http://www.entrust.net/rpa" target="_blank">www.entrust.net/rpa</a> is
incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust
Certification Authority - L1C<br>
i:/O=Entrust.net/OU=<a href="http://www.entrust.net/CPS_2048" target="_blank">www.entrust.net/CPS_2048</a>
incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net
Limited/CN=Entrust.net Certification Authority (2048)<br>
---<br>
...<br>
subject=/C=US/ST=California/L=Cupertino/O=Apple Inc./CN=<a href="http://gateway.sandbox.push.apple.com" target="_blank">gateway.sandbox.push.apple.com</a><br>
issuer=/C=US/O=Entrust, Inc./OU=<a href="http://www.entrust.net/rpa" target="_blank">www.entrust.net/rpa</a> is
incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust
Certification Authority - L1C<br>
---<br>
No client certificate CA names sent<br>
---<br>
SSL handshake has read 2760 bytes and written 2363 bytes<br>
---<br>
New, TLSv1/SSLv3, Cipher is AES256-SHA<br>
Server public key is 2048 bit<br>
Secure Renegotiation IS supported<br>
Compression: NONE<br>
Expansion: NONE<br>
SSL-Session:<br>
Protocol : TLSv1<br>
Cipher : AES256-SHA<br>
Session-ID: <br>
Session-ID-ctx: <br>
Master-Key: ...<br>
Key-Arg : None<br>
Start Time: 1433689177<br>
Timeout : 300 (sec)<br>
Verify return code: 0 (ok)<br>
---<br>
<br>
Is this an issue with Erlang SSL module? How can it be
mitigated?<br>
<br>
</div>
This can be reproduced on OSX and Linux - Erlang 17.4.<br>
<div><br>
With regards,<br>
Denis<br>
</div>
</div>
<br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
erlang-questions mailing list
erlang-questions@erlang.org
<a href="http://erlang.org/mailman/listinfo/erlang-questions" target="_blank">http://erlang.org/mailman/listinfo/erlang-questions</a>
</pre>
</blockquote>
<br>
<pre cols="72">--
Guilherme
<a href="https://www.gandrade.net/" target="_blank">https://www.gandrade.net/</a>
PGP: 0x602B2AD8 / B348 C976 CCE1 A02A 017E 4649 7A6E B621 602B 2AD8
</pre>
</div>
</blockquote></div><br><br>-- <br><div dir="ltr">Петровский Александр / Alexander Petrovsky,<br><br>Skype: askjuise<br><div>Phone: +7 914 8 820 815<div><br></div></div></div><br>
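Added example, not part of the thread and not OTP's own code: one way a decoder can handle the (hash, signature) byte pairs discussed above without crashing on a value such as 239, which falls in the 224-255 range that RFC 5246 reserves for private use. The module and function names are hypothetical, and it is an assumption that the failing list is a signature-algorithms vector of 2-byte pairs.

```erlang
-module(sigalgs_demo).
-export([decode/1, demo/0]).

%% HashAlgorithm code points from RFC 5246, section 7.4.1.4.1.
hash(0) -> none;   hash(1) -> md5;    hash(2) -> sha1;
hash(3) -> sha224; hash(4) -> sha256; hash(5) -> sha384;
hash(6) -> sha512;
%% Catch-all clauses: an unknown byte becomes a tagged tuple instead of
%% raising function_clause, which is what terminated the connection
%% process in the report above.
hash(N) when N >= 224, N =< 255 -> {private_use, N};
hash(N) -> {unassigned, N}.

%% SignatureAlgorithm code points from the same section.
sign(0) -> anon; sign(1) -> rsa; sign(2) -> dsa; sign(3) -> ecdsa;
sign(N) -> {unknown, N}.

%% Decode the body of a signature-algorithms vector (a run of 2-byte pairs).
%% Returns {Usable, Ignored}: pairs made only of known code points, and
%% pairs that are skipped. The peer's preference order is kept in both lists.
decode(Bin) when is_binary(Bin), byte_size(Bin) rem 2 =:= 0 ->
    Pairs = [{hash(H), sign(S)} || <<H:8, S:8>> <= Bin],
    lists:partition(fun({H, S}) -> is_atom(H) andalso is_atom(S) end, Pairs);
decode(_) ->
    {error, bad_vector}.

demo() ->
    %% Constructed sample, not captured traffic:
    %% sha256/rsa, 239/rsa (the value from the crash report), sha1/rsa.
    Sample = <<4,1, 239,1, 2,1>>,
    {Usable, Ignored} = decode(Sample),
    [{sha256, rsa}, {sha1, rsa}] = Usable,
    [{{private_use, 239}, rsa}] = Ignored,
    %% A truncated vector is rejected rather than partially decoded.
    {error, bad_vector} = decode(<<4,1,239>>),
    ok.
```

Compile with `c(sigalgs_demo).` in the Erlang shell and call `sigalgs_demo:demo().`; the pattern matches inside `demo/0` fail with `badmatch` if the decoder misbehaves.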