<div dir="ltr"><div><p>I think the following patch would solve the problem, in a good way.</p>

<p>I am not sure why they send an invalid value instead of no value, but
 this way invalid values will be ignored and ssl will fallback to default values 
if there are no valid values in the extension.</p>diff --git a/lib/ssl/src/ssl_cipher.erl b/lib/ssl/src/ssl_cipher.erl<br>index 8584e56..fd101ef 100644<br>--- a/lib/ssl/src/ssl_cipher.erl<br>+++ b/lib/ssl/src/ssl_cipher.erl<br>@@ -1573,8 +1573,9 @@ hash_algorithm(?SHA) -> sha;<br> hash_algorithm(?SHA224) -> sha224;<br> hash_algorithm(?SHA256) -> sha256;<br> hash_algorithm(?SHA384) -> sha384;<br>-hash_algorithm(?SHA512) -> sha512.<br>-<br>+hash_algorithm(?SHA512) -> sha512;<br>+hash_algorithm(_) -> undefined.<br>+ <br> sign_algorithm(anon)  -> ?ANON;<br> sign_algorithm(rsa)   -> ?RSA;<br> sign_algorithm(dsa)   -> ?DSA;<br>@@ -1582,7 +1583,8 @@ sign_algorithm(ecdsa) -> ?ECDSA;<br> sign_algorithm(?ANON) -> anon;<br> sign_algorithm(?RSA) -> rsa;<br> sign_algorithm(?DSA) -> dsa;<br>-sign_algorithm(?ECDSA) -> ecdsa.<br>+sign_algorithm(?ECDSA) -> ecdsa;<br>+sign_algorithm(_) -> undefined.<br> <br> hash_size(null) -><br>     0;<br>diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl<br>index 12a17cb..32da478 100644<br>--- a/lib/ssl/src/ssl_handshake.erl<br>+++ b/lib/ssl/src/ssl_handshake.erl<br>@@ -587,7 +587,11 @@ select_hashsign(#hash_sign_algos{hash_sign_algos = HashSigns}, Cert, {Major, Min<br>     #'OTPCertificate'{tbsCertificate = TBSCert} =public_key:pkix_decode_cert(Cert, otp),<br>     #'OTPSubjectPublicKeyInfo'{algorithm = {_,Algo, _}} = TBSCert#'OTPTBSCertificate'.subjectPublicKeyInfo,<br>     DefaultHashSign = {_, Sign} = select_hashsign_algs(undefined, Algo, Version),<br>-    case lists:filter(fun({sha, dsa}) -><br>+    case lists:filter(fun({_, undefined}) -> %% ignore invalid extension signature values<br>+                  false;<br>+             ({undefined, _}) -> %% ignore invalid extension hash values<br>+                  false;<br>+             ({sha, dsa}) -><br>                   true;<br>              ({_, dsa}) -><br>                   false;<br><br></div>Regards Ingela Erlang/OTP team - Ericsson AB<br><div><br><br><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">2015-06-07 17:12 GMT+02:00 Denis Justinek <span dir="ltr"><<a href="mailto:denis.justinek@gmail.com" target="_blank">denis.justinek@gmail.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>Hello! <br><br>For the last few days I stared experiencing problems when connecting to Apple Push Notification Service (APNS) with <br>Erlangs SSL.<br><br>When trying to connect I encounter the following error:<br><br>** exception exit: {{function_clause,[{ssl_cipher,hash_algorithm,"ï",<br>                                                  [{file,"ssl_cipher.erl"},{line,1196}]},<br>                                      {ssl_handshake,'-decode_handshake/3-lc$^0/1-0-',1,<br>                                                     [{file,"ssl_handshake.erl"},{line,945}]},<br>                                      {ssl_handshake,'-decode_handshake/3-lc$^0/1-0-',1,<br>                                                     [{file,"ssl_handshake.erl"},{line,946}]},<br>                                      {ssl_handshake,decode_handshake,3,<br>                                                     [{file,"ssl_handshake.erl"},{line,945}]},<br>                                      {tls_handshake,get_tls_handshake_aux,3,<br>                                                     [{file,"tls_handshake.erl"},{line,155}]},<br>                                      {tls_connection,next_state,4,<br>                                                      [{file,"tls_connection.erl"},{line,433}]},<br>                                      {tls_connection,next_state,4,<br>                                                      [{file,"tls_connection.erl"},{line,437}]},<br>                                      {gen_fsm,handle_msg,7,[{file,"gen_fsm.erl"},{line,503}]}]},<br>                    {gen_fsm,sync_send_all_state_event,<br>                             [<0.1221.0>,{start,1000},infinity]}}<br>     in function  gen_fsm:sync_send_all_state_event/3 (gen_fsm.erl, line 242)<br>     in call from ssl_connection:sync_send_all_state_event/2 (ssl_connection.erl, line 1654)<br>     in call from ssl_connection:handshake/2 (ssl_connection.erl, line 101)<br>     in call from tls_connection:start_fsm/8 (tls_connection.erl, line 81)<br>     in call from ssl_connection:connect/8 (ssl_connection.erl, line 71)<br>16:53:13.961 <0.1221.0> Undefined Undefined [error] gen_fsm <0.1221.0> in state certify terminated with reason: no function clause matching ssl_cipher:hash_algorithm(239) line 1196<br>16:53:13.964 <0.1221.0> Undefined Undefined [error] CRASH REPORT Process <0.1221.0> with 0 neighbours exited with reason: no function clause matching ssl_cipher:hash_algorithm(239) line 1196 in gen_fsm:terminate/7 line 611<br>16:53:13.965 <0.174.0> Undefined Undefined [error] Supervisor tls_connection_sup had child undefined started with {tls_connection,start_link,undefined} at <0.1221.0> exit with reason no function clause matching ssl_cipher:hash_algorithm(239) line 1196 in context child_terminated<br><br>Steps to reproduce (you need an APNS certificate for this):<br><br>    application:ensure_all_started(ssl).<br>    Address = "<a href="http://gateway.sandbox.push.apple.com" target="_blank">gateway.sandbox.push.apple.com</a>".<br>    Port = 2195.<br>    Cert = "cert.pem".<br>    CertPass = "*****".<br>    Options1 = [{certfile,Cert},{password,CertPass},{mode,binary}].<br>    Timeout = 1000.<br>    {ok,Socket} = ssl:connect(Address, Port, Options1, Timeout).<br><br>If we try to connect with the same certificate by using OpenSSL from command line (s_client) if works fine with no errors.<br><br>    Terminal command: openssl s_client -connect <a href="http://gateway.sandbox.push.apple.com:2195" target="_blank">gateway.sandbox.push.apple.com:2195</a> -cert cert.pem -debug <br>    Enter pass phrase for cert.pem:<br>    CONNECTED(00000003)<br>    ...<br>    Certificate chain<br>     0 s:/C=US/ST=California/L=Cupertino/O=Apple Inc./CN=<a href="http://gateway.sandbox.push.apple.com" target="_blank">gateway.sandbox.push.apple.com</a><br>       i:/C=US/O=Entrust, Inc./OU=<a href="http://www.entrust.net/rpa" target="_blank">www.entrust.net/rpa</a> is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C<br>     1 s:/C=US/O=Entrust, Inc./OU=<a href="http://www.entrust.net/rpa" target="_blank">www.entrust.net/rpa</a> is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C<br>       i:/O=Entrust.net/OU=<a href="http://www.entrust.net/CPS_2048" target="_blank">www.entrust.net/CPS_2048</a> incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048)<br>    ---<br>    ...<br>    subject=/C=US/ST=California/L=Cupertino/O=Apple Inc./CN=<a href="http://gateway.sandbox.push.apple.com" target="_blank">gateway.sandbox.push.apple.com</a><br>    issuer=/C=US/O=Entrust, Inc./OU=<a href="http://www.entrust.net/rpa" target="_blank">www.entrust.net/rpa</a> is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C<br>    ---<br>    No client certificate CA names sent<br>    ---<br>    SSL handshake has read 2760 bytes and written 2363 bytes<br>    ---<br>    New, TLSv1/SSLv3, Cipher is AES256-SHA<br>    Server public key is 2048 bit<br>    Secure Renegotiation IS supported<br>    Compression: NONE<br>    Expansion: NONE<br>    SSL-Session:<br>        Protocol  : TLSv1<br>        Cipher    : AES256-SHA<br>        Session-ID: <br>        Session-ID-ctx: <br>        Master-Key: ...<br>        Key-Arg   : None<br>        Start Time: 1433689177<br>        Timeout   : 300 (sec)<br>        Verify return code: 0 (ok)<br>---<br><br>Is this an issue with Erlang SSL module? How can it be mitigated?<br><br></div>This can be reproduced on OSX and Linux - Erlang 17.4.<br><div><br>With regards,<br>    Denis<br></div></div>
<br>_______________________________________________<br>
erlang-questions mailing list<br>
<a href="mailto:erlang-questions@erlang.org">erlang-questions@erlang.org</a><br>
<a href="http://erlang.org/mailman/listinfo/erlang-questions" target="_blank">http://erlang.org/mailman/listinfo/erlang-questions</a><br>
<br></blockquote></div><br></div>