[erlang-questions] SSL connection problem
Alexander Petrovsky
askjuise@REDACTED
Sun Jun 7 23:15:19 CEST 2015
Hi!
Maybe it can help -
https://blog.process-one.net/apple-increasing-security-of-push-service-ahead-of-wwdc/
воскресенье, 7 июня 2015 г. пользователь Guilherme Andrade написал:
>
> On 07-06-2015 16:12, Denis Justinek wrote:
>
> Hello!
>
> For the last few days I stared experiencing problems when connecting to
> Apple Push Notification Service (APNS) with
> Erlangs SSL.
>
>
> Yeah, I've been getting this too, albeit only on the sandbox endpoint;
> R16B03-1 here.
>
> It's rather weird; the TLS 1.2 spec[1] lists the following hashing
> algorithms:
>
> enum {
> none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
> sha512(6), (255)
> } HashAlgorithm;
>
> 239 being 0xEF, it's a rather suspicious bitmask, so I would go with
> either 1) handshake message being wrongly decoded or 2) something fishy
> on the their end.
>
>
>
> [1]: https://www.ietf.org/rfc/rfc5246.txt
>
>
>
> When trying to connect I encounter the following error:
>
> ** exception exit: {{function_clause,[{ssl_cipher,hash_algorithm,"ï",
>
> [{file,"ssl_cipher.erl"},{line,1196}]},
>
> {ssl_handshake,'-decode_handshake/3-lc$^0/1-0-',1,
>
> [{file,"ssl_handshake.erl"},{line,945}]},
>
> {ssl_handshake,'-decode_handshake/3-lc$^0/1-0-',1,
>
> [{file,"ssl_handshake.erl"},{line,946}]},
> {ssl_handshake,decode_handshake,3,
>
> [{file,"ssl_handshake.erl"},{line,945}]},
>
> {tls_handshake,get_tls_handshake_aux,3,
>
> [{file,"tls_handshake.erl"},{line,155}]},
> {tls_connection,next_state,4,
>
> [{file,"tls_connection.erl"},{line,433}]},
> {tls_connection,next_state,4,
>
> [{file,"tls_connection.erl"},{line,437}]},
>
> {gen_fsm,handle_msg,7,[{file,"gen_fsm.erl"},{line,503}]}]},
> {gen_fsm,sync_send_all_state_event,
> [<0.1221.0>,{start,1000},infinity]}}
> in function gen_fsm:sync_send_all_state_event/3 (gen_fsm.erl, line
> 242)
> in call from ssl_connection:sync_send_all_state_event/2
> (ssl_connection.erl, line 1654)
> in call from ssl_connection:handshake/2 (ssl_connection.erl, line 101)
> in call from tls_connection:start_fsm/8 (tls_connection.erl, line 81)
> in call from ssl_connection:connect/8 (ssl_connection.erl, line 71)
> 16:53:13.961 <0.1221.0> Undefined Undefined [error] gen_fsm <0.1221.0> in
> state certify terminated with reason: no function clause matching
> ssl_cipher:hash_algorithm(239) line 1196
> 16:53:13.964 <0.1221.0> Undefined Undefined [error] CRASH REPORT Process
> <0.1221.0> with 0 neighbours exited with reason: no function clause
> matching ssl_cipher:hash_algorithm(239) line 1196 in gen_fsm:terminate/7
> line 611
> 16:53:13.965 <0.174.0> Undefined Undefined [error] Supervisor
> tls_connection_sup had child undefined started with
> {tls_connection,start_link,undefined} at <0.1221.0> exit with reason no
> function clause matching ssl_cipher:hash_algorithm(239) line 1196 in
> context child_terminated
>
> Steps to reproduce (you need an APNS certificate for this):
>
> application:ensure_all_started(ssl).
> Address = "gateway.sandbox.push.apple.com".
> Port = 2195.
> Cert = "cert.pem".
> CertPass = "*****".
> Options1 = [{certfile,Cert},{password,CertPass},{mode,binary}].
> Timeout = 1000.
> {ok,Socket} = ssl:connect(Address, Port, Options1, Timeout).
>
> If we try to connect with the same certificate by using OpenSSL from
> command line (s_client) if works fine with no errors.
>
> Terminal command: openssl s_client -connect
> gateway.sandbox.push.apple.com:2195 -cert cert.pem -debug
> Enter pass phrase for cert.pem:
> CONNECTED(00000003)
> ...
> Certificate chain
> 0 s:/C=US/ST=California/L=Cupertino/O=Apple Inc./CN=
> gateway.sandbox.push.apple.com
> i:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by
> reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
> 1 s:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by
> reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
> i:/O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref.
> (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification
> Authority (2048)
> ---
> ...
> subject=/C=US/ST=California/L=Cupertino/O=Apple Inc./CN=
> gateway.sandbox.push.apple.com
> issuer=/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated
> by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority -
> L1C
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 2760 bytes and written 2363 bytes
> ---
> New, TLSv1/SSLv3, Cipher is AES256-SHA
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
> Protocol : TLSv1
> Cipher : AES256-SHA
> Session-ID:
> Session-ID-ctx:
> Master-Key: ...
> Key-Arg : None
> Start Time: 1433689177
> Timeout : 300 (sec)
> Verify return code: 0 (ok)
> ---
>
> Is this an issue with Erlang SSL module? How can it be mitigated?
>
> This can be reproduced on OSX and Linux - Erlang 17.4.
>
> With regards,
> Denis
>
>
> _______________________________________________
> erlang-questions mailing listerlang-questions@REDACTED <javascript:_e(%7B%7D,'cvml','erlang-questions@REDACTED');>http://erlang.org/mailman/listinfo/erlang-questions
>
>
> --
> Guilherme
> https://www.gandrade.net/
> PGP: 0x602B2AD8 / B348 C976 CCE1 A02A 017E 4649 7A6E B621 602B 2AD8
>
>
--
Петровский Александр / Alexander Petrovsky,
Skype: askjuise
Phone: +7 914 8 820 815
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20150608/2bf80156/attachment.htm>
More information about the erlang-questions
mailing list