[erlang-questions] SSL handshake fails

Ben Murphy benmmurphy@REDACTED
Fri Sep 19 14:50:19 CEST 2014 

I think it is because it sends an empty server_name extension and otp
cannot handle it.

   A server that receives a client hello containing the "server_name"
   extension MAY use the information contained in the extension to guide
   its selection of an appropriate certificate to return to the client,
   and/or other aspects of security policy.  In this event, the server
   SHALL include an extension of type "server_name" in the (extended)
   server hello.  The "extension_data" field of this extension SHALL be
   empty.



On Fri, Sep 19, 2014 at 10:00 AM, Iván Martínez
<ivan.martinez@REDACTED> wrote:
> Hello all,
> I just hired a CentOS 7 server that came with very little software
> installed. I installed Erlang 17.3 from sources, attached is output of the
> configure step. Now I'm trying to install zotonic but it fails when trying
> to do a SSL handshake with github, see below:
>
> [ivan@REDACTED zotonic]$ make
> erl -noshell -s inets -s ssl \
>   -eval '{ok, saved_to_file} = httpc:request(get,
> {"https://github.com/rebar/rebar/wiki/rebar", []}, [], [{stream,
> "./rebar"}])' \
>   -s init stop
> {"init terminating in
> do_boot",{{badmatch,{error,{failed_connect,[{to_address,{"github.com",443}},{inet,[inet],{eoptions,{{{badmatch,<<0
> bytes>>},[{ssl_handshake,dec_hello_extensions,2,[{file,"ssl_handshake.erl"},{line,1737}]},{ssl_handshake,decode_handshake,3,[{file,"ssl_handshake.erl"},{line,926}]},{tls_handshake,get_tls_handshake_aux,3,[{file,"tls_handshake.erl"},{line,155}]},{tls_connection,next_state,4,[{file,"tls_connection.erl"},{line,433}]},{gen_fsm,handle_msg,7,[{file,"gen_fsm.erl"},{line,503}]},{proc_lib,init_p_do_apply,3,[{file,"proc_lib.erl"},{line,237}]}]},{gen_fsm,sync_send_all_state_event,[<0.54.0>,{start,infinity},infinity]}}}}]}}},[{erl_eval,expr,3,[]}]}}
>
> Crash dump was written to: erl_crash.dump
> init terminating in do_boot ()
> make: *** [rebar] Error 1
>
> I tried to do the handshake with openssl and apparently it works:
>
> [ivan@REDACTED zotonic]$ openssl s_client -host github.com -port 443
> CONNECTED(00000003)
> depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High
> Assurance EV Root CA
> verify return:1
> depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2
> Extended Validation Server CA
> verify return:1
> depth=0 businessCategory = Private Organization, 1.3.6.1.4.1.311.60.2.1.3 =
> US, 1.3.6.1.4.1.311.60.2.1.2 = Delaware, serialNumber = 5157550, street =
> 548 4th Street, postalCode = 94107, C = US, ST = California, L = San
> Francisco, O = "GitHub, Inc.", CN = github.com
> verify return:1
> ---
> Certificate chain
>  0 s:/businessCategory=Private
> Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=5157550/street=548
> 4th Street/postalCode=94107/C=US/ST=California/L=San Francisco/O=GitHub,
> Inc./CN=github.com
>    i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended
> Validation Server CA
>  1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended
> Validation Server CA
>    i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV
> Root CA
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MIIF4DCCBMigAwIBAgIQDACTENIG2+M3VTWAEY3chzANBgkqhkiG9w0BAQsFADB1
> ...
> XX4C2NesiZcLYbc2n7B9O+63M2k=
> -----END CERTIFICATE-----
> subject=/businessCategory=Private
> Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=5157550/street=548
> 4th Street/postalCode=94107/C=US/ST=California/L=San Francisco/O=GitHub,
> Inc./CN=github.com
> issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended
> Validation Server CA
> ---
> No client certificate CA names sent
> Server Temp Key: ECDH, prime256v1, 256 bits
> ---
> SSL handshake has read 3233 bytes and written 375 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : ECDHE-RSA-AES128-GCM-SHA256
>     Session-ID:
> DDEF6E78852287351EC5B20FFDD2578F8996E7226CB883A5F1A94325048B79C6
>     Session-ID-ctx:
>     Master-Key:
> D6C6283F463BFCD5A160E0CCE0CC8962CF944E5C98153040E4BC20466981B1622A5327C1E6BBED5F1751A049782908E5
>     Key-Arg   : None
>     Krb5 Principal: None
>     PSK identity: None
>     PSK identity hint: None
>     Start Time: 1411113552
>     Timeout   : 300 (sec)
>     Verify return code: 0 (ok)
> ---
> closed
>
> What can be wrong?. Thank you.
> Ivan
>
> _______________________________________________
> erlang-questions mailing list
> erlang-questions@REDACTED
> http://erlang.org/mailman/listinfo/erlang-questions
>

More information about the erlang-questions mailing list