[erlang-questions] iPhone unable to connect over SSL after upgrading to R16B01

Ingela Andin ingela.andin@REDACTED
Mon Jun 24 09:00:05 CEST 2013


Hi!

Thank you for the example, I will try to reproduce the problem and fix it.
A workaround is to specify
the cipher suites to:

{ciphers, [{dhe_rsa,aes_256_cbc,sha256},
 {dhe_dss,aes_256_cbc,sha256},
 {rsa,aes_256_cbc,sha256},
 {dhe_rsa,aes_128_cbc,sha256},
 {dhe_dss,aes_128_cbc,sha256},
 {rsa,aes_128_cbc,sha256},
 {dhe_rsa,aes_256_cbc,sha},
 {dhe_dss,aes_256_cbc,sha},
 {rsa,aes_256_cbc,sha},
 {dhe_rsa,'3des_ede_cbc',sha},
 {dhe_dss,'3des_ede_cbc',sha},
 {rsa,'3des_ede_cbc',sha},
 {dhe_rsa,aes_128_cbc,sha},
 {dhe_dss,aes_128_cbc,sha},
 {rsa,aes_128_cbc,sha},
 {rsa,rc4_128,sha},
 {rsa,rc4_128,md5},
 {dhe_rsa,des_cbc,sha},
 {rsa,des_cbc,sha}]}

so that elliptic-curve ciphers will not be negotiated.  The elliptic curve
support in R16B01 is limited to
named elliptic curves and, the TODO spotted seems like a likely candidate
for the problem,  I am so sorry
we missed that when integrating the Elliptic curve contribution.  Anyhow
maybe the fix will be supporting all
type of curves instead of doing the "TODO" I do not think there is so much
work left to do that.

Regards Ingela Erlang/OTP team - Ericsson  AB




2013/6/23 Andrew Shu <talklittle@REDACTED>

> THANK YOU for posting this! This being my first time using Cowboy HTTPS
> and secure websockets, I was going crazy trying to figure out why SSL
> wasn't working via Chromium on Linux, while curl seemed to handle the
> self-signed certificates okay. It wouldn't have occurred to me that it
> could be an Erlang bug.
>
> After reverting to R16B, and removing all traces of R16B01, everything
> seems working.
> I wasted a lot of time swapping out SSL certificates to no avail. I think
> sticking with R16B is the best, or only, solution for now.
>
> I had been getting a Chromium gray error screen with
> "ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED". Not the usual "this certificate is
> not trusted" red screen.
> Firefox choked too. Curl seemed ok, strangely enough.
>
> Erlang shell was printing "SSL: certify: tls_connection.erl:2275:Fatal
> error: unknown ca" with some certificates. Swapping certs may have removed
> the error sometimes (I wasn't checking this carefully), but the Chromium
> error remained. A real CA-signed cert didn't help.
>
> This was happening even with the Cowboy SSL example at
> https://github.com/extend/cowboy/tree/master/examples/ssl_hello_world
>
> Again, thanks for indicating that this is an Erlang regression. R16B seems
> to work fine compared to R16B01.
>
>
> On Friday, June 21, 2013 11:44:34 AM UTC-4, Ransom Richardson wrote:
>>
>>   Not sure if this is a known issue but I didn't see anything about it
>> when I searched.
>>
>>  After upgrading to R16B01 our iPhone client can no longer connect to
>> the service over SSL. The same build works fine when deployed on a machine
>> running R16B.
>>
>>  If we specify
>>
>>  {ciphers, [{rsa,aes_256_cbc,sha256}]},
>>
>>  then it is able to connect successfully
>>
>>  However, if we specify:
>>
>>  {ciphers, [{rsa,aes_256_cbc,sha256}, {ecdhe_rsa,aes_256_cbc,sha}]},
>>
>>  then the connection fails.
>>
>>  I didn't debug further, but did notice this following in
>> tls_handshake.erl, which seems like it might be related:
>>
>>     %% TODO: need to take supported Curves into Account when selecting
>> the CipherSuite....
>>    %%       if whe have an ECDSA cert with an unsupported curve, we need
>> to drop ECDSA ciphers
>>
>>
> _______________________________________________
> erlang-questions mailing list
> erlang-questions@REDACTED
> http://erlang.org/mailman/listinfo/erlang-questions
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20130624/129dae8a/attachment.htm>


More information about the erlang-questions mailing list