[erlang-questions] SSL inconsistencies in expected return values of 'ssl:connect/2'
Andre Graf
andre.graf@REDACTED
Wed Oct 8 10:55:15 CEST 2014
On 10/08/2014 10:47 AM, Ingela Andin wrote:
> Hi!
>
> 2014-10-08 0:22 GMT+02:00 Andre Graf <andre.graf@REDACTED>:
>
> Hi there,
>
> today I wrote an EUnit test suite that should check the SSL connection
> setup to an Erlang SSL server. Although the test cases are pretty simple
> and standard, I stumbled upon various inconsistencies when testing
> against different OTP versions (R15B02, R16B03-1, OTP-17.3.1). I thought
> I'd share my findings.
>
> The different test cases are:
>
> 1. Connect No Client Auth (SUCCESS)
> 2. Connect No Client Auth (FAIL: wrong CA)
> 3. Connect Client Auth (SUCCESS)
> 4. Connect Client Auth (FAIL: no Client Cert provided)
> 5. Connect Client Auth (FAIL: Client Cert expired)
> 6. Connect Client Auth (FAIL: CRL check, Client Cert revoked)
> 7. Connect Client Auth (SUCCESS, CRL check)
>
> Inconsistencies in expected return of 'ssl:connect/2' in test case 2:
> - R15B02: {error,"unknown ca"}}
> - R16B03-1: {error,{tls_alert,"unknown ca"}}
> - OTP-17.3.1: {error,{tls_alert,"unknown ca"}}
>
>
> This is part of the documented potential incompatibility that we
> chose to do to improve the quality of the error messages.
>
>
>
> Inconsistencies in expected return of 'ssl:connect/2' in test case 3:
> - R15B02: {ok, Sock}
> - R16B03-1: {ok, Sock}
> - OTP-17.3.1: {error,closed}
>
>
> Will try your test case when I get time. Seems strange.
>
>
>
> Inconsistencies in expected return of 'ssl:connect/2' in test case 4:
> - R15B02: {error,esslconnect}
> - R16B03-1: {error,{tls_alert,"handshake failure"}}
> - OTP-17.3.1: {error,{tls_alert,"handshake failure"}}
>
>
> This is also part of the documented potential incompatibility that we
> chose to do to improve the quality of the error messages.
>
>
> Inconsistencies in expected return of 'ssl:connect/2' in test case 5:
> - R15B02: {error,"certificate expired"}
> - R16B03-1: {error,{tls_alert,"certificate expired"}}
> - OTP-17.3.1: {error,{tls_alert,"unknown ca"}}
>
> Will try your test case when I get time. Seems strange.
>
>
> Inconsistencies in expected return of 'ssl:connect/2' in test case 6:
> - R15B02: SSL handshake process crashes
> - R16B03-1: {error,{tls_alert,"certificate revoked"}}
> - OTP-17.3.1: {error,closed}
>
>
> Alas, you can never depend on getting the correct error message and not
> {error,closed}, as TCP does not have a delivery guarantee on application
> level, only on transport level.
> So ssl sends its alert and then closes the socket, and with bad timing
> the application may receive the socket close before it receives the
> error message data.
>
> Inconsistencies in expected return of 'ssl:connect/2' in test case 7:
> - R15B02: {ok, Socket}
> - R16B03-1: {ok, Socket}
> - OTP-17.3.1: {error,{tls_alert,"unknown ca"}}
>
>
> Will try your test case when I get time. Seems strange.
>
>
> Regards Ingela Erlang/OTP team - Ericsson AB
>
>
> No inconsistencies in test case 1. :)
>
> The code is available on https://github.com/dergraf/erlang_ssl_tester.
>
> Cheers,
> André
Hello Ingela,
Thanks for your reply. Please let me know if you need any help with the
test case. The tests should pass on R16B03-1, just run 'rebar eunit'.
Cheers,
André
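
An added example, not part of this thread or of erlang_ssl_tester: one way to write negative-path assertions that tolerate the return shapes listed above, including the `{error,closed}` race Ingela describes. The module name, function names and the `{rejected, Reason}` vocabulary are assumptions made for illustration.

```erlang
-module(ssl_connect_result).
-export([classify/1, rejected_as/2, demo/0]).

%% Map the ssl:connect return shapes reported in this thread onto one
%% vocabulary, so a test does not hard-code a release-specific tuple.
classify({ok, _Socket}) -> ok;
%% R16B03-1 and OTP-17.3.1 wrap the alert description in a tls_alert tuple.
classify({error, {tls_alert, Desc}}) when is_list(Desc) -> alert(Desc);
%% R15B02 returned the bare description string.
classify({error, Desc}) when is_list(Desc) -> alert(Desc);
%% R15B02 returned this atom in test case 4 (no client certificate).
classify({error, esslconnect}) -> {rejected, handshake_failure};
%% The close arrived before the alert data: the reason is not known.
classify({error, closed}) -> {rejected, unknown};
%% Any other error is still a rejection; keep the raw term for the report.
classify({error, Other}) -> {rejected, {other, Other}}.

alert("unknown ca")          -> {rejected, unknown_ca};
alert("handshake failure")   -> {rejected, handshake_failure};
alert("certificate expired") -> {rejected, certificate_expired};
alert("certificate revoked") -> {rejected, certificate_revoked};
alert(Other)                 -> {rejected, {other, Other}}.

%% A negative test passes when the connection was refused with the
%% expected reason, or refused with no reason delivered (closed).
%% It fails on {ok, _} and on a different, explicit reason.
rejected_as(Expected, Result) ->
    case classify(Result) of
        {rejected, Expected} -> true;
        {rejected, unknown}  -> true;
        _                    -> false
    end.

%% Constructed inputs: the values quoted in the thread for test cases 2-6.
demo() ->
    true  = rejected_as(unknown_ca, {error, "unknown ca"}),
    true  = rejected_as(unknown_ca, {error, {tls_alert, "unknown ca"}}),
    true  = rejected_as(handshake_failure, {error, esslconnect}),
    true  = rejected_as(certificate_revoked, {error, closed}),
    %% Test case 5 on OTP-17.3.1: refused, but with a different explicit reason.
    false = rejected_as(certificate_expired, {error, {tls_alert, "unknown ca"}}),
    %% A handshake that succeeds when it should be refused must fail the test.
    false = rejected_as(unknown_ca, {ok, fake_socket}),
    ok.
```

Accepting `{rejected, unknown}` keeps the suite stable against the close-before-alert timing, while an unexpected `{ok, _}` or a mismatched alert such as the one in test case 5 still fails the test.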