<div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><span><br></span></div><div dir="ltr"><span><br></span></div><div><span>Humm ... I believe  the this was broken by PR-1729, the solution feels familiar. I hope that the following patch covers all the cases.  <br></span></div><div><span><br></span></div><div><span>
diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl<br>
index 63996f5..4fbf463 100644<br>
--- a/lib/ssl/src/ssl_handshake.erl<br>
+++ b/lib/ssl/src/ssl_handshake.erl<br>
@@ -1056,7 +1056,10 @@ select_curve(undefined, _, _) -><br>
 select_hashsign(_, _, KeyExAlgo, _, _Version) when KeyExAlgo == dh_anon;<br>
                                                    KeyExAlgo == ecdh_anon;<br>
                                                    KeyExAlgo == srp_anon;<br>
-                                                   KeyExAlgo == psk -><br>
+                                                   KeyExAlgo == psk;<br>
+                                                   KeyExAlgo == dhe_psk;<br>
+                                                   KeyExAlgo == ecdhe_psk;<br>
+                                                   KeyExAlgo == rsa_psk -><br>
     {null, anon};<br>
 %% The signature_algorithms extension was introduced with TLS 1.2. Ignore it if we have<br>
 %% negotiated a lower version.<br>
<br></span></div><div><span><br></span></div><div><span>Regards Ingela Erlang/OTP team - Ericsson AB<br></span></div><div><span><br></span></div><div><span><br></span></div><div><span><br></span></div></div></div></div><br><div class="gmail_quote"><div dir="ltr">Den ons 5 sep. 2018 kl 23:00 skrev Oliver Bollmann <<a href="mailto:oliver.bollmann@t-online.de">oliver.bollmann@t-online.de</a>>:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
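Review bot: The added `KeyExAlgo == rsa_psk` alternative in the select_hashsign guard deserves a second look, because per RFC 4279 the server still presents an RSA certificate in that key exchange, whereas psk, dhe_psk and ecdhe_psk authenticate with the shared key alone. Returning `{null, anon}` for it presumably bypasses the later clauses that reconcile the certificate with the peer's signature_algorithms; those clauses lie outside the hunk, so this needs confirming. I would either drop rsa_psk from this guard or document the reasoning above the clause, e.g. `%% PSK key exchanges send an unsigned ServerKeyExchange, so no hash/sign pair is negotiated`. A handshake test per PSK key exchange (psk, dhe_psk, ecdhe_psk, rsa_psk) would keep this from regressing again.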
  

    
  
  <div text="#000000" bgcolor="#FFFFFF">
    <p>This works with 20.2.2 but since 20.3(21.x) it doesn't!</p>
    <p>Error in process <0.79.0> with exit value:<br>
      {{badmatch,{error,{tls_alert,"handshake failure"}}},<br>
 [{client_server,init_connect,1,[{file,"client_server.erl"},{line,37}]}]}<br>
    </p>
    <p>Any hints?</p>
    <pre style="background-color:#ffffff;color:#000000;font-family:'Menlo';font-size:18.0pt">-module(client_server)<span style="color:#000080;font-weight:bold">.
</span><span style="color:#000080;font-weight:bold">
</span><span style="color:#808080;font-style:italic">%%% Purpose: Example of SSL client and server using psk.
</span><span style="color:#808080;font-style:italic">
</span>-export([start/<span style="color:#0000ff">0</span>, init_connect/<span style="color:#0000ff">1</span>])<span style="color:#000080;font-weight:bold">.
</span><span style="color:#000080;font-weight:bold">
%% Run the whole demo in one node: start ssl, listen on an ephemeral port,
%% spawn the client process, accept its connection, send "hello", wait for
%% the client to close, then shut everything down again.
start() ->
  %% Keep the list of applications that were actually started so that only
  %% those are stopped at the end.
  {ok, Started} = application:ensure_all_started(ssl),

  %% Port 0 asks the OS for a free port; sockname/1 reads back which one.
  ServerOpts = mk_opts(listen),
  {ok, ListenSock} = ssl:listen(0, ServerOpts),
  {ok, {_, Port}} = ssl:sockname(ListenSock),
  io:fwrite("Listen: port = ~w.~n", [Port]),

  %% The client runs in its own process and connects back to Port.
  spawn(?MODULE, init_connect, [Port]),

  %% transport_accept/1 takes the TCP connection, ssl_accept/1 then runs the
  %% TLS handshake on it. Any handshake failure crashes here with badmatch.
  %% NOTE(review): ssl_accept/1 is the pre-OTP-21 name; newer releases
  %% provide ssl:handshake/1, which returns {ok, Socket} instead of ok.
  {ok, ConnSock} = ssl:transport_accept(ListenSock),
  ok = ssl:ssl_accept(ConnSock),
  io:fwrite("Accept: accepted.~n"),

  %% The result of send/2 is deliberately not matched; the recv/2 below is
  %% what asserts that the client closed the connection.
  ssl:send(ConnSock, "hello"),
  {error, closed} = ssl:recv(ConnSock, 0),
  io:fwrite("Accept: detected closed.~n"),
  ssl:close(ConnSock),

  io:fwrite("Listen: closing and terminating.~n"),
  ssl:close(ListenSock),

  %% Stop in reverse start order so dependants go down before dependencies.
  StopOrder = lists:reverse(Started),
  lists:foreach(fun application:stop/1, StopOrder).
</span><span style="color:#000080;font-weight:bold">
</span><span style="color:#000080;font-weight:bold">
%% Client side of the demo: connect over TLS to the listener on LPort on the
%% local host, print the first data received, then close the socket.
init_connect(LPort) ->
  {ok, Hostname} = inet:gethostname(),
  ClientOpts = mk_opts(connect),
  %% A rejected handshake comes back as {error, {tls_alert, _}} and turns
  %% into a badmatch on this line.
  {ok, Sock} = ssl:connect(Hostname, LPort, ClientOpts),
  io:fwrite("Connect: connected.~n"),
  %% Length 0 means "whatever is available"; the socket is in passive mode.
  {ok, Received} = ssl:recv(Sock, 0),
  io:fwrite("Connect: got data: ~p~n", [Received]),
  io:fwrite("Connect: closing and terminating.~n"),
  ssl:close(Sock).
</span><span style="color:#000080;font-weight:bold">
%% Build the ssl option list for one side of the demo.
%% The atoms listen/connect are mapped to the role strings "server"/"client";
%% the string clause does the real work.
mk_opts(listen) ->
  mk_opts("server");
mk_opts(connect) ->
  mk_opts("client");
mk_opts(Role) ->
  %% The role, as a binary, is handed to lookup/3 as its user state.
  UserState = list_to_binary(Role),
  %% Single suite offered: DHE key exchange authenticated by the pre-shared
  %% key, AES-256-GCM, SHA-384 PRF. With only one suite and only TLS 1.2
  %% enabled there is no fallback if the peer cannot negotiate it.
  Suite = {dhe_psk, aes_256_gcm, null, sha384},
  [{active, false},
   {psk_identity, Role},
   {user_lookup_fun, {fun lookup/3, UserState}},
   {versions, ['tlsv1.2']},
   {ciphers, [Suite]}].
</span><span style="color:#000080;font-weight:bold">
%% user_lookup_fun callback for PSK: returns the shared secret for a peer.
%% Demo only: the identity and the user state are ignored, so every peer gets
%% the same fixed, guessable secret. A real callback should select the secret
%% by identity, load it from protected storage and return `error` for
%% identities it does not know.
lookup(psk, _PskIdentity, _UserState) ->
  {ok, <<"psk">>}.
</span><span style="color:#000080;font-weight:bold">
</span></pre>
    <pre class="m_-1586514026555526985moz-signature" cols="72">-- 
Grüße
Oliver Bollmann</pre>
  </div>

</blockquote></div>