[erlang-questions] SSL connection problem

Ingela Andin ingela.andin@REDACTED
Mon Jun 8 15:08:37 CEST 2015


Hi!

Ok, the following patch should take away the crash and hopefully make it
possible to negotiate a valid connection (without making things unsafe),
in the short perspective. In a longer perspective we probably will want to
add some kind of callbacks to let the application handle proprietary
algorithms in the certificate-request and in the client hello. We will
also consider adding code for ignoring valid but currently not specified
codes.


diff --git a/lib/ssl/src/ssl_cipher.erl b/lib/ssl/src/ssl_cipher.erl
index 3ed53b7..0039f24 100644
--- a/lib/ssl/src/ssl_cipher.erl
+++ b/lib/ssl/src/ssl_cipher.erl
@@ -1574,8 +1574,8 @@ hash_algorithm(?SHA224) -> sha224;
 hash_algorithm(?SHA256) -> sha256;
 hash_algorithm(?SHA384) -> sha384;
 hash_algorithm(?SHA512) -> sha512;
-hash_algorithm(Other) when is_integer(Other) -> Other.
-
+hash_algorithm(Other)  when is_integer(Other) andalso ((Other >= 224) and
(Other =< 255)) -> Other.
+
 sign_algorithm(anon)  -> ?ANON;
 sign_algorithm(rsa)   -> ?RSA;
 sign_algorithm(dsa)   -> ?DSA;
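
Review bot: In the new `hash_algorithm(Other)` clause, an integer outside 224..255 that is not one of the named codes now matches no clause, so decoding it raises `function_clause` where the removed clause returned the value; if a peer can send such a code, add a final clause or have the caller skip the pair. The bounds 224 and 255 are also unexplained in the hunk: a one-line comment or a macro naming the range would document why exactly these values are let through.
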
@@ -1584,7 +1584,7 @@ sign_algorithm(?ANON) -> anon;
 sign_algorithm(?RSA) -> rsa;
 sign_algorithm(?DSA) -> dsa;
 sign_algorithm(?ECDSA) -> ecdsa;
-sign_algorithm(Other) when is_integer(Other) -> Other.
+sign_algorithm(Other) when is_integer(Other) andalso ((Other >= 224) and
(Other =< 255)) -> Other.

 hash_size(null) ->
     0;
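
Review bot: The guard on `sign_algorithm(Other)` duplicates the one on `hash_algorithm(Other)` and mixes `andalso` with the non-short-circuit `and`; a plain guard sequence reads better and keeps both clauses identical: `when is_integer(Other), Other >= 224, Other =< 255`. As mailed, the added line is wrapped onto a second line, so it has to be rejoined before the patch will apply.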

Regards Ingela Erlang/OTP Team - Ericsson AB

2015-06-08 12:20 GMT+02:00 Evgeny Khramtsov <xramtsov@REDACTED>:

> Mon, 8 Jun 2015 09:02:23 +0000 (UTC)
> Andreas Schultz <aschultz@REDACTED> wrote:
>
> > Also, the Apple server sends the extension in question in a
> > "Certificate Request", with the actual value being: 0xEF 0xEF (in
> > decimal 239,239).
>
> In fact there are 3 undefined values in the request: 239, 238 and 237
> for both hash and signature algorithm. The complete sequence looks like
> this:
> [{sha512,rsa},
>  {sha512,dsa},
>  {sha512,ecdsa},
>  {239,239},
>  {sha384,rsa},
>  {sha384,dsa},
>  {sha384,ecdsa},
>  {sha256,rsa},
>  {sha256,dsa},
>  {sha256,ecdsa},
>  {238,238},
>  {237,237},
>  {sha224,rsa},
>  {sha224,dsa},
>  {sha224,ecdsa},
>  {sha,rsa},
>  {sha,dsa},
>  {sha,ecdsa}].
> _______________________________________________
> erlang-questions mailing list
> erlang-questions@REDACTED
> http://erlang.org/mailman/listinfo/erlang-questions
>
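
An added example, not part of the thread and not code from OTP's ssl application: it decodes the (hash, signature) byte pairs of a supported_signature_algorithms list, keeps integers in 224..255 as raw values the way the patch does, and filters them out before selection so that neither they nor other unrecognised codes cause a crash. The module and function names and the sample bytes are constructed; the numeric code points are those of TLS 1.2 (RFC 5246).

```erlang
-module(sigalgs_example).
-export([decode/1, usable/1, demo/0]).

%% TLS 1.2 (RFC 5246) HashAlgorithm code points.
hash(0) -> none; hash(1) -> md5; hash(2) -> sha; hash(3) -> sha224;
hash(4) -> sha256; hash(5) -> sha384; hash(6) -> sha512;
%% Same range the patch accepts: keep the raw integer.
hash(N) when is_integer(N), N >= 224, N =< 255 -> N;
%% Anything else is marked instead of raising function_clause.
hash(_) -> unknown.

%% TLS 1.2 (RFC 5246) SignatureAlgorithm code points.
sign(0) -> anon; sign(1) -> rsa; sign(2) -> dsa; sign(3) -> ecdsa;
sign(N) when is_integer(N), N >= 224, N =< 255 -> N;
sign(_) -> unknown.

%% Decode the list body (after its length prefix): one byte for the
%% hash followed by one byte for the signature, repeated.
decode(Bin) when is_binary(Bin), byte_size(Bin) rem 2 =:= 0 ->
    [{hash(H), sign(S)} || <<H:8, S:8>> <= Bin].

%% Keep only pairs made of named algorithms, preserving the peer's
%% preference order; raw integers and 'unknown' are dropped.
usable(Pairs) ->
    [P || {H, S} = P <- Pairs,
          is_atom(H), is_atom(S),
          H =/= unknown, S =/= unknown].

demo() ->
    %% Constructed input: some of the pairs quoted above, plus one
    %% code (100) that lies outside 224..255.
    Bin = <<6,1, 239,239, 5,1, 238,238, 237,237, 100,100, 4,3>>,
    Decoded = decode(Bin),
    %% Decoded: [{sha512,rsa},{239,239},{sha384,rsa},{238,238},
    %%           {237,237},{unknown,unknown},{sha256,ecdsa}]
    %% usable(Decoded): [{sha512,rsa},{sha384,rsa},{sha256,ecdsa}]
    {Decoded, usable(Decoded)}.
```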