[erlang-questions] Fwd: SSL handshake fails

Ingela Andin ingela.andin@REDACTED
Wed Sep 24 22:34:12 CEST 2014 

---------- Forwarded message ----------
From: Ingela Andin <ingela.andin@REDACTED>
Date: 2014-09-24 14:14 GMT+02:00
Subject: Re: [erlang-questions] SSL handshake fails
To: Daniel Abrahamsson <daniel.abrahamsson@REDACTED>


Hi!

It will of course be included in the next open source release, and merged
to github maint
shortly.

Regards Ingela Erlang/OTP team - Ericsson AB


2014-09-24 11:43 GMT+02:00 Daniel Abrahamsson <daniel.abrahamsson@REDACTED
>:

> Got exactly the same error for some of our connections after
> upgrading from R16B03 to 17.3.
>
> Will this patch be included with the next stable release on the 17.x
> branch?
>
> //Daniel
>
> On Tue, Sep 23, 2014 at 2:29 PM, Ingela Andin <ingela.andin@REDACTED>
> wrote:
>
>> Hi!
>>
>> After some investigation I have concluded that the server may send an
>> SNI-extension, and that if it does so, it shall be empty.
>>
>> "In this event, the
>>    server SHALL include an extension of type "server_name" in the
>>    (extended) server hello.  The "extension_data" field of this
>>    extension SHALL be empty."
>>
>>
>> I do not really see the point in include an empty SNI-extension on the
>> server side, but as the RFC says so here comes a patch to handle it.
>>
>> diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
>> index 22673e4..eee33ef 100644
>> --- a/lib/ssl/src/ssl_handshake.erl
>> +++ b/lib/ssl/src/ssl_handshake.erl
>> @@ -1732,6 +1732,9 @@
>> dec_hello_extensions(<<?UINT16(?EC_POINT_FORMATS_EXT), ?UINT16(Len),
>>                              #ec_point_formats{ec_point_format_list =
>>                                            ECPointFormats}});
>>
>> +dec_hello_extensions(<<?UINT16(?SNI_EXT), ?UINT16(Len), Rest/binary>>,
>> Acc) when Len == 0 ->
>> +    dec_hello_extensions(Rest, Acc#hello_extensions{sni = ""}); %%
>> Server may send an empy SNI
>> +
>>  dec_hello_extensions(<<?UINT16(?SNI_EXT), ?UINT16(Len),
>>                  ExtData:Len/binary, Rest/binary>>, Acc) ->
>>      <<?UINT16(_), NameList/binary>> = ExtData,
>>
>>
>> Regards Ingela Erlang/OTP Team - Ericsson AB
>>
>>
>>
>> 2014-09-19 11:00 GMT+02:00 Iván Martínez <ivan.martinez@REDACTED>:
>>
>>> Hello all,
>>> I just hired a CentOS 7 server that came with very little software
>>> installed. I installed Erlang 17.3 from sources, attached is output of the
>>> configure step. Now I'm trying to install zotonic but it fails when trying
>>> to do a SSL handshake with github, see below:
>>>
>>> [ivan@REDACTED zotonic]$ make
>>> erl -noshell -s inets -s ssl \
>>>   -eval '{ok, saved_to_file} = httpc:request(get, {"
>>> https://github.com/rebar/rebar/wiki/rebar", []}, [], [{stream,
>>> "./rebar"}])' \
>>>   -s init stop
>>> {"init terminating in
>>> do_boot",{{badmatch,{error,{failed_connect,[{to_address,{"github.com",443}},{inet,[inet],{eoptions,{{{badmatch,<<0
>>> bytes>>},[{ssl_handshake,dec_hello_extensions,2,[{file,"ssl_handshake.erl"},{line,1737}]},{ssl_handshake,decode_handshake,3,[{file,"ssl_handshake.erl"},{line,926}]},{tls_handshake,get_tls_handshake_aux,3,[{file,"tls_handshake.erl"},{line,155}]},{tls_connection,next_state,4,[{file,"tls_connection.erl"},{line,433}]},{gen_fsm,handle_msg,7,[{file,"gen_fsm.erl"},{line,503}]},{proc_lib,init_p_do_apply,3,[{file,"proc_lib.erl"},{line,237}]}]},{gen_fsm,sync_send_all_state_event,[<0.54.0>,{start,infinity},infinity]}}}}]}}},[{erl_eval,expr,3,[]}]}}
>>>
>>> Crash dump was written to: erl_crash.dump
>>> init terminating in do_boot ()
>>> make: *** [rebar] Error 1
>>>
>>> I tried to do the handshake with openssl and apparently it works:
>>>
>>> [ivan@REDACTED zotonic]$ openssl s_client -host github.com -port 443
>>> CONNECTED(00000003)
>>> depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert
>>> High Assurance EV Root CA
>>> verify return:1
>>> depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert
>>> SHA2 Extended Validation Server CA
>>> verify return:1
>>> depth=0 businessCategory = Private Organization,
>>> 1.3.6.1.4.1.311.60.2.1.3 = US, 1.3.6.1.4.1.311.60.2.1.2 = Delaware,
>>> serialNumber = 5157550, street = 548 4th Street, postalCode = 94107, C =
>>> US, ST = California, L = San Francisco, O = "GitHub, Inc.", CN =
>>> github.com
>>> verify return:1
>>> ---
>>> Certificate chain
>>>  0 s:/businessCategory=Private
>>> Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=5157550/street=548
>>> 4th Street/postalCode=94107/C=US/ST=California/L=San Francisco/O=GitHub,
>>> Inc./CN=github.com
>>>    i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended
>>> Validation Server CA
>>>  1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended
>>> Validation Server CA
>>>    i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High
>>> Assurance EV Root CA
>>> ---
>>> Server certificate
>>> -----BEGIN CERTIFICATE-----
>>> MIIF4DCCBMigAwIBAgIQDACTENIG2+M3VTWAEY3chzANBgkqhkiG9w0BAQsFADB1
>>> ...
>>> XX4C2NesiZcLYbc2n7B9O+63M2k=
>>> -----END CERTIFICATE-----
>>> subject=/businessCategory=Private
>>> Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=5157550/street=548
>>> 4th Street/postalCode=94107/C=US/ST=California/L=San Francisco/O=GitHub,
>>> Inc./CN=github.com
>>> issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2
>>> Extended Validation Server CA
>>> ---
>>> No client certificate CA names sent
>>> Server Temp Key: ECDH, prime256v1, 256 bits
>>> ---
>>> SSL handshake has read 3233 bytes and written 375 bytes
>>> ---
>>> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
>>> Server public key is 2048 bit
>>> Secure Renegotiation IS supported
>>> Compression: NONE
>>> Expansion: NONE
>>> SSL-Session:
>>>     Protocol  : TLSv1.2
>>>     Cipher    : ECDHE-RSA-AES128-GCM-SHA256
>>>     Session-ID:
>>> DDEF6E78852287351EC5B20FFDD2578F8996E7226CB883A5F1A94325048B79C6
>>>     Session-ID-ctx:
>>>     Master-Key:
>>> D6C6283F463BFCD5A160E0CCE0CC8962CF944E5C98153040E4BC20466981B1622A5327C1E6BBED5F1751A049782908E5
>>>     Key-Arg   : None
>>>     Krb5 Principal: None
>>>     PSK identity: None
>>>     PSK identity hint: None
>>>     Start Time: 1411113552
>>>     Timeout   : 300 (sec)
>>>     Verify return code: 0 (ok)
>>> ---
>>> closed
>>>
>>> What can be wrong?. Thank you.
>>> Ivan
>>>
>>> _______________________________________________
>>> erlang-questions mailing list
>>> erlang-questions@REDACTED
>>> http://erlang.org/mailman/listinfo/erlang-questions
>>>
>>>
>>
>> _______________________________________________
>> erlang-questions mailing list
>> erlang-questions@REDACTED
>> http://erlang.org/mailman/listinfo/erlang-questions
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20140924/c86a01f1/attachment.htm>

More information about the erlang-questions mailing list