[erlang-questions] SSL connection problem
Guilherme Andrade
g@REDACTED
Sun Jun 7 23:28:02 CEST 2015
On 07-06-2015 22:15, Alexander Petrovsky wrote:
> Hi!
>
> Maybe it can help
> - https://blog.process-one.net/apple-increasing-security-of-push-service-ahead-of-wwdc/
Thank you, very enlightening. It doesn't feel quite safe to fallback to
'null' / 'anon', though? Hmm...
>
> воскресенье, 7 июня 2015 г. пользователь Guilherme Andrade написал:
>
>
> On 07-06-2015 16:12, Denis Justinek wrote:
>> Hello!
>>
>> For the last few days I stared experiencing problems when
>> connecting to Apple Push Notification Service (APNS) with
>> Erlangs SSL.
>
> Yeah, I've been getting this too, albeit only on the sandbox
> endpoint; R16B03-1 here.
>
> It's rather weird; the TLS 1.2 spec[1] lists the following hashing
> algorithms:
>
> enum {
> none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
> sha512(6), (255)
> } HashAlgorithm;
>
> 239 being 0xEF, it's a rather suspicious bitmask, so I would go with
> either 1) handshake message being wrongly decoded or 2) something fishy
> on the their end.
>
>
>
> [1]: https://www.ietf.org/rfc/rfc5246.txt
>
>
>>
>> When trying to connect I encounter the following error:
>>
>> ** exception exit: {{function_clause,[{ssl_cipher,hash_algorithm,"ï",
>>
>> [{file,"ssl_cipher.erl"},{line,1196}]},
>>
>> {ssl_handshake,'-decode_handshake/3-lc$^0/1-0-',1,
>>
>> [{file,"ssl_handshake.erl"},{line,945}]},
>>
>> {ssl_handshake,'-decode_handshake/3-lc$^0/1-0-',1,
>>
>> [{file,"ssl_handshake.erl"},{line,946}]},
>>
>> {ssl_handshake,decode_handshake,3,
>>
>> [{file,"ssl_handshake.erl"},{line,945}]},
>>
>> {tls_handshake,get_tls_handshake_aux,3,
>>
>> [{file,"tls_handshake.erl"},{line,155}]},
>> {tls_connection,next_state,4,
>>
>> [{file,"tls_connection.erl"},{line,433}]},
>> {tls_connection,next_state,4,
>>
>> [{file,"tls_connection.erl"},{line,437}]},
>>
>> {gen_fsm,handle_msg,7,[{file,"gen_fsm.erl"},{line,503}]}]},
>> {gen_fsm,sync_send_all_state_event,
>> [<0.1221.0>,{start,1000},infinity]}}
>> in function gen_fsm:sync_send_all_state_event/3
>> (gen_fsm.erl, line 242)
>> in call from ssl_connection:sync_send_all_state_event/2
>> (ssl_connection.erl, line 1654)
>> in call from ssl_connection:handshake/2 (ssl_connection.erl,
>> line 101)
>> in call from tls_connection:start_fsm/8 (tls_connection.erl,
>> line 81)
>> in call from ssl_connection:connect/8 (ssl_connection.erl,
>> line 71)
>> 16:53:13.961 <0.1221.0> Undefined Undefined [error] gen_fsm
>> <0.1221.0> in state certify terminated with reason: no function
>> clause matching ssl_cipher:hash_algorithm(239) line 1196
>> 16:53:13.964 <0.1221.0> Undefined Undefined [error] CRASH REPORT
>> Process <0.1221.0> with 0 neighbours exited with reason: no
>> function clause matching ssl_cipher:hash_algorithm(239) line 1196
>> in gen_fsm:terminate/7 line 611
>> 16:53:13.965 <0.174.0> Undefined Undefined [error] Supervisor
>> tls_connection_sup had child undefined started with
>> {tls_connection,start_link,undefined} at <0.1221.0> exit with
>> reason no function clause matching ssl_cipher:hash_algorithm(239)
>> line 1196 in context child_terminated
>>
>> Steps to reproduce (you need an APNS certificate for this):
>>
>> application:ensure_all_started(ssl).
>> Address = "gateway.sandbox.push.apple.com
>> <http://gateway.sandbox.push.apple.com>".
>> Port = 2195.
>> Cert = "cert.pem".
>> CertPass = "*****".
>> Options1 = [{certfile,Cert},{password,CertPass},{mode,binary}].
>> Timeout = 1000.
>> {ok,Socket} = ssl:connect(Address, Port, Options1, Timeout).
>>
>> If we try to connect with the same certificate by using OpenSSL
>> from command line (s_client) if works fine with no errors.
>>
>> Terminal command: openssl s_client -connect
>> gateway.sandbox.push.apple.com:2195
>> <http://gateway.sandbox.push.apple.com:2195> -cert cert.pem -debug
>> Enter pass phrase for cert.pem:
>> CONNECTED(00000003)
>> ...
>> Certificate chain
>> 0 s:/C=US/ST=California/L=Cupertino/O=Apple
>> Inc./CN=gateway.sandbox.push.apple.com
>> <http://gateway.sandbox.push.apple.com>
>> i:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa
>> <http://www.entrust.net/rpa> is incorporated by reference/OU=(c)
>> 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
>> 1 s:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa
>> <http://www.entrust.net/rpa> is incorporated by reference/OU=(c)
>> 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
>> i:/O=Entrust.net/OU=www.entrust.net/CPS_2048
>> <http://www.entrust.net/CPS_2048> incorp. by ref. (limits
>> liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net
>> Certification Authority (2048)
>> ---
>> ...
>> subject=/C=US/ST=California/L=Cupertino/O=Apple
>> Inc./CN=gateway.sandbox.push.apple.com
>> <http://gateway.sandbox.push.apple.com>
>> issuer=/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa
>> <http://www.entrust.net/rpa> is incorporated by reference/OU=(c)
>> 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
>> ---
>> No client certificate CA names sent
>> ---
>> SSL handshake has read 2760 bytes and written 2363 bytes
>> ---
>> New, TLSv1/SSLv3, Cipher is AES256-SHA
>> Server public key is 2048 bit
>> Secure Renegotiation IS supported
>> Compression: NONE
>> Expansion: NONE
>> SSL-Session:
>> Protocol : TLSv1
>> Cipher : AES256-SHA
>> Session-ID:
>> Session-ID-ctx:
>> Master-Key: ...
>> Key-Arg : None
>> Start Time: 1433689177
>> Timeout : 300 (sec)
>> Verify return code: 0 (ok)
>> ---
>>
>> Is this an issue with Erlang SSL module? How can it be mitigated?
>>
>> This can be reproduced on OSX and Linux - Erlang 17.4.
>>
>> With regards,
>> Denis
>>
>>
>> _______________________________________________
>> erlang-questions mailing list
>> erlang-questions@REDACTED <javascript:_e(%7B%7D,'cvml','erlang-questions@REDACTED');>
>> http://erlang.org/mailman/listinfo/erlang-questions
>
> --
> Guilherme
>
> https://www.gandrade.net/
> PGP: 0x602B2AD8 / B348 C976 CCE1 A02A 017E 4649 7A6E B621 602B 2AD8
>
>
>
> --
> Петровский Александр / Alexander Petrovsky,
>
> Skype: askjuise
> Phone: +7 914 8 820 815
>
>
--
Guilherme
https://www.gandrade.net/
PGP: 0x602B2AD8 / B348 C976 CCE1 A02A 017E 4649 7A6E B621 602B 2AD8
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20150607/cb57cc42/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20150607/cb57cc42/attachment.bin>
More information about the erlang-questions
mailing list