<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">I’m having quite some trouble on the SSL front too. I’m giving it a try to move the riak_core code to R21 and the ssl test [1] fails.<div class=""><br class=""></div><div class="">If I use the original keys (in the repo under test/site1/2-…) I get a handshake failure.</div><div class=""><br class=""></div><div class="">Using those keys I get a handshake failure too:</div><div class=""><br class=""></div><div class=""><div class="">openssl req -x509 -newkey rsa:4096 -keyout test/site1-key.pem -out test/site1-cert.pem -days 3650 -nodes -subj '/CN=US'</div><div class="">openssl req -x509 -newkey rsa:4096 -keyout test/site2-key.pem -out test/site2-cert.pem -days 3650 -nodes -subj '/CN=US'</div><div class=""><br class=""></div><div class="">DSA keys</div><div class=""><br class=""></div><div class=""><div class="">openssl dsaparam -out dsaparams-site1.pem 1024</div><div class="">openssl dsaparam -out dsaparams-site2.pem 1024</div><div class="">openssl req -x509 -newkey dsa:dsaparams-site1.pem -keyout test/site1-key.pem -out test/site1-cert.pem -days 3650 -nodes -subj '/CN=US'</div><div class="">openssl req -x509 -newkey dsa:dsaparams-site2.pem -keyout test/site2-key.pem -out test/site2-cert.pem -days 3650 -nodes -subj '/CN=US'</div></div><div class=""><br class=""></div><div class="">Fail with:</div><div class=""><br class=""></div><div class="">{badmatch,</div><div class="">     {error,</div><div class="">         {options,</div><div class="">             {keyfile,"test/site1-key.pem",</div><div class="">                 {error,</div><div class="">                     {asn1,</div><div class="">                         {{wrong_tag,</div><div class="">                              {{expected,16},</div><div class="">                               {got,2,</div><div class="">             
                      {2,</div><div class="">                                    <<74,130,213,43,78,73,39,24,206,62,159,</div><div class="">                                      168,30,65,230,24,14,31,209,192>>}}}},</div><div class="">                          [{'OTP-PUB-KEY',match_tags,2,</div><div class="">                               [{file,"OTP-PUB-KEY.erl"},{line,20535}]},</div><div class="">                           {'OTP-PUB-KEY',dec_DSAPrivateKey,2,</div><div class="">                               [{file,"OTP-PUB-KEY.erl"},{line,1789}]},</div><div class="">                           {'OTP-PUB-KEY',decode,2,</div><div class="">                               [{file,"OTP-PUB-KEY.erl"},{line,1103}]},</div><div class="">                           {public_key,der_decode,2,</div><div class="">                               [{file,"public_key.erl"},{line,248}]},</div><div class="">                           {ssl_config,init_private_key,5,</div><div class="">                               [{file,"ssl_config.erl"},{line,114}]},</div><div class="">                           {ssl_config,init,2,</div><div class="">                               [{file,"ssl_config.erl"},{line,38}]},</div><div class="">                           {ssl_connection,ssl_config,4,</div><div class="">                               [{file,"ssl_connection.erl"},{line,571}]},</div><div class="">                           {tls_connection,init,1,</div><div class="">                               [{file,"tls_connection.erl"},</div><div class="">                                {line,116}]}]}}}}}}}</div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">EC keys fail with a handshake failure too</div><div class=""><br class=""></div><div class=""><div class="">openssl ecparam -out ecparams-site1.pem -name prime256v1</div><div class="">openssl ecparam -out ecparams-site2.pem -name prime256v1</div><div class="">openssl req -x509 -newkey ec:ecparams-site1.pem -keyout 
test/site1-key.pem -out test/site1-cert.pem -days 3650 -nodes -subj '/CN=US'</div><div class="">openssl req -x509 -newkey ec:ecparams-site2.pem -keyout test/site2-key.pem -out test/site2-cert.pem -days 3650 -nodes -subj '/CN=US'</div></div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><a href="https://github.com/Kyorai/riak_core/blob/develop/src/riak_core_tcp_mon.erl#L450" class="">https://github.com/Kyorai/riak_core/blob/develop/src/riak_core_tcp_mon.erl#L450</a><br class=""><div class=""><br class=""></div><div class=""><br class=""><div><br class=""><blockquote type="cite" class=""><div class="">On 4. May 2018, at 09:32, Ingela Andin <<a href="mailto:ingela.andin@gmail.com" class="">ingela.andin@gmail.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class="">Hi!<br class=""><br class=""><div class=""><div class="gmail_extra"><br class=""><div class="gmail_quote">2018-05-03 18:08 GMT+02:00 Loïc Hoguin<span class="Apple-converted-space"> </span><span dir="ltr" class=""><<a href="mailto:essen@ninenines.eu" target="_blank" class="">essen@ninenines.eu</a>></span>:<br class=""><blockquote class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; border-left-width: 1px; border-left-style: solid; border-left-color: rgb(204, 204, 204); padding-left: 1ex;">Hello,<span class=""><br class=""><br class="">On 05/03/2018 01:54 PM, Loïc Hoguin wrote:<br class=""></span><span class=""><blockquote class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; border-left-width: 1px; border-left-style: solid; border-left-color: rgb(204, 204, 204); padding-left: 1ex;">* SSL is broken. See [1] for example. 
I can see the same thing happening on 5 different Linux distributions (with different OpenSSL versions) and on OSX. A quick try in the shell is not much better:<br class=""></blockquote><br class=""></span></blockquote><div class=""><br class=""></div><div class="">Thank you for shouting, that is what the release candidate is for. So we can catch the problems early!<br class=""></div><div class=""><br class=""><br class=""> </div><blockquote class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; border-left-width: 1px; border-left-style: solid; border-left-color: rgb(204, 204, 204); padding-left: 1ex;"><span class=""></span>OK it's just a very misleading error message I think.<br class=""></blockquote><div class=""><br class=""><br class=""></div><div class="">Well that depends, this is not really an error message that you should get unless you have a buggy or malicious client. But of course now we might be getting it due to a bug and then<br class=""></div><div class="">it could be misleading!<br class=""></div><div class=""><br class=""> </div><blockquote class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; border-left-width: 1px; border-left-style: solid; border-left-color: rgb(204, 204, 204); padding-left: 1ex;"><br class="">Switching my server's test keys from RSA to DSA fixes it so I think this issue is caused by:<br class=""><br class=""> <span class="Apple-converted-space"> </span>OTP-14769    Application(s): ssl<br class=""><br class="">               For security reasons RSA-key exchange cipher suites are<br class="">               no longer supported by default<br class=""></blockquote><div class=""><br class=""><br class=""></div><div class="">I do not really suspect this change. RSA-certificates are still supported. Just cipher suites using RSA encryption/decryption in the key exchange process are not supported.<br class=""></div><div class="">When you switched to a DSA-certificate another cipher suite was picked that did not expose the problem.  
If there had been no common cipher suites you would have got another error.<br class=""></div><div class=""><br class=""> </div><blockquote class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; border-left-width: 1px; border-left-style: solid; border-left-color: rgb(204, 204, 204); padding-left: 1ex;"><br class="">Still, it probably should provide a more helpful error message than this:<br class=""><br class="">*** System report during acceptor_SUITE:ssl_echo/1 in ssl 2018-05-03 11:13:04.343 ***<br class="">=INFO REPORT==== 3-May-2018::11:13:04.342940 ===<br class="">TLS server: In state hello at tls_handshake.erl:130 generated SERVER ALERT: Fatal - Handshake Failure - malformed_handshake_data<br class=""><br class="">*** System report during acceptor_SUITE:ssl_echo/1 in ssl 2018-05-03 11:13:04.348 ***<br class="">=INFO REPORT==== 3-May-2018::11:13:04.348265 ===<br class="">TLS client: In state hello received SERVER ALERT: Fatal - Handshake Failure<br class=""><br class="">"malformed_handshake_data" sounds like the client would have sent a malformed handshake, ie bad data, when the actual issue seems to be that the certificate configured is no longer supported. The server generating an alert about its own certificate doesn't sound quite right either.<br class=""><br class="">That being said I do not really know the intent so I'm guessing a bit. All I know for sure is that it's confusing.<br class=""><br class=""></blockquote><div class=""><br class=""><br class=""></div><div class="">This error is consistent with one of the errors I am seeing in the nightly builds when running OpenSSL with only default parameters so I suspect something is off in combination<br class=""></div><div class="">version negotiation and cipher suite selection checks. 
I am looking into it!<br class=""></div><div class=""><br class=""></div><div class="">Regards Ingela Erlang/OTP Team<span class="Apple-converted-space"> </span><br class=""></div><div class=""><br class=""><br class=""><br class=""><br class=""> </div><blockquote class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; border-left-width: 1px; border-left-style: solid; border-left-color: rgb(204, 204, 204); padding-left: 1ex;">Cheers,<div class="HOEnZb"><div class="h5"><br class=""><br class="">--<span class="Apple-converted-space"> </span><br class="">Loïc Hoguin<br class=""><a href="https://ninenines.eu/" rel="noreferrer" target="_blank" class="">https://ninenines.eu</a><br class="">______________________________<wbr class="">_________________<br class="">erlang-questions mailing list<br class=""><a href="mailto:erlang-questions@erlang.org" target="_blank" class="">erlang-questions@erlang.org</a><br class=""><a href="http://erlang.org/mailman/listinfo/erlang-questions" rel="noreferrer" target="_blank" class="">http://erlang.org/mailman/list<wbr class="">info/erlang-questions</a><br class=""></div></div></blockquote></div><br class=""></div></div></div><span style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;" class="">_______________________________________________</span><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><span style="caret-color: rgb(0, 0, 0); font-family: 
Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;" class="">erlang-questions mailing list</span><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><a href="mailto:erlang-questions@erlang.org" style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px;" class="">erlang-questions@erlang.org</a><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><a href="http://erlang.org/mailman/listinfo/erlang-questions" style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px;" class="">http://erlang.org/mailman/listinfo/erlang-questions</a></div></blockquote></div><br class=""></div></div></div></body></html>