<div dir="ltr">Hi Frank,<div><br></div><div>Sorry that I can't really help you, but I did notice that the Erlang SSL usage example for upgrading a socket to TLS [1] says:</div><div><br></div><div><strong style="color:rgb(26,26,26);font-family:sans-serif;font-size:16px;background-color:rgb(254,254,254)">> Step 5:</strong><span style="color:rgb(26,26,26);font-family:sans-serif;font-size:16px;background-color:rgb(254,254,254)"> Ensure </span><span class="gmail-code" style="font-family:mono,Courier,monospace;background-color:rgb(243,243,243);color:rgb(26,26,26);font-size:16px">active</span><span style="color:rgb(26,26,26);font-family:sans-serif;font-size:16px;background-color:rgb(254,254,254)"> is set to </span><span class="gmail-code" style="font-family:mono,Courier,monospace;background-color:rgb(243,243,243);color:rgb(26,26,26);font-size:16px">false</span><span style="color:rgb(26,26,26);font-family:sans-serif;font-size:16px;background-color:rgb(254,254,254)"> before trying to upgrade a connection to an SSL connection, otherwise SSL handshake messages can be delivered to the wrong process</span><br></div><div><br></div><div>Your example seems to be using an active connection.</div><div><br></div><div>Maybe you could post a more complete, ready-to-run sample to get more feedback...</div><div><br></div><div>Regards</div><div>Andreas</div><div><br></div><div>1: <a href="http://erlang.org/doc/apps/ssl/using_ssl.html">http://erlang.org/doc/apps/ssl/using_ssl.html</a></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri., 26 Apr. 
2019 at 08:25, Frank Muller <<a href="mailto:frank.muller.erl@gmail.com">frank.muller.erl@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div dir="auto">Small typo in ssl_client/0:</div></div><div dir="auto"><span style="color:rgb(49,49,49);word-spacing:1px">______________________________</span><span style="color:rgb(49,49,49);word-spacing:1px">_</span><br style="color:rgb(49,49,49);word-spacing:1px"><span style="color:rgb(49,49,49);word-spacing:1px">tcp_client() -></span><br style="color:rgb(49,49,49);word-spacing:1px"><span style="color:rgb(49,49,49);word-spacing:1px"> {ok, TcpSocket} = gen_tcp:connect("local_proxy_f</span><span style="color:rgb(49,49,49);word-spacing:1px">or_traffic_filtering", 12345, [ binary, {active, true}, {packet, 0} ]),</span><br style="color:rgb(49,49,49);word-spacing:1px"><span style="color:rgb(49,49,49);word-spacing:1px"> ok = gen_tcp:send(TcpSocket, <<"CONNECT…">>),</span><br style="color:rgb(49,49,49);word-spacing:1px"><span style="color:rgb(49,49,49);word-spacing:1px"> … got 200OK ...</span><br style="color:rgb(49,49,49);word-spacing:1px"><span style="color:rgb(49,49,49);word-spacing:1px"> TcpSocket.</span><br style="color:rgb(49,49,49);word-spacing:1px"><br style="color:rgb(49,49,49);word-spacing:1px"><span style="color:rgb(49,49,49);word-spacing:1px">ssl_client() -></span><br style="color:rgb(49,49,49);word-spacing:1px"><span style="color:rgb(49,49,49);word-spacing:1px"> TcpSocket = tcp_client(),</span><br style="color:rgb(49,49,49);word-spacing:1px"><span style="color:rgb(49,49,49);word-spacing:1px"> Opts = [ {verify, verify_none}, {cacertfile, "cacert.pem"}, {versions, ['tlsv1.2']} ],</span><br style="color:rgb(49,49,49);word-spacing:1px"><span style="color:rgb(49,49,49);word-spacing:1px"> {ok, Sock} = ssl:connect(TcpSocket, Opts),</span></div><div dir="auto"> Sock.<br style="color:rgb(49,49,49);word-spacing:1px"><br 
style="color:rgb(49,49,49);word-spacing:1px"><span style="color:rgb(49,49,49);word-spacing:1px">connect() -></span><br style="color:rgb(49,49,49);word-spacing:1px"><span style="color:rgb(49,49,49);word-spacing:1px"> SslSocket = ssl_client(),</span><br style="color:rgb(49,49,49);word-spacing:1px"><span style="color:rgb(49,49,49);word-spacing:1px"> ok = ssl:send(SslSocket, <<"...some data...">>),</span><br style="color:rgb(49,49,49);word-spacing:1px"><span style="color:rgb(49,49,49);word-spacing:1px"> …</span><br style="color:rgb(49,49,49);word-spacing:1px"><span style="color:rgb(49,49,49);word-spacing:1px"> ok.</span><br style="color:rgb(49,49,49);word-spacing:1px"><span style="color:rgb(49,49,49);word-spacing:1px">______________________________</span><span style="color:rgb(49,49,49);word-spacing:1px">_</span><br></div><div dir="auto"><span style="color:rgb(49,49,49);word-spacing:1px"><br></span></div><div dir="auto"><span style="color:rgb(49,49,49);word-spacing:1px"><br></span></div><div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span style="color:rgb(49,49,49);word-spacing:1px">Hi guys</span><br style="color:rgb(49,49,49);word-spacing:1px"><br style="color:rgb(49,49,49);word-spacing:1px"><span style="color:rgb(49,49,49);word-spacing:1px">I’m trying to connect to a remote SSL server using a filtering Proxy in between.</span><br style="color:rgb(49,49,49);word-spacing:1px"><br style="color:rgb(49,49,49);word-spacing:1px"><span style="color:rgb(49,49,49);word-spacing:1px"><div dir="auto">First, I try to establish a normal TCP connection to this local Proxy using the CONNECT word.</div></span><br style="color:rgb(49,49,49);word-spacing:1px"><span style="color:rgb(49,49,49);word-spacing:1px">Second, I upgrade the TCP socket to SSL as in this code snippet:</span><br style="color:rgb(49,49,49);word-spacing:1px"><br style="color:rgb(49,49,49);word-spacing:1px"><span 
style="color:rgb(49,49,49);word-spacing:1px">______________________________</span><span style="color:rgb(49,49,49);word-spacing:1px">_</span><br style="color:rgb(49,49,49);word-spacing:1px"><span style="color:rgb(49,49,49);word-spacing:1px">tcp_client() -></span><br style="color:rgb(49,49,49);word-spacing:1px"><span style="color:rgb(49,49,49);word-spacing:1px"> {ok, TcpSocket} = gen_tcp:connect("local_proxy_f</span><span style="color:rgb(49,49,49);word-spacing:1px"><div dir="auto">or_traffic_filtering", 12345, [ binary, {active,true}, {packet,0} ]),</div></span><br style="color:rgb(49,49,49);word-spacing:1px"><span style="color:rgb(49,49,49);word-spacing:1px"> ok = gen_tcp:send(TcpSocket, <<"CONNECT…">>),</span><br style="color:rgb(49,49,49);word-spacing:1px"><span style="color:rgb(49,49,49);word-spacing:1px"> … got 200OK ...</span><br style="color:rgb(49,49,49);word-spacing:1px"><span style="color:rgb(49,49,49);word-spacing:1px"> TcpSocket.</span><br style="color:rgb(49,49,49);word-spacing:1px"><br style="color:rgb(49,49,49);word-spacing:1px"><span style="color:rgb(49,49,49);word-spacing:1px">ssl_client() -></span><br style="color:rgb(49,49,49);word-spacing:1px"><span style="color:rgb(49,49,49);word-spacing:1px"> TcpSocket = tcp_client(),</span><br style="color:rgb(49,49,49);word-spacing:1px"><span style="color:rgb(49,49,49);word-spacing:1px"> Opts = [ {verify, verify_none}, {cacertfile, "cacert.pem"}, {versions, ['tlsv1.2']} ],</span><br style="color:rgb(49,49,49);word-spacing:1px"><span style="color:rgb(49,49,49);word-spacing:1px"> {ok, Sock} = ssl:connect(TcpSocket, Opts).</span><br style="color:rgb(49,49,49);word-spacing:1px"><br style="color:rgb(49,49,49);word-spacing:1px"><span style="color:rgb(49,49,49);word-spacing:1px">connect() -></span><br style="color:rgb(49,49,49);word-spacing:1px"><span style="color:rgb(49,49,49);word-spacing:1px"> SslSocket = ssl_client(),</span><br style="color:rgb(49,49,49);word-spacing:1px"><span 
style="color:rgb(49,49,49);word-spacing:1px"><div dir="auto"> ok = ssl:send(SslSocket, <<"...some data...">>),</div></span><span style="color:rgb(49,49,49);word-spacing:1px"> …</span><br style="color:rgb(49,49,49);word-spacing:1px"><span style="color:rgb(49,49,49);word-spacing:1px"> ok.</span><br style="color:rgb(49,49,49);word-spacing:1px"><span style="color:rgb(49,49,49);word-spacing:1px">______________________________</span><span style="color:rgb(49,49,49);word-spacing:1px">_</span><br style="color:rgb(49,49,49);word-spacing:1px"><br style="color:rgb(49,49,49);word-spacing:1px"><span style="color:rgb(49,49,49);word-spacing:1px"><div dir="auto">When I call ssl:send/2, the remote SSL server (I’ve no control on this server) immediately closes the connection with {error, closed}.</div></span><span style="color:rgb(49,49,49);word-spacing:1px"> </span><br style="color:rgb(49,49,49);word-spacing:1px"><span style="color:rgb(49,49,49);word-spacing:1px">Furthermore, the SSL server claims I’m using SSL v1.3 (from the logs we've got).</span><br style="color:rgb(49,49,49);word-spacing:1px"><br style="color:rgb(49,49,49);word-spacing:1px"><span style="color:rgb(49,49,49);word-spacing:1px">Questions:</span><br style="color:rgb(49,49,49);word-spacing:1px"><span style="color:rgb(49,49,49);word-spacing:1px"><div dir="auto">a. is it the right way to establish an SSL connection via a proxy?</div></span><br style="color:rgb(49,49,49);word-spacing:1px"><span style="color:rgb(49,49,49);word-spacing:1px"><div dir="auto">b. 
how can I really ensure I’m using SSL v1.2 and not v1.3?</div></span><br style="color:rgb(49,49,49);word-spacing:1px"><br style="color:rgb(49,49,49);word-spacing:1px"><span style="color:rgb(49,49,49);word-spacing:1px"><div dir="auto">My config: Erlang 21.3.5, Ubuntu 18.04 LTS, Kernel 4.4.0-grs-64 on a very restricted environment: no sudo, no direct internet access</div></span><br style="color:rgb(49,49,49);word-spacing:1px"><span style="color:rgb(49,49,49);word-spacing:1px">/Frank</span><br style="color:rgb(49,49,49);word-spacing:1px">
</blockquote></div></div>
_______________________________________________<br>
erlang-questions mailing list<br>
<a href="mailto:erlang-questions@erlang.org" target="_blank">erlang-questions@erlang.org</a><br>
<a href="http://erlang.org/mailman/listinfo/erlang-questions" rel="noreferrer" target="_blank">http://erlang.org/mailman/listinfo/erlang-questions</a><br>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><span style="font-family:monospace,monospace">-- <br>Dipl.-Inform. Andreas Schultz<br><br>----------------------- enabling your networks ----------------------<br>Travelping GmbH Phone: +49-391-81 90 99 0<br>Roentgenstr. 13 Fax: +49-391-81 90 99 299<br>39108 Magdeburg Email: <a href="mailto:info@travelping.com" target="_blank">info@travelping.com</a><br>GERMANY Web: <a href="http://www.travelping.com" target="_blank">http://www.travelping.com</a><br><br></span><div><span style="font-family:monospace,monospace">Company Registration: Amtsgericht Stendal Reg No.: HRB 10578</span></div><span style="font-family:monospace,monospace">Managing Director: Holger Winkelmann VAT ID No.: DE236673780<br>---------------------------------------------------------------------</span></div></div>
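<div>Added example, written for this page and not taken from Frank's mail or from the Erlang/OTP documentation: the proxied upgrade flow discussed in the thread done the way the user guide's step 5 requires, with the TCP socket in passive mode before ssl:connect/3 is called, the proxy's CONNECT reply consumed explicitly, and the negotiated protocol version read back with ssl:connection_information/2 (which is how to answer question b). Proxy host and port, the target host name and the cacert.pem path are placeholders, and the module and function names are assumptions.</div>

```erlang
%% Added example (not from the thread): upgrade a proxied TCP socket to TLS
%% with the socket in passive mode, as the Erlang SSL user guide's step 5
%% requires. Host names, port and certificate path are placeholders.
-module(proxy_tls_client).
-export([connect/0, connect/3, negotiated_protocol/1]).

-define(PROXY_HOST, "local-proxy.example").  %% placeholder
-define(PROXY_PORT, 12345).                   %% placeholder
-define(TARGET_HOST, "remote.example").       %% placeholder
-define(TIMEOUT, 5000).

connect() ->
    connect(?PROXY_HOST, ?PROXY_PORT, ?TARGET_HOST).

%% Returns {ok, SslSocket} | {error, Reason}. The TCP socket is opened with
%% {active, false}: the proxy's reply is read with gen_tcp:recv/3 and the
%% handshake records are consumed inside ssl:connect/3, so nothing arrives as
%% an unsolicited message in some process's mailbox.
connect(ProxyHost, ProxyPort, TargetHost) ->
    {ok, _} = application:ensure_all_started(ssl),
    TcpOpts = [binary, {active, false}, {packet, raw}],
    {ok, Tcp} = gen_tcp:connect(ProxyHost, ProxyPort, TcpOpts, ?TIMEOUT),
    Req = ["CONNECT ", TargetHost, ":443 HTTP/1.1\r\n",
           "Host: ", TargetHost, ":443\r\n\r\n"],
    ok = gen_tcp:send(Tcp, Req),
    case recv_proxy_reply(Tcp, <<>>) of
        {ok, Status} when Status >= 200, Status < 300 ->
            %% verify_peer makes the chain check real; with verify_none a bad
            %% or unknown certificate is accepted and cacert.pem changes nothing.
            SslOpts = [{verify, verify_peer},
                       {cacertfile, "cacert.pem"},
                       {server_name_indication, TargetHost},
                       {versions, ['tlsv1.2']}],
            ssl:connect(Tcp, SslOpts, ?TIMEOUT);
        {ok, Status} ->
            gen_tcp:close(Tcp),
            {error, {proxy_refused, Status}};
        {error, Reason} ->
            gen_tcp:close(Tcp),
            {error, Reason}
    end.

%% Accumulate the proxy's HTTP reply up to the blank line that ends the
%% headers and return the status code. A TLS server never speaks first, so
%% nothing may legitimately follow the blank line before our ClientHello;
%% trailing bytes are reported as a protocol violation, not silently dropped.
recv_proxy_reply(Tcp, Acc) ->
    case binary:split(Acc, <<"\r\n\r\n">>) of
        [Headers, <<>>] ->
            parse_status(Headers);
        [_Headers, _Trailing] ->
            {error, unexpected_data_after_proxy_reply};
        [_] when byte_size(Acc) > 8192 ->
            {error, proxy_reply_too_large};
        [_] ->
            case gen_tcp:recv(Tcp, 0, ?TIMEOUT) of
                {ok, Data} -> recv_proxy_reply(Tcp, <<Acc/binary, Data/binary>>);
                {error, Reason} -> {error, Reason}
            end
    end.

%% Pull the numeric status out of "HTTP/1.x NNN Reason".
parse_status(Headers) ->
    [StatusLine | _] = binary:split(Headers, <<"\r\n">>),
    case binary:split(StatusLine, <<" ">>, [global]) of
        [<<"HTTP/1.", _/binary>>, Code | _] ->
            try
                {ok, binary_to_integer(Code)}
            catch
                error:badarg -> {error, {bad_status_line, StatusLine}}
            end;
        _ ->
            {error, {bad_status_line, StatusLine}}
    end.

%% Read back which protocol version was actually negotiated (question b in
%% the thread): with the versions option above this should be 'tlsv1.2'.
negotiated_protocol(Ssl) ->
    {ok, [{protocol, Proto}]} = ssl:connection_information(Ssl, [protocol]),
    Proto.
```

<div>Usage: {ok, S} = proxy_tls_client:connect(), then proxy_tls_client:negotiated_protocol(S) returns the version atom the server agreed to, which is the check the server-side logs in the thread were being used for. Keeping the socket passive for the whole sequence is what prevents the guide's failure mode: with {active, true}, the proxy's 200 reply and any handshake record would be delivered as messages to the socket's owner instead of being read by the code that expects them.</div>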