[erlang-questions] SSL connection problem

Andreas Schultz aschultz@REDACTED
Mon Jun 8 11:02:23 CEST 2015


Hi,

----- On 8 Jun, 2015, at 10:30, Ingela Andin ingela.andin@REDACTED wrote:

> I think the following patch would solve the problem, in a good way.
> 
> I am not sure why they send an invalid value instead of no value, but this way
> invalid values will be ignored and ssl will fallback to default values if there
> are no valid values in the extension.

Some more context on this, RFC 5246, Section 7.4.1.4.1 has this to say about
unknown values:

   Note: this extension is not meaningful for TLS versions prior to 1.2.
   Clients MUST NOT offer it if they are offering prior versions.
   However, even if clients do offer it, the rules specified in [TLSEXT]
   require servers to ignore extensions they do not understand.

Also, the Apple server sends the extension in question in a "Certificate Request",
with the actual value being: 0xEF 0xEF (in decimal 239,239). IANA's TLS extension
registry (http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml)
defines the range 224-255 for SignatureAlgorithm and HashAlgorithm as
"Reserved for Private Use". So it is perfectly valid for the server to send those.

Andreas

> diff --git a/lib/ssl/src/ssl_cipher.erl
> b/lib/ssl/src/ssl_cipher.erl
> index 8584e56..fd101ef 100644
> --- a/lib/ssl/src/ssl_cipher.erl
> +++ b/lib/ssl/src/ssl_cipher.erl
> @@ -1573,8 +1573,9 @@ hash_algorithm(?SHA) -> sha;
> hash_algorithm(?SHA224) -> sha224;
> hash_algorithm(?SHA256) -> sha256;
> hash_algorithm(?SHA384) -> sha384;
> -hash_algorithm(?SHA512) -> sha512.
> -
> +hash_algorithm(?SHA512) -> sha512;
> +hash_algorithm(_) -> undefined.
> +
> sign_algorithm(anon) -> ?ANON;
> sign_algorithm(rsa) -> ?RSA;
> sign_algorithm(dsa) -> ?DSA;
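Review bot: the new catch-all `hash_algorithm(_) -> undefined.` matches atoms as well as integers, so on the encode side (these mapping functions run in both directions, compare `sign_algorithm(anon) -> ?ANON` in the trailing context) an unrecognised atom now yields `undefined` instead of a function_clause and could be handed on to the encoder silently. Suggest restricting the clause to the decode direction, e.g. `hash_algorithm(Value) when is_integer(Value) -> undefined.`, so encode-side mistakes still fail loudly while unknown wire values are tolerated.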
> @@ -1582,7 +1583,8 @@ sign_algorithm(ecdsa) -> ?ECDSA;
> sign_algorithm(?ANON) -> anon;
> sign_algorithm(?RSA) -> rsa;
> sign_algorithm(?DSA) -> dsa;
> -sign_algorithm(?ECDSA) -> ecdsa.
> +sign_algorithm(?ECDSA) -> ecdsa;
> +sign_algorithm(_) -> undefined.
> 
> hash_size(null) ->
> 0;
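Review bot: `sign_algorithm(_) -> undefined.` has the same two-direction problem, and here both directions are visible in the hunk (`sign_algorithm(anon) -> ?ANON` and `sign_algorithm(?ANON) -> anon`): the wildcard also swallows an unknown atom passed from the encode path. Suggest `sign_algorithm(Value) when is_integer(Value) -> undefined.` and a unit test that feeds the 239,239 pair from the report through the decoder to pin the tolerant behaviour.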
> diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
> index 12a17cb..32da478 100644
> --- a/lib/ssl/src/ssl_handshake.erl
> +++ b/lib/ssl/src/ssl_handshake.erl
> @@ -587,7 +587,11 @@ select_hashsign(#hash_sign_algos{hash_sign_algos =
> HashSigns}, Cert, {Major, Min
> #'OTPCertificate'{tbsCertificate = TBSCert} =public_key:pkix_decode_cert(Cert,
> otp),
> #'OTPSubjectPublicKeyInfo'{algorithm = {_,Algo, _}} =
> TBSCert#'OTPTBSCertificate'.subjectPublicKeyInfo,
> DefaultHashSign = {_, Sign} = select_hashsign_algs(undefined, Algo, Version),
> - case lists:filter(fun({sha, dsa}) ->
> + case lists:filter(fun({_, undefined}) -> %% ignore invalid extension signature
> values
> + false;
> + ({undefined, _}) -> %% ignore invalid extension hash values
> + false;
> + ({sha, dsa}) ->
> true;
> ({_, dsa}) ->
> false;
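Review bot: the two new filter clauses drop pairs with an undefined half, but the hunk does not show the branch taken when every offered pair is filtered out, which is exactly the reported case (the server offered only {239,239}); the cover message says the code then falls back to DefaultHashSign, so confirm that the empty-list result of this `lists:filter` reaches that default and add a test for it. Also consider rewording the `%% ignore invalid extension ... values` comments: values in 224-255 are IANA "Reserved for Private Use", so "unknown or private-use" is more accurate than "invalid", and a debug-level log when pairs are discarded would help diagnose the next server that sends such values.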
> 
> Regards Ingela Erlang/OTP team - Ericsson AB
> 
> 
> 
> 
> 2015-06-07 17:12 GMT+02:00 Denis Justinek < denis.justinek@REDACTED > :
> 
> 
> 
> Hello!
> 
> For the last few days I started experiencing problems when connecting to Apple
> Push Notification Service (APNS) with
> Erlang's SSL.
> 
> When trying to connect I encounter the following error:
> 
> ** exception exit: {{function_clause,[{ssl_cipher,hash_algorithm,"ï",
> [{file,"ssl_cipher.erl"},{line,1196}]},
> {ssl_handshake,'-decode_handshake/3-lc$^0/1-0-',1,
> [{file,"ssl_handshake.erl"},{line,945}]},
> {ssl_handshake,'-decode_handshake/3-lc$^0/1-0-',1,
> [{file,"ssl_handshake.erl"},{line,946}]},
> {ssl_handshake,decode_handshake,3,
> [{file,"ssl_handshake.erl"},{line,945}]},
> {tls_handshake,get_tls_handshake_aux,3,
> [{file,"tls_handshake.erl"},{line,155}]},
> {tls_connection,next_state,4,
> [{file,"tls_connection.erl"},{line,433}]},
> {tls_connection,next_state,4,
> [{file,"tls_connection.erl"},{line,437}]},
> {gen_fsm,handle_msg,7,[{file,"gen_fsm.erl"},{line,503}]}]},
> {gen_fsm,sync_send_all_state_event,
> [<0.1221.0>,{start,1000},infinity]}}
> in function gen_fsm:sync_send_all_state_event/3 (gen_fsm.erl, line 242)
> in call from ssl_connection:sync_send_all_state_event/2 (ssl_connection.erl,
> line 1654)
> in call from ssl_connection:handshake/2 (ssl_connection.erl, line 101)
> in call from tls_connection:start_fsm/8 (tls_connection.erl, line 81)
> in call from ssl_connection:connect/8 (ssl_connection.erl, line 71)
> 16:53:13.961 <0.1221.0> Undefined Undefined [error] gen_fsm <0.1221.0> in state
> certify terminated with reason: no function clause matching
> ssl_cipher:hash_algorithm(239) line 1196
> 16:53:13.964 <0.1221.0> Undefined Undefined [error] CRASH REPORT Process
> <0.1221.0> with 0 neighbours exited with reason: no function clause matching
> ssl_cipher:hash_algorithm(239) line 1196 in gen_fsm:terminate/7 line 611
> 16:53:13.965 <0.174.0> Undefined Undefined [error] Supervisor tls_connection_sup
> had child undefined started with {tls_connection,start_link,undefined} at
> <0.1221.0> exit with reason no function clause matching
> ssl_cipher:hash_algorithm(239) line 1196 in context child_terminated
> 
> Steps to reproduce (you need an APNS certificate for this):
> 
> application:ensure_all_started(ssl).
> Address = " gateway.sandbox.push.apple.com ".
> Port = 2195.
> Cert = "cert.pem".
> CertPass = "*****".
> Options1 = [{certfile,Cert},{password,CertPass},{mode,binary}].
> Timeout = 1000.
> {ok,Socket} = ssl:connect(Address, Port, Options1, Timeout).
> 
> If we try to connect with the same certificate by using OpenSSL from the command
> line (s_client) it works fine with no errors.
> 
> Terminal command: openssl s_client -connect gateway.sandbox.push.apple.com:2195
> -cert cert.pem -debug
> Enter pass phrase for cert.pem:
> CONNECTED(00000003)
> ...
> Certificate chain
> 0 s:/C=US/ST=California/L=Cupertino/O=Apple Inc./CN=
> gateway.sandbox.push.apple.com
> i:/C=US/O=Entrust, Inc./OU= www.entrust.net/rpa is incorporated by
> reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
> 1 s:/C=US/O=Entrust, Inc./OU= www.entrust.net/rpa is incorporated by
> reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
> i:/O=Entrust.net/OU= www.entrust.net/CPS_2048 incorp. by ref. (limits
> liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority
> (2048)
> ---
> ...
> subject=/C=US/ST=California/L=Cupertino/O=Apple Inc./CN=
> gateway.sandbox.push.apple.com
> issuer=/C=US/O=Entrust, Inc./OU= www.entrust.net/rpa is incorporated by
> reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 2760 bytes and written 2363 bytes
> ---
> New, TLSv1/SSLv3, Cipher is AES256-SHA
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
> Protocol : TLSv1
> Cipher : AES256-SHA
> Session-ID:
> Session-ID-ctx:
> Master-Key: ...
> Key-Arg : None
> Start Time: 1433689177
> Timeout : 300 (sec)
> Verify return code: 0 (ok)
> ---
> 
> Is this an issue with the Erlang SSL module? How can it be mitigated?
> 
> This can be reproduced on OSX and Linux - Erlang 17.4.
> 
> With regards,
> Denis
> 
> _______________________________________________
> erlang-questions mailing list
> erlang-questions@REDACTED
> http://erlang.org/mailman/listinfo/erlang-questions
> 
> 
> 

-- 
Dipl. Inform.
Andreas Schultz

email: as@REDACTED
phone: +49-391-819099-224
mobil: +49-170-2226073

------------------- enabling your networks -------------------

Travelping GmbH               phone:         +49-391-819099229
Roentgenstr. 13               fax:           +49-391-819099299
D-39108 Magdeburg             email:       info@REDACTED
GERMANY                       web:   http://www.travelping.com

Company Registration: Amtsgericht Stendal Reg No.:   HRB 10578
Geschaeftsfuehrer: Holger Winkelmann | VAT ID No.: DE236673780
--------------------------------------------------------------
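A tolerant decoder for the signature_algorithms list discussed in this thread, added here as an example; it is not part of the thread, nor of OTP's ssl application. The module name sigalgs, the functions decode/1, select/2 and demo/0, and the sample byte strings are assumptions constructed for the example. It mirrors the idea of the patch above: wire values that are unknown or in the private-use range 224-255 map to `undefined` rather than raising function_clause, pairs with an undefined half are ignored, and when nothing usable remains the selection falls back to {sha, KeyAlgo}, the default RFC 5246 prescribes when a peer sends no extension at all.

```erlang
%% sigalgs.erl -- added example, not OTP code.
%% Tolerant decoding of a TLS 1.2 supported_signature_algorithms vector
%% (RFC 5246, 7.4.1.4.1): a 2-byte length followed by <<Hash:8, Sign:8>> pairs.
-module(sigalgs).
-export([decode/1, select/2, demo/0]).

%% Hash and signature code points from the IANA TLS registry.
-define(MD5, 1).
-define(SHA, 2).
-define(SHA224, 3).
-define(SHA256, 4).
-define(SHA384, 5).
-define(SHA512, 6).

-define(ANON, 0).
-define(RSA, 1).
-define(DSA, 2).
-define(ECDSA, 3).

%% Wire value -> atom. Unknown and private-use (224-255) values give
%% 'undefined' instead of a function_clause crash. The guard keeps the
%% clause on the decode side only: a bad atom from an encoder still fails.
hash_algorithm(?MD5) -> md5;
hash_algorithm(?SHA) -> sha;
hash_algorithm(?SHA224) -> sha224;
hash_algorithm(?SHA256) -> sha256;
hash_algorithm(?SHA384) -> sha384;
hash_algorithm(?SHA512) -> sha512;
hash_algorithm(V) when is_integer(V), V >= 0, V =< 255 -> undefined.

sign_algorithm(?ANON) -> anon;
sign_algorithm(?RSA) -> rsa;
sign_algorithm(?DSA) -> dsa;
sign_algorithm(?ECDSA) -> ecdsa;
sign_algorithm(V) when is_integer(V), V >= 0, V =< 255 -> undefined.

%% decode/1: the vector as sent on the wire. An odd length is malformed
%% (pairs are always two bytes), so it is rejected rather than guessed at.
decode(<<Len:16, Pairs:Len/binary, _Rest/binary>>) when Len rem 2 =:= 0 ->
    [{hash_algorithm(H), sign_algorithm(S)} || <<H:8, S:8>> <= Pairs];
decode(_) ->
    {error, malformed_signature_algorithms}.

%% select/2: pick the first pair usable with a certificate whose key is of
%% type KeyAlgo (rsa | dsa | ecdsa). Pairs with an undefined half are
%% ignored; if nothing is left, fall back to {sha, KeyAlgo}, the RFC 5246
%% default for a peer that sent no signature_algorithms extension.
select(Decoded, KeyAlgo) when is_list(Decoded) ->
    Usable = [HS || {H, S} = HS <- Decoded,
                    H =/= undefined, S =/= undefined, S =:= KeyAlgo],
    case Usable of
        [First | _] -> First;
        []          -> {sha, KeyAlgo}
    end.

%% demo/0: constructed sample vectors, not captured traffic.
demo() ->
    %% Only the private-use pair 0xEF,0xEF (239,239), as in the report:
    %% decodes to [{undefined,undefined}] and select/2 falls back to {sha,rsa}.
    PrivateOnly = <<2:16, 239, 239>>,
    %% A private-use pair followed by sha256/rsa and sha1/ecdsa:
    %% select/2 for an RSA key picks {sha256,rsa}.
    Mixed = <<6:16, 239, 239, 4, 1, 2, 3>>,
    %% A truncated (odd-length) vector is reported as malformed.
    Odd = <<3:16, 4, 1, 2>>,
    [{private_only, decode(PrivateOnly), select(decode(PrivateOnly), rsa)},
     {mixed,        decode(Mixed),       select(decode(Mixed), rsa)},
     {odd,          decode(Odd)}].
```

Compile with `erlc sigalgs.erl` and run `sigalgs:demo().` in a shell; the guard on the catch-all clauses is the one deliberate departure from the patch quoted above, so that the tolerant behaviour applies only to bytes read off the wire.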


