[erlang-questions] SSL connection problem

Yannis Juglaret yjuglaret@REDACTED
Mon Jun 8 09:24:44 CEST 2015


Doesn't feel safe indeed. Failure is not a big deal in an Erlang 
architecture, and there is probably nothing better to do than failing
in this case as you explained in your previous message. So it seems a 
better idea to just report this, and try to get more information on the 
origin of the problem.

-- Yannis

On 07/06/2015 23:28, Guilherme Andrade wrote:
>
>
> On 07-06-2015 22:15, Alexander Petrovsky wrote:
>> Hi!
>>
>> Maybe it can help -
>> https://blog.process-one.net/apple-increasing-security-of-push-service-ahead-of-wwdc/
>
> Thank you, very enlightening. It doesn't feel quite safe to fall back to
> 'null' / 'anon', though? Hmm...
>
>
>>
>> On Sunday, 7 June 2015, Guilherme Andrade wrote:
>>
>>
>>     On 07-06-2015 16:12, Denis Justinek wrote:
>>>     Hello!
>>>
>>>     For the last few days I started experiencing problems when
>>>     connecting to Apple Push Notification Service (APNS) with
>>>     Erlang's SSL.
>>
>>     Yeah, I've been getting this too, albeit only on the sandbox
>>     endpoint; R16B03-1 here.
>>
>>     It's rather weird; the TLS 1.2 spec[1] lists the following hashing
>>     algorithms:
>>
>>            enum {
>>                none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
>>                sha512(6), (255)
>>            } HashAlgorithm;
>>
>>     239 being 0xEF, it's a rather suspicious bitmask, so I would go with
>>     either 1) handshake message being wrongly decoded or 2) something fishy
>>     on their end.
>>
>>
>>
>>     [1]:https://www.ietf.org/rfc/rfc5246.txt
>>
>>
>>>
>>>     When trying to connect I encounter the following error:
>>>
>>>     ** exception exit: {{function_clause,[{ssl_cipher,hash_algorithm,"ï",
>>>     [{file,"ssl_cipher.erl"},{line,1196}]},
>>>     {ssl_handshake,'-decode_handshake/3-lc$^0/1-0-',1,
>>>     [{file,"ssl_handshake.erl"},{line,945}]},
>>>     {ssl_handshake,'-decode_handshake/3-lc$^0/1-0-',1,
>>>     [{file,"ssl_handshake.erl"},{line,946}]},
>>>     {ssl_handshake,decode_handshake,3,
>>>     [{file,"ssl_handshake.erl"},{line,945}]},
>>>     {tls_handshake,get_tls_handshake_aux,3,
>>>     [{file,"tls_handshake.erl"},{line,155}]},
>>>     {tls_connection,next_state,4,
>>>     [{file,"tls_connection.erl"},{line,433}]},
>>>     {tls_connection,next_state,4,
>>>     [{file,"tls_connection.erl"},{line,437}]},
>>>     {gen_fsm,handle_msg,7,[{file,"gen_fsm.erl"},{line,503}]}]},
>>>     {gen_fsm,sync_send_all_state_event,
>>>     [<0.1221.0>,{start,1000},infinity]}}
>>>          in function  gen_fsm:sync_send_all_state_event/3
>>>     (gen_fsm.erl, line 242)
>>>          in call from ssl_connection:sync_send_all_state_event/2
>>>     (ssl_connection.erl, line 1654)
>>>          in call from ssl_connection:handshake/2 (ssl_connection.erl,
>>>     line 101)
>>>          in call from tls_connection:start_fsm/8 (tls_connection.erl,
>>>     line 81)
>>>          in call from ssl_connection:connect/8 (ssl_connection.erl,
>>>     line 71)
>>>     16:53:13.961 <0.1221.0> Undefined Undefined [error] gen_fsm
>>>     <0.1221.0> in state certify terminated with reason: no function
>>>     clause matching ssl_cipher:hash_algorithm(239) line 1196
>>>     16:53:13.964 <0.1221.0> Undefined Undefined [error] CRASH REPORT
>>>     Process <0.1221.0> with 0 neighbours exited with reason: no
>>>     function clause matching ssl_cipher:hash_algorithm(239) line 1196
>>>     in gen_fsm:terminate/7 line 611
>>>     16:53:13.965 <0.174.0> Undefined Undefined [error] Supervisor
>>>     tls_connection_sup had child undefined started with
>>>     {tls_connection,start_link,undefined} at <0.1221.0> exit with
>>>     reason no function clause matching ssl_cipher:hash_algorithm(239)
>>>     line 1196 in context child_terminated
>>>
>>>     Steps to reproduce (you need an APNS certificate for this):
>>>
>>>         application:ensure_all_started(ssl).
>>>         Address = "gateway.sandbox.push.apple.com".
>>>         Port = 2195.
>>>         Cert = "cert.pem".
>>>         CertPass = "*****".
>>>         Options1 = [{certfile,Cert},{password,CertPass},{mode,binary}].
>>>         Timeout = 1000.
>>>         {ok,Socket} = ssl:connect(Address, Port, Options1, Timeout).
>>>
>>>     If we try to connect with the same certificate by using OpenSSL
>>>     from command line (s_client) it works fine with no errors.
>>>
>>>         Terminal command: openssl s_client -connect
>>>     gateway.sandbox.push.apple.com:2195 -cert cert.pem -debug
>>>         Enter pass phrase for cert.pem:
>>>         CONNECTED(00000003)
>>>         ...
>>>         Certificate chain
>>>          0 s:/C=US/ST=California/L=Cupertino/O=Apple
>>>     Inc./CN=gateway.sandbox.push.apple.com
>>>            i:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa
>>>     is incorporated by reference/OU=(c)
>>>     2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
>>>          1 s:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa
>>>     is incorporated by reference/OU=(c)
>>>     2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
>>>            i:/O=Entrust.net/OU=www.entrust.net/CPS_2048
>>>     incorp. by ref. (limits
>>>     liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net
>>>     Certification Authority (2048)
>>>         ---
>>>         ...
>>>         subject=/C=US/ST=California/L=Cupertino/O=Apple
>>>     Inc./CN=gateway.sandbox.push.apple.com
>>>         issuer=/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa
>>>     is incorporated by reference/OU=(c)
>>>     2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
>>>         ---
>>>         No client certificate CA names sent
>>>         ---
>>>         SSL handshake has read 2760 bytes and written 2363 bytes
>>>         ---
>>>         New, TLSv1/SSLv3, Cipher is AES256-SHA
>>>         Server public key is 2048 bit
>>>         Secure Renegotiation IS supported
>>>         Compression: NONE
>>>         Expansion: NONE
>>>         SSL-Session:
>>>             Protocol  : TLSv1
>>>             Cipher    : AES256-SHA
>>>             Session-ID:
>>>             Session-ID-ctx:
>>>             Master-Key: ...
>>>             Key-Arg   : None
>>>             Start Time: 1433689177
>>>             Timeout   : 300 (sec)
>>>             Verify return code: 0 (ok)
>>>     ---
>>>
>>>     Is this an issue with Erlang SSL module? How can it be mitigated?
>>>
>>>     This can be reproduced on OSX and Linux - Erlang 17.4.
>>>
>>>     With regards,
>>>         Denis
>>>
>>>
>>>     _______________________________________________
>>>     erlang-questions mailing list
>>>     erlang-questions@REDACTED
>>>     http://erlang.org/mailman/listinfo/erlang-questions
>>
>>     --
>>     Guilherme
>>
>>     https://www.gandrade.net/
>>     PGP: 0x602B2AD8 / B348 C976 CCE1 A02A 017E 4649 7A6E B621 602B 2AD8
>>
>>
>>
>> --
>> Петровский Александр / Alexander Petrovsky,
>>
>> Skype: askjuise
>> Phone: +7 914 8 820 815
>>
>>
>
> --
> Guilherme
>
> https://www.gandrade.net/
> PGP: 0x602B2AD8 / B348 C976 CCE1 A02A 017E 4649 7A6E B621 602B 2AD8
>
>
>
>
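
The failure discussed in this thread, as an added example that is not part of the original messages and is not OTP's ssl code: a decoder for a list of TLS 1.2 SignatureAndHashAlgorithm pairs (RFC 5246, section 7.4.1.4.1) whose lookup functions end in a catch-all clause, so an unassigned value such as 239 is tagged and dropped instead of raising function_clause or being mapped to none/anonymous. The module name sigalgs_demo, its function names, the atom names and the sample bytes are assumptions made up for illustration.

```erlang
-module(sigalgs_demo).
-export([decode/1, usable/1, demo/0]).

%% HashAlgorithm code points from RFC 5246, 7.4.1.4.1.
hash(0) -> none;
hash(1) -> md5;
hash(2) -> sha1;
hash(3) -> sha224;
hash(4) -> sha256;
hash(5) -> sha384;
hash(6) -> sha512;
%% Catch-all clause: without it, hash(239) exits with function_clause.
hash(N) when is_integer(N), N >= 0, N =< 255 -> {unknown, N}.

%% SignatureAlgorithm code points from the same section.
sign(0) -> anonymous;
sign(1) -> rsa;
sign(2) -> dsa;
sign(3) -> ecdsa;
sign(N) when is_integer(N), N >= 0, N =< 255 -> {unknown, N}.

%% Decode the body of a signature-algorithm list: a run of 2-byte pairs.
%% An odd-length body is reported as malformed rather than crashing.
decode(Bin) when is_binary(Bin), byte_size(Bin) rem 2 =:= 0 ->
    {ok, [{hash(H), sign(S)} || <<H:8, S:8>> <= Bin]};
decode(_) ->
    {error, malformed}.

%% Keep only pairs where both code points were recognised. Unknown values
%% are dropped, never coerced to none/anonymous. If nothing is left, the
%% caller gets an explicit error and can abort the handshake cleanly.
usable(Pairs) ->
    case [P || {H, S} = P <- Pairs, is_atom(H), is_atom(S)] of
        []     -> {error, no_usable_signature_algorithm};
        Usable -> {ok, Usable}
    end.

%% Constructed sample: sha256/rsa, a pair carrying hash value 239, sha1/rsa.
demo() ->
    Sample = <<4,1, 239,1, 2,1>>,
    {ok, Pairs} = decode(Sample),
    {Pairs, usable(Pairs)}.
```

Compile with `c(sigalgs_demo).` in an Erlang shell and call `sigalgs_demo:demo().` to see the tagged pair next to the filtered list.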


