<div dir="ltr"><div>No problem :) I will include it in OTP-21.1 except rsa_psk uses certs so I removed the last one again. <br></div><div>Have also tweaked the test cases so that this is tested correctly.</div><div><br></div><div>Regards Ingela Erlang/OTP team - Ericsson AB<br></div><div><br><div class="gmail_quote"><div dir="ltr">On Thu, 6 Sep 2018 at 15:41, Ingela Andin <<a href="mailto:ingela.andin@gmail.com">ingela.andin@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><span><br></span></div><div dir="ltr"><span><br></span></div><div><span>Humm ... I believe this was broken by PR-1729, the solution feels familiar. I hope that the following patch covers all the cases. <br></span></div><div><span><br></span></div><div><span>diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl<br>index 63996f5..4fbf463 100644<br>--- a/lib/ssl/src/ssl_handshake.erl<br>+++ b/lib/ssl/src/ssl_handshake.erl<br>@@ -1056,7 +1056,10 @@ select_curve(undefined, _, _) -><br> select_hashsign(_, _, KeyExAlgo, _, _Version) when KeyExAlgo == dh_anon;<br> KeyExAlgo == ecdh_anon;<br> KeyExAlgo == srp_anon;<br>- KeyExAlgo == psk -><br>+ KeyExAlgo == psk;<br>+ KeyExAlgo == dhe_psk;<br>+ KeyExAlgo == ecdhe_psk;<br>+ KeyExAlgo == rsa_psk -><br> {null, anon};<br> %% The signature_algorithms extension was introduced with TLS 1.2. Ignore it if we have<br> %% negotiated a lower version.<br><br></span></div><div><span><br></span></div><div><span>Regards Ingela Erlang/OTP team - Ericsson AB<br></span></div><div><span><br></span></div><div><span><br></span></div><div><span><br></span></div></div></div></div><br><div class="gmail_quote"><div dir="ltr">On Wed, 5 Sep 2018 at 23:00, Oliver Bollmann <<a href="mailto:oliver.bollmann@t-online.de" target="_blank">oliver.bollmann@t-online.de</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p>This works with 20.2.2 but since 20.3(21.x) it doesn't!</p>
<p>Error in process <0.79.0> with exit value:<br>
{{badmatch,{error,{tls_alert,"handshake failure"}}},<br>
[{client_server,init_connect,1,[{file,"client_server.erl"},{line,37}]}]}<br>
</p>
<p>Any hints?</p>
<pre style="background-color:#ffffff;color:#000000;font-family:'Menlo';font-size:18.0pt">-module(client_server).

%%% Purpose: Example of SSL client and server using psk.

-export([start/0, init_connect/1]).

start() ->
    %% Start ssl application
    {ok, StartedApps} = application:ensure_all_started(ssl),
    %% Let the current process be the server that listens and accepts
    %% Listen
    {ok, LSock} = ssl:listen(0, mk_opts(listen)),
    {ok, {_, LPort}} = ssl:sockname(LSock),
    io:fwrite("Listen: port = ~w.~n", [LPort]),
    %% Spawn the client process that connects to the server
    spawn(?MODULE, init_connect, [LPort]),
    %% Accept
    {ok, ASock} = ssl:transport_accept(LSock),
    ok = ssl:ssl_accept(ASock),
    io:fwrite("Accept: accepted.~n"),
    ssl:send(ASock, "hello"),
    {error, closed} = ssl:recv(ASock, 0),
    io:fwrite("Accept: detected closed.~n"),
    ssl:close(ASock),
    io:fwrite("Listen: closing and terminating.~n"),
    ssl:close(LSock),
    lists:foreach(fun application:stop/1, lists:reverse(StartedApps)).


%% Client connect
init_connect(LPort) ->
    {ok, Host} = inet:gethostname(),
    {ok, CSock} = ssl:connect(Host, LPort, mk_opts(connect)),
    io:fwrite("Connect: connected.~n"),
    {ok, Data} = ssl:recv(CSock, 0),
    io:fwrite("Connect: got data: ~p~n", [Data]),
    io:fwrite("Connect: closing and terminating.~n"),
    ssl:close(CSock).

mk_opts(listen) ->
    mk_opts("server");
mk_opts(connect) ->
    mk_opts("client");
mk_opts(Role) ->
    [{active, false},
     {psk_identity, Role},
     {user_lookup_fun, {fun lookup/3, list_to_binary(Role)}},
     {versions, ['tlsv1.2']},
     {ciphers, [{dhe_psk, aes_256_gcm, null, sha384}
               ]}
    ].

lookup(psk, _, _) -> {ok, <<"psk">>}.

</pre>
<pre class="m_9204090375696203937m_-1586514026555526985moz-signature" cols="72">--
Regards
Oliver Bollmann</pre>
</div>
</blockquote></div>
</blockquote></div></div></div>
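Review bot: the last added guard in the ssl_handshake.erl hunk, "KeyExAlgo == rsa_psk", puts rsa_psk into the clause that returns {null, anon}, yet the follow-up at the top of this thread states that rsa_psk uses certs and that this line was removed again; the guard list should end at "KeyExAlgo == ecdhe_psk ->". The clause also carries no comment explaining why these key exchanges skip hash/sign selection, while the clause right below it has one; a short %% comment above select_hashsign(_, _, KeyExAlgo, _, _Version) would make the intent visible to whoever next touches this guard list. The diff does not show a test change, so each PSK key exchange in the list should have a handshake test case in the same commit.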