<div dir="ltr">Hi again!<div><br></div><div>On second thought, you did connect to an TLS server not to a upgradeable tcp server as I was thinking about.</div><div>So your approach should work as it is was ssl internally does. Your site does seem to require a server name indication though,</div><div>which you will get with ssl:connect .</div><div><br></div><div>{ok, Tcp} = gen_tcp:connect("<a href="http://httpbin.org/" rel="noreferrer" target="_blank">httpbin.org</a>", 443, [binary]).</div><div>{ok, Ssl} = ssl:connect(Tcp, [{server_name_indication,"<a href="http://httpbin.org">httpbin.org</a>"}], 30000).    <br></div><div><div class="gmail_extra">







<div class="gmail_quote"><span style="font-variant-ligatures:no-common-ligatures;color:rgb(0,0,0);font-family:menlo;font-size:11px"> </span></div><div class="gmail_quote">works.</div><div class="gmail_quote"><br></div><div class="gmail_quote"><br></div><div class="gmail_quote">Regards Ingela Erlang/OTP team - Ericsson AB</div><div class="gmail_quote"><br></div><div class="gmail_quote">2017-05-12 15:04 GMT+02:00 Ingela Andin <span dir="ltr"><<a href="mailto:ingela.andin@gmail.com" target="_blank">ingela.andin@gmail.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>Hi!<br><br></div><div><div><div class="gmail_extra"><div class="gmail_quote"><span class="gmail-">2017-05-12 12:52 GMT+02:00 Dmitry Kolesnikov <span dir="ltr"><<a href="mailto:dmkolesnikov@gmail.com" target="_blank">dmkolesnikov@gmail.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hello,<br>
<br>
I hope Ingela and other bright people could help me to localize an issue with ssl 8.1 at Erlang/OTP 19 [erts-8.2]. The issue listed below is repeatable in shell and prod deployments.<br>
<br>
```<br>
ssl:start().<br>
{ok, Tcp} = gen_tcp:connect("<a href="http://httpbin.org" rel="noreferrer" target="_blank">httpbin.org</a>", 443, [binary]).<br>
{ok, Ssl} = ssl:connect(Tcp, [], 30000).<br>
<br>
=ERROR REPORT==== 12-May-2017::13:34:21 ===<br>
SSL: hello: ssl_alert.erl:88:Fatal error: internal error<br>
** exception error: no match of right hand side value {error,{tls_alert,"internal error"}}<br>
```<br>
<br>
It is not clear the root cause of SSL alert. Why the remote side decline SSL connection with ALERT 80? curl <a href="https://httpbin.org" rel="noreferrer" target="_blank">https://httpbin.org</a> works.<br>
<br></blockquote><div><br></div></span><div>It is the server that sends the alert 80, which means that the server experienced an internal error. <br></div><div><br>The following works fine:<br><br>ssl:connect("<a href="http://httpbin.org" target="_blank">httpbin.org</a>", 443, []).<br>{ok,{sslsocket,{gen_tcp,#Port<<wbr>0.839>,tls_connection,<br>                        undefined},<br>               <0.105.0>}}<br><br></div><div><br></div><div>If you first want to manually start a tcp connection and then upgrade it to TLS the client and server need to somehow agree on this so that the server is ready to receive the TLS<br></div><div>client hello when it is sent by the client. This is often referred to as STARTTLS and is used by a lot of protocols like FTPS.<br><br></div><div>Regards Ingela Erlang/OTP Team Ericsson AB<br></div><div><div class="gmail-h5"><div><br><br> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
curl Client Hello is following<br>
<br>
```<br>
TLSv1.2 Record Layer: Handshake Protocol: Client Hello<br>
    Content Type: Handshake (22)<br>
    Version: TLS 1.0 (0x0301)<br>
    Length: 224<br>
    Handshake Protocol: Client Hello<br>
        Handshake Type: Client Hello (1)<br>
        Length: 220<br>
        Version: TLS 1.2 (0x0303)<br>
        Random<br>
        Session ID Length: 0<br>
        Cipher Suites Length: 110<br>
        Cipher Suites (55 suites)<br>
            Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_S<wbr>CSV (0x00ff)<br>
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_G<wbr>CM_SHA384 (0xc02c)<br>
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_G<wbr>CM_SHA256 (0xc02b)<br>
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_C<wbr>BC_SHA384 (0xc024)<br>
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_C<wbr>BC_SHA256 (0xc023)<br>
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_C<wbr>BC_SHA (0xc00a)<br>
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_C<wbr>BC_SHA (0xc009)<br>
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_<wbr>CBC_SHA (0xc008)<br>
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM<wbr>_SHA384 (0xc030)<br>
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM<wbr>_SHA256 (0xc02f)<br>
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC<wbr>_SHA384 (0xc028)<br>
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC<wbr>_SHA256 (0xc027)<br>
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC<wbr>_SHA (0xc014)<br>
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC<wbr>_SHA (0xc013)<br>
            Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CB<wbr>C_SHA (0xc012)<br>
            Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_GC<wbr>M_SHA384 (0xc02e)<br>
            Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_GC<wbr>M_SHA256 (0xc02d)<br>
            Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_CB<wbr>C_SHA384 (0xc026)<br>
            Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CB<wbr>C_SHA256 (0xc025)<br>
            Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_CB<wbr>C_SHA (0xc005)<br>
            Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CB<wbr>C_SHA (0xc004)<br>
            Cipher Suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_C<wbr>BC_SHA (0xc003)<br>
            Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_GCM_<wbr>SHA384 (0xc032)<br>
            Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_GCM_<wbr>SHA256 (0xc031)<br>
            Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_CBC_<wbr>SHA384 (0xc02a)<br>
            Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_<wbr>SHA256 (0xc029)<br>
            Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_CBC_<wbr>SHA (0xc00f)<br>
            Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_<wbr>SHA (0xc00e)<br>
            Cipher Suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC<wbr>_SHA (0xc00d)<br>
            Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_S<wbr>HA384 (0x009f)<br>
            Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_S<wbr>HA256 (0x009e)<br>
            Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_S<wbr>HA256 (0x006b)<br>
            Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_S<wbr>HA256 (0x0067)<br>
            Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_S<wbr>HA (0x0039)<br>
            Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_S<wbr>HA (0x0033)<br>
            Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_<wbr>SHA (0x0016)<br>
            Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA38<wbr>4 (0x009d)<br>
            Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA25<wbr>6 (0x009c)<br>
            Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA25<wbr>6 (0x003d)<br>
            Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA25<wbr>6 (0x003c)<br>
            Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)<br>
            Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)<br>
            Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)<br>
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_RC4_128_S<wbr>HA (0xc007)<br>
            Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)<br>
            Cipher Suite: TLS_ECDH_ECDSA_WITH_RC4_128_SH<wbr>A (0xc002)<br>
            Cipher Suite: TLS_ECDH_RSA_WITH_RC4_128_SHA (0xc00c)<br>
            Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)<br>
            Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)<br>
            Cipher Suite: TLS_PSK_WITH_AES_256_CBC_SHA38<wbr>4 (0x00af)<br>
            Cipher Suite: TLS_PSK_WITH_AES_128_CBC_SHA25<wbr>6 (0x00ae)<br>
            Cipher Suite: TLS_PSK_WITH_AES_256_CBC_SHA (0x008d)<br>
            Cipher Suite: TLS_PSK_WITH_AES_128_CBC_SHA (0x008c)<br>
            Cipher Suite: TLS_PSK_WITH_RC4_128_SHA (0x008a)<br>
            Cipher Suite: TLS_PSK_WITH_3DES_EDE_CBC_SHA (0x008b)<br>
        Compression Methods Length: 1<br>
        Compression Methods (1 method)<br>
        Extensions Length: 69<br>
        Extension: server_name<br>
        Extension: elliptic_curves<br>
        Extension: ec_point_formats<br>
        Extension: signature_algorithms<br>
        Extension: status_request<br>
        Extension: signed_certificate_timestamp<br>
```<br>
<br>
OTP ssl lib Client Hello is following<br>
<br>
```<br>
TLSv1.2 Record Layer: Handshake Protocol: Client Hello<br>
    Content Type: Handshake (22)<br>
    Version: TLS 1.0 (0x0301)<br>
    Length: 213<br>
    Handshake Protocol: Client Hello<br>
        Handshake Type: Client Hello (1)<br>
        Length: 209<br>
        Version: TLS 1.2 (0x0303)<br>
        Random<br>
        Session ID Length: 0<br>
        Cipher Suites Length: 100<br>
        Cipher Suites (50 suites)<br>
            Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_S<wbr>CSV (0x00ff)<br>
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_G<wbr>CM_SHA384 (0xc02c)<br>
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM<wbr>_SHA384 (0xc030)<br>
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_C<wbr>BC_SHA384 (0xc024)<br>
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC<wbr>_SHA384 (0xc028)<br>
            Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_GC<wbr>M_SHA384 (0xc02e)<br>
            Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_GCM_<wbr>SHA384 (0xc032)<br>
            Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_CB<wbr>C_SHA384 (0xc026)<br>
            Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_CBC_<wbr>SHA384 (0xc02a)<br>
            Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_S<wbr>HA384 (0x009f)<br>
            Cipher Suite: TLS_DHE_DSS_WITH_AES_256_GCM_S<wbr>HA384 (0x00a3)<br>
            Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_S<wbr>HA256 (0x006b)<br>
            Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_S<wbr>HA256 (0x006a)<br>
            Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA38<wbr>4 (0x009d)<br>
            Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA25<wbr>6 (0x003d)<br>
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_G<wbr>CM_SHA256 (0xc02b)<br>
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM<wbr>_SHA256 (0xc02f)<br>
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_C<wbr>BC_SHA256 (0xc023)<br>
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC<wbr>_SHA256 (0xc027)<br>
            Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_GC<wbr>M_SHA256 (0xc02d)<br>
            Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_GCM_<wbr>SHA256 (0xc031)<br>
            Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CB<wbr>C_SHA256 (0xc025)<br>
            Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_<wbr>SHA256 (0xc029)<br>
            Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_S<wbr>HA256 (0x009e)<br>
            Cipher Suite: TLS_DHE_DSS_WITH_AES_128_GCM_S<wbr>HA256 (0x00a2)<br>
            Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_S<wbr>HA256 (0x0067)<br>
            Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_S<wbr>HA256 (0x0040)<br>
            Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA25<wbr>6 (0x009c)<br>
            Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA25<wbr>6 (0x003c)<br>
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_C<wbr>BC_SHA (0xc00a)<br>
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC<wbr>_SHA (0xc014)<br>
            Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_S<wbr>HA (0x0039)<br>
            Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_S<wbr>HA (0x0038)<br>
            Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_CB<wbr>C_SHA (0xc005)<br>
            Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_CBC_<wbr>SHA (0xc00f)<br>
            Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)<br>
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_<wbr>CBC_SHA (0xc008)<br>
            Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CB<wbr>C_SHA (0xc012)<br>
            Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_<wbr>SHA (0x0016)<br>
            Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_<wbr>SHA (0x0013)<br>
            Cipher Suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_C<wbr>BC_SHA (0xc003)<br>
            Cipher Suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC<wbr>_SHA (0xc00d)<br>
            Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)<br>
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_C<wbr>BC_SHA (0xc009)<br>
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC<wbr>_SHA (0xc013)<br>
            Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_S<wbr>HA (0x0033)<br>
            Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_S<wbr>HA (0x0032)<br>
            Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CB<wbr>C_SHA (0xc004)<br>
            Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_<wbr>SHA (0xc00e)<br>
            Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)<br>
        Compression Methods Length: 1<br>
        Compression Methods (1 method)<br>
        Extensions Length: 68<br>
        Extension: elliptic_curves<br>
        Extension: ec_point_formats<br>
```<br>
<br>
In case of curl the following Server Hello is send back<br>
```<br>
TLSv1.2 Record Layer: Handshake Protocol: Server Hello<br>
    Content Type: Handshake (22)<br>
    Version: TLS 1.2 (0x0303)<br>
    Length: 87<br>
    Handshake Protocol: Server Hello<br>
        Handshake Type: Server Hello (2)<br>
        Length: 83<br>
        Version: TLS 1.2 (0x0303)<br>
        Random<br>
        Session ID Length: 32<br>
        Session ID: bbc2e52ca6918654931096e223825a<wbr>4a173780c8d010837d...<br>
        Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM<wbr>_SHA256 (0xc02f)<br>
        Compression Method: null (0)<br>
        Extensions Length: 11<br>
        Extension: ec_point_formats<br>
        Extension: renegotiation_info<br>
```<br>
<br>
I can restrict ssl lib to work with TLS_ECDHE_RSA_WITH_AES_128_GCM<wbr>_SHA256 but it fails as well.<br>
<br>
```<br>
{ok, Tcp} = gen_tcp:connect("<a href="http://httpbin.org" rel="noreferrer" target="_blank">httpbin.org</a>", 443, [binary]).<br>
{ok, Ssl} = ssl:connect(Tcp, [{ciphers, [{ecdhe_rsa,aes_128_gcm,null,s<wbr>ha256}]}], 30000).<br>
<br>
=ERROR REPORT==== 12-May-2017::13:49:28 ===<br>
SSL: hello: ssl_alert.erl:88:Fatal error: internal error<br>
** exception error: no match of right hand side value {error,{tls_alert,"internal error"}}<br>
```<br>
<br>
Thanks you in advanced!<br>
<br>
Best Regards,<br>
Dmitry<br>
<br>
<br>
______________________________<wbr>_________________<br>
erlang-questions mailing list<br>
<a href="mailto:erlang-questions@erlang.org" target="_blank">erlang-questions@erlang.org</a><br>
<a href="http://erlang.org/mailman/listinfo/erlang-questions" rel="noreferrer" target="_blank">http://erlang.org/mailman/list<wbr>info/erlang-questions</a><br>
</blockquote></div></div></div><br></div></div></div></div>
</blockquote></div><br></div></div></div>