[erlang-questions] SSL handshake fails

Ingela Andin ingela.andin@REDACTED
Tue Sep 23 14:29:01 CEST 2014 

Hi!

After some investigation I have concluded that the server may send an
SNI-extension, and that if it does so, it shall be empty.

"In this event, the
   server SHALL include an extension of type "server_name" in the
   (extended) server hello.  The "extension_data" field of this
   extension SHALL be empty."


I do not really see the point in include an empty SNI-extension on the
server side, but as the RFC says so here comes a patch to handle it.

diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
index 22673e4..eee33ef 100644
--- a/lib/ssl/src/ssl_handshake.erl
+++ b/lib/ssl/src/ssl_handshake.erl
@@ -1732,6 +1732,9 @@
dec_hello_extensions(<<?UINT16(?EC_POINT_FORMATS_EXT), ?UINT16(Len),
                             #ec_point_formats{ec_point_format_list =
                                           ECPointFormats}});

+dec_hello_extensions(<<?UINT16(?SNI_EXT), ?UINT16(Len), Rest/binary>>,
Acc) when Len == 0 ->
+    dec_hello_extensions(Rest, Acc#hello_extensions{sni = ""}); %% Server
may send an empy SNI
+
 dec_hello_extensions(<<?UINT16(?SNI_EXT), ?UINT16(Len),
                 ExtData:Len/binary, Rest/binary>>, Acc) ->
     <<?UINT16(_), NameList/binary>> = ExtData,


Regards Ingela Erlang/OTP Team - Ericsson AB



2014-09-19 11:00 GMT+02:00 Iván Martínez <ivan.martinez@REDACTED>:

> Hello all,
> I just hired a CentOS 7 server that came with very little software
> installed. I installed Erlang 17.3 from sources, attached is output of the
> configure step. Now I'm trying to install zotonic but it fails when trying
> to do a SSL handshake with github, see below:
>
> [ivan@REDACTED zotonic]$ make
> erl -noshell -s inets -s ssl \
>   -eval '{ok, saved_to_file} = httpc:request(get, {"
> https://github.com/rebar/rebar/wiki/rebar", []}, [], [{stream,
> "./rebar"}])' \
>   -s init stop
> {"init terminating in
> do_boot",{{badmatch,{error,{failed_connect,[{to_address,{"github.com",443}},{inet,[inet],{eoptions,{{{badmatch,<<0
> bytes>>},[{ssl_handshake,dec_hello_extensions,2,[{file,"ssl_handshake.erl"},{line,1737}]},{ssl_handshake,decode_handshake,3,[{file,"ssl_handshake.erl"},{line,926}]},{tls_handshake,get_tls_handshake_aux,3,[{file,"tls_handshake.erl"},{line,155}]},{tls_connection,next_state,4,[{file,"tls_connection.erl"},{line,433}]},{gen_fsm,handle_msg,7,[{file,"gen_fsm.erl"},{line,503}]},{proc_lib,init_p_do_apply,3,[{file,"proc_lib.erl"},{line,237}]}]},{gen_fsm,sync_send_all_state_event,[<0.54.0>,{start,infinity},infinity]}}}}]}}},[{erl_eval,expr,3,[]}]}}
>
> Crash dump was written to: erl_crash.dump
> init terminating in do_boot ()
> make: *** [rebar] Error 1
>
> I tried to do the handshake with openssl and apparently it works:
>
> [ivan@REDACTED zotonic]$ openssl s_client -host github.com -port 443
> CONNECTED(00000003)
> depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert
> High Assurance EV Root CA
> verify return:1
> depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert
> SHA2 Extended Validation Server CA
> verify return:1
> depth=0 businessCategory = Private Organization, 1.3.6.1.4.1.311.60.2.1.3
> = US, 1.3.6.1.4.1.311.60.2.1.2 = Delaware, serialNumber = 5157550, street =
> 548 4th Street, postalCode = 94107, C = US, ST = California, L = San
> Francisco, O = "GitHub, Inc.", CN = github.com
> verify return:1
> ---
> Certificate chain
>  0 s:/businessCategory=Private
> Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=5157550/street=548
> 4th Street/postalCode=94107/C=US/ST=California/L=San Francisco/O=GitHub,
> Inc./CN=github.com
>    i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended
> Validation Server CA
>  1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended
> Validation Server CA
>    i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance
> EV Root CA
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MIIF4DCCBMigAwIBAgIQDACTENIG2+M3VTWAEY3chzANBgkqhkiG9w0BAQsFADB1
> ...
> XX4C2NesiZcLYbc2n7B9O+63M2k=
> -----END CERTIFICATE-----
> subject=/businessCategory=Private
> Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=5157550/street=548
> 4th Street/postalCode=94107/C=US/ST=California/L=San Francisco/O=GitHub,
> Inc./CN=github.com
> issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended
> Validation Server CA
> ---
> No client certificate CA names sent
> Server Temp Key: ECDH, prime256v1, 256 bits
> ---
> SSL handshake has read 3233 bytes and written 375 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : ECDHE-RSA-AES128-GCM-SHA256
>     Session-ID:
> DDEF6E78852287351EC5B20FFDD2578F8996E7226CB883A5F1A94325048B79C6
>     Session-ID-ctx:
>     Master-Key:
> D6C6283F463BFCD5A160E0CCE0CC8962CF944E5C98153040E4BC20466981B1622A5327C1E6BBED5F1751A049782908E5
>     Key-Arg   : None
>     Krb5 Principal: None
>     PSK identity: None
>     PSK identity hint: None
>     Start Time: 1411113552
>     Timeout   : 300 (sec)
>     Verify return code: 0 (ok)
> ---
> closed
>
> What can be wrong?. Thank you.
> Ivan
>
> _______________________________________________
> erlang-questions mailing list
> erlang-questions@REDACTED
> http://erlang.org/mailman/listinfo/erlang-questions
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20140923/80ac1238/attachment.htm>

More information about the erlang-questions mailing list