[erlang-questions] iPhone unable to connect over SSL after upgrading to R16B01

Andrew Shu talklittle@REDACTED
Sun Jun 23 21:06:18 CEST 2013

THANK YOU for posting this! This being my first time using Cowboy HTTPS and 
secure websockets, I was going crazy trying to figure out why SSL wasn't 
working via Chromium on Linux, while curl seemed to handle the self-signed 
certificates okay. It wouldn't have occurred to me that it could be an 
Erlang bug.

After reverting to R16B, and removing all traces of R16B01, everything 
seems working.
I wasted a lot of time swapping out SSL certificates to no avail. I think 
sticking with R16B is the best, or only, solution for now.

I had been getting a Chromium gray error screen with 
"ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED". Not the usual "this certificate is 
not trusted" red screen.
Firefox choked too. Curl seemed ok, strangely enough.

Erlang shell was printing "SSL: certify: tls_connection.erl:2275:Fatal 
error: unknown ca" with some certificates. Swapping certs may have removed 
the error sometimes (I wasn't checking this carefully), but the Chromium 
error remained. A real CA-signed cert didn't help.

This was happening even with the Cowboy SSL example 
at https://github.com/extend/cowboy/tree/master/examples/ssl_hello_world

Again, thanks for indicating that this is an Erlang regression. R16B seems 
to work fine compared to R16B01.

On Friday, June 21, 2013 11:44:34 AM UTC-4, Ransom Richardson wrote:
>   Not sure if this is a known issue but I didn't see anything about it 
> when I searched.
>  After upgrading to R16B01 our iPhone client can no longer connect to the 
> service over SSL. The same build works fine when deployed on a machine 
> running R16B. 
>  If we specify
>  {ciphers, [{rsa,aes_256_cbc,sha256}]},
>  then it is able to connect successfully 
>  However, if we specify:
>  {ciphers, [{rsa,aes_256_cbc,sha256}, {ecdhe_rsa,aes_256_cbc,sha}]},
>  then the connection fails.
>  I didn't debug further, but did notice this following in 
> tls_handshake.erl, which seems like it might be related:
>     %% TODO: need to take supported Curves into Account when selecting 
> the CipherSuite....
>    %%       if whe have an ECDSA cert with an unsupported curve, we need 
> to drop ECDSA ciphers
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20130623/5c2a9e20/attachment.htm>

More information about the erlang-questions mailing list