<div dir="ltr"><div>Hi!<br><br>I traced my problem to sslv2_hello compatibility. I will give you something to try later today!<br><br><br></div>Regards Ingela Erlang/OTP team<br></div><div class="gmail_extra"><br><div class="gmail_quote">2018-05-04 10:05 GMT+02:00 Heinz N. Gies <span dir="ltr"><<a href="mailto:heinz@licenser.net" target="_blank">heinz@licenser.net</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word;line-break:after-white-space">I’m having quite some trouble on the SSL front too. I’m giving it a try to move the riak_core code to R21 and the ssl test [1] fails.<div><br></div><div>If I use the original keys (in the repo under test/site1/2-…) I get a handshake failure.</div><div><br></div><div>Using those keys I get an handshake failure too:</div><div><br></div><div><div>openssl req -x509 -newkey rsa:4096 -keyout test/site1-key.pem -out test/site1-cert.pem -days 3650 -nodes -subj '/CN=US'</div><div>openssl req -x509 -newkey rsa:4096 -keyout test/site2-key.pem -out test/site2-cert.pem -days 3650 -nodes -subj '/CN=US’</div><div><br></div><div>DSA keys</div><div><br></div><div><div>openssl dsaparam -out dsaparams-site1.pem 1024</div><div>openssl dsaparam -out dsaparams-site2.pem 1024</div><div>openssl req -x509 -newkey dsa:dsaparams-site1.pem -keyout test/site1-key.pem -out test/site1-cert.pem -days 3650 -nodes -subj '/CN=US'</div><div>openssl req -x509 -newkey dsa:dsaparams-site2.pem -keyout test/site2-key.pem -out test/site2-cert.pem -days 3650 -nodes -subj '/CN=US’</div></div><div><br></div><div>Fail with:</div><div><br></div><div>{badmatch,</div><div>     {error,</div><div>         {options,</div><div>             {keyfile,"test/site1-key.pem"<wbr>,</div><div>                 {error,</div><div>                     {asn1,</div><div>                         {{wrong_tag,</div><div>                              {{expected,16},</div><div>                               {got,2,</div><div>                                   {2,</div><div>                                    <<74,130,213,43,78,73,39,24,<wbr>206,62,159,</div><div>                                      168,30,65,230,24,14,31,209,<wbr>192>>}}}},</div><div>                          [{'OTP-PUB-KEY',match_tags,2,</div><div>                               [{file,"OTP-PUB-KEY.erl"},{<wbr>line,20535}]},</div><div>                           {'OTP-PUB-KEY',dec_<wbr>DSAPrivateKey,2,</div><div>                               [{file,"OTP-PUB-KEY.erl"},{<wbr>line,1789}]},</div><div>                           {'OTP-PUB-KEY',decode,2,</div><div>                               [{file,"OTP-PUB-KEY.erl"},{<wbr>line,1103}]},</div><div>                           {public_key,der_decode,2,</div><div>                               [{file,"public_key.erl"},{<wbr>line,248}]},</div><div>                           {ssl_config,init_private_key,<wbr>5,</div><div>                               [{file,"ssl_config.erl"},{<wbr>line,114}]},</div><div>                           {ssl_config,init,2,</div><div>                               [{file,"ssl_config.erl"},{<wbr>line,38}]},</div><div>                           {ssl_connection,ssl_config,4,</div><div>                               [{file,"ssl_connection.erl"},<wbr>{line,571}]},</div><div>                           {tls_connection,init,1,</div><div>                               [{file,"tls_connection.erl"},</div><div>                                {line,116}]}]}}}}}}}</div><div><br></div><div><br></div><div>EC keys fail with a handshake failure too</div><div><br></div><div><div>openssl ecparam -out ecparams-site1.pem -name prime256v1</div><div>openssl ecparam -out ecparams-site2.pem -name prime256v1</div><div>openssl req -x509 -newkey ec:ecparams-site1.pem -keyout test/site1-key.pem -out test/site1-cert.pem -days 3650 -nodes -subj '/CN=US'</div><div>openssl req -x509 -newkey ec:ecparams-site2.pem -keyout test/site2-key.pem -out test/site2-cert.pem -days 3650 -nodes -subj '/CN=US'</div></div><div><br></div><div><br></div><div><a href="https://github.com/Kyorai/riak_core/blob/develop/src/riak_core_tcp_mon.erl#L450" target="_blank">https://github.com/Kyorai/<wbr>riak_core/blob/develop/src/<wbr>riak_core_tcp_mon.erl#L450</a><div><div class="h5"><br><div><br></div><div><br><div><br><blockquote type="cite"><div>On 4. May 2018, at 09:32, Ingela Andin <<a href="mailto:ingela.andin@gmail.com" target="_blank">ingela.andin@gmail.com</a>> wrote:</div><br class="m_-4340393888705181288Apple-interchange-newline"><div><div dir="ltr" style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none">Hi!<br><br><div><div class="gmail_extra"><br><div class="gmail_quote">2018-05-03 18:08 GMT+02:00 Loïc Hoguin<span class="m_-4340393888705181288Apple-converted-space"> </span><span dir="ltr"><<a href="mailto:essen@ninenines.eu" target="_blank">essen@ninenines.eu</a>></span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">Hello,<span><br><br>On 05/03/2018 01:54 PM, Loïc Hoguin wrote:<br></span><span><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">* SSL is broken. See [1] for example. I can see the same thing happening on 5 different Linux distributions (with different OpenSSL versions) and on OSX. A quick try in the shell is not much better:<br></blockquote><br></span></blockquote><div><br></div><div>Thank you for shouting, that is what the release candidate is for. So we can catch the problems early!<br></div><div><br><br> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><span></span>OK it's just a very misleading error message I think.<br></blockquote><div><br><br></div><div>Well that depends, this is not really an error message that you should get unless you have a buggy or malicious client. But of course now we might be getting it due to a bug and then<br></div><div>it could be misleading!<br></div><div><br> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><br>Switching my server's test keys from RSA to DSA fixes it so I think this issue is caused by:<br><br> <span class="m_-4340393888705181288Apple-converted-space"> </span>OTP-14769    Application(s): ssl<br><br>               For security reasons RSA-key exchange cipher suites are<br>               no longer supported by default<br></blockquote><div><br><br></div><div>I do not really suspect this change. RSA-certificates are still supported. Just cipher suites using RSA encryption/decryption in the key exchange process are not supported.<br></div><div>When you switched to a DSA-certificate an other cipher suite was picked that did not expose the problem.  If there had been no common cipher suites you would have got another error.<br></div><div><br> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><br>Still, it probably should provide a more helpful error message than this:<br><br>*** System report during acceptor_SUITE:ssl_echo/1 in ssl 2018-05-03 11:13:04.343 ***<br>=INFO REPORT==== 3-May-2018::11:13:04.342940 ===<br>TLS server: In state hello at tls_handshake.erl:130 generated SERVER ALERT: Fatal - Handshake Failure - malformed_handshake_data<br><br>*** System report during acceptor_SUITE:ssl_echo/1 in ssl 2018-05-03 11:13:04.348 ***<br>=INFO REPORT==== 3-May-2018::11:13:04.348265 ===<br>TLS client: In state hello received SERVER ALERT: Fatal - Handshake Failure<br><br>"malformed_handshake_data" sounds like the client would have sent a malformed handshake, ie bad data, when the actual issue seems to be that the certificate configured is no longer supported. The server generating an alert about its own certificate doesn't sound quite right either.<br><br>That being said I do not really know the intent so I'm guessing a bit. All I know for sure is that it's confusing.<br><br></blockquote><div><br><br></div><div>This error is consistent with one of the errors I am seeing in the nightly builds when running OpenSSL with only default parameters so I suspect something is off in combination<br></div><div>version negotiation and cipher suite selection checks. I am looking in to it!<br></div><div><br></div><div>Regards Ingela Erlang/OTP Team<span class="m_-4340393888705181288Apple-converted-space"> </span><br></div><div><br><br><br><br> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">Cheers,<div class="m_-4340393888705181288HOEnZb"><div class="m_-4340393888705181288h5"><br><br>--<span class="m_-4340393888705181288Apple-converted-space"> </span><br>Loïc Hoguin<br><a href="https://ninenines.eu/" rel="noreferrer" target="_blank">https://ninenines.eu</a><br>______________________________<wbr>_________________<br>erlang-questions mailing list<br><a href="mailto:erlang-questions@erlang.org" target="_blank">erlang-questions@erlang.org</a><br><a href="http://erlang.org/mailman/listinfo/erlang-questions" rel="noreferrer" target="_blank">http://erlang.org/mailman/list<wbr>info/erlang-questions</a><br></div></div></blockquote></div><br></div></div></div><span style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;float:none;display:inline!important">______________________________<wbr>_________________</span><br style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><span style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;float:none;display:inline!important">erlang-questions mailing list</span><br style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><a href="mailto:erlang-questions@erlang.org" style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" target="_blank">erlang-questions@erlang.org</a><br style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><a href="http://erlang.org/mailman/listinfo/erlang-questions" style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" target="_blank">http://erlang.org/mailman/<wbr>listinfo/erlang-questions</a></div></blockquote></div><br></div></div></div></div></div></div></blockquote></div><br></div>