[erlang-questions] SSL handshake failure

Ingela Andin ingela.andin@REDACTED
Thu Dec 22 16:44:10 CET 2016


Hi!


Well maybe I did not understand the problem correctly then, I thought I had
found a potential problem but as I have nothing to test it against.  Can
you provide me with a site to test
against or maybe use tracing to  give me more info.  dbg:tracer().
dbg:p(all, [call]).  dbg:tpl(tls_handshake, get_tls_handshake, x).   Could
be a good way to start.rds


Regards Ingela


2016-12-22 16:29 GMT+01:00 Justin Wood <justin.k.wood@REDACTED>:

> Thank you for the patch Ingela. Unfortunately it did not fix my issue.
>
> If there is anything else I can provide to help figure this it, just let
> me know.
>
> On Thu, Dec 22, 2016 at 6:56 AM, Ingela Andin <ingela.andin@REDACTED>
> wrote:
>
>> Hi!
>>
>> I think this might be a timing bug. Can you try the following patch?
>>
>> Regards Ingela Erlang/OTP Team - Ericsson AB
>>
>> *diff --git a/lib/ssl/src/tls_connection.erl
>> b/lib/ssl/src/tls_connection.erl*
>>
>> *index 32991d3..e1f8e78 100644*
>>
>> *--- a/lib/ssl/src/tls_connection.erl*
>>
>> *+++ b/lib/ssl/src/tls_connection.erl*
>>
>> @@ -420,6 +420,7 @@ handle_common_event(internal, #alert{} = Alert,
>> StateName,
>>
>>  handle_common_event(internal,  #ssl_tls{type = ?HANDSHAKE, fragment =
>> Data},
>>
>>                     StateName, #state{protocol_buffers =
>>
>>                                           #protocol_buffers{tls_handshake_buffer
>> = Buf0} = Buffers,
>>
>> +                                      unprocessed_handshake_events =
>> NumUnprocessed,
>>
>>                                       negotiated_version = Version,
>>
>>                                       ssl_options = Options} = State0) ->
>>
>>      try
>>
>> @@ -432,7 +433,7 @@ handle_common_event(internal,  #ssl_tls{type =
>> ?HANDSHAKE, fragment = Data},
>>
>>             connection ->
>>
>>                 ssl_connection:hibernate_after(StateName, State, Events);
>>
>>             _ ->
>>
>> -               {next_state, StateName, State#state{unprocessed_handshake_events
>> = unprocessed_events(Events)}, Events}
>>
>> +               {next_state, StateName, State#state{unprocessed_handshake_events
>> = unprocessed_events(Events, NumUnprocessed)}, Events}
>>
>>         end
>>
>>      catch throw:#alert{} = Alert ->
>>
>>             ssl_connection:handle_own_alert(Alert, Version, StateName,
>> State0)
>>
>> @@ -615,8 +616,6 @@ next_event(StateName, Record, State, Actions) ->
>>
>>             {next_state, StateName, State, [{next_event, internal, Alert}
>> | Actions]}
>>
>>      end.
>>
>>
>>
>> -tls_handshake_events([]) ->
>>
>> -    throw(?ALERT_REC(?FATAL, ?HANDSHAKE_FAILURE, malformed_handshake));
>>
>>  tls_handshake_events(Packets) ->
>>
>>      lists:map(fun(Packet) ->
>>
>>                       {next_event, internal, {handshake, Packet}}
>>
>> @@ -727,8 +726,10 @@ gen_info(Event, StateName,
>> #state{negotiated_version = Version} = State) ->
>>
>>
>> malformed_handshake_data),
>>
>>                                             Version, StateName, State)
>>
>>      end.
>>
>> -
>>
>> -unprocessed_events(Events) ->
>>
>> +
>>
>> +unprocessed_events([], Unprocessed) ->
>>
>> +    Unprocessed;
>>
>> +unprocessed_events(Events, _) ->
>>
>>      %% The first handshake event will be processed immediately
>>
>>      %% as it is entered first in the event queue and
>>
>>      %% when it is processed there will be length(Events)-1
>>
>>
>>
>>
>> 2016-12-21 14:47 GMT+01:00 Justin Wood <justin.k.wood@REDACTED>:
>>
>>> After upgrading to Erlang OTP-19.2 and, in different requests, specified
>>> the version as one of tlsv1, tlsv1.1 or tlsv1.2. Every time I received the
>>> same error.
>>>
>>> I'm not sure if it is helpful at all, but I can replicate this on
>>> Windows, OSX 10.11 (El Capitan) and Ubuntu 14.04. I have not tried on other
>>> platforms.
>>>
>>> Is there any other information that I would be able to give that would
>>> be helpful?
>>>
>>> On Wed, Dec 21, 2016 at 3:38 AM, Technion <technion@REDACTED> wrote:
>>>
>>>> Hi Justin,
>>>>
>>>>
>>>> Is this earlier discussion relevant:
>>>>
>>>>
>>>> http://erlang.org/pipermail/erlang-questions/2016-November/090780.html
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> ------------------------------
>>>> *From:* erlang-questions-bounces@REDACTED <
>>>> erlang-questions-bounces@REDACTED> on behalf of Justin Wood <
>>>> justin.k.wood@REDACTED>
>>>> *Sent:* Wednesday, 21 December 2016 11:56 AM
>>>> *To:* erlang-questions@REDACTED
>>>> *Subject:* [erlang-questions] SSL handshake failure
>>>>
>>>> Hi there,
>>>>
>>>> I am attempting to use the ssl module in order to get a socket to a
>>>> remote server (MongoDB). I am using the following line of code (OTP 19)
>>>>
>>>> ssl:connect("my-server.net", 27017, [binary, {active, false}, {packet,
>>>> raw}], 5000).
>>>>
>>>> Whenever I use this, I get the following:
>>>>
>>>> =ERROR REPORT==== 20-Dec-2016::19:13:13 ===
>>>> SSL: certify: tls_connection.erl:603:Fatal error: handshake failure -
>>>> malformed_handshake
>>>> {error,{tls_alert,"handshake failure"}}
>>>>
>>>> Which lead me to look into erlang:get_stacktrace/0
>>>>
>>>> erlang:get_stacktrace().
>>>> [{tls_connection,start_fsm,8,
>>>>                  [{file,"tls_connection.erl"},{line,79}]},
>>>>  {ssl_connection,connect,8,
>>>>                  [{file,"ssl_connection.erl"},{line,84}]},
>>>>  {erl_eval,do_apply,6,[{file,"erl_eval.erl"},{line,674}]},
>>>>  {shell,exprs,7,[{file,"shell.erl"},{line,686}]},
>>>>  {shell,eval_exprs,7,[{file,"shell.erl"},{line,641}]},
>>>>  {shell,eval_loop,3,[{file,"shell.erl"},{line,626}]}]
>>>>
>>>> My problem is that the certificate that the server is using should be
>>>> legitimate. I can connect, without error, using other clients and languages.
>>>>
>>>> I took a look through Wireshark in order to try and figure out what is
>>>> going on and this is what I see.
>>>>
>>>> * The Client says hello and presents a list of cipher suites.
>>>> * The Server says hello and says that it wants to use
>>>> TLS_RSA_WITH_AES_256_GCM_SHA384 (This cipher is in the list that the
>>>> client sends)
>>>> * The Server sends the Client the certificates it is using (these both
>>>> appear to be signed by DigiCert).
>>>> * The Server sends an encrypted handshake message.
>>>> * The Client responds with a Fatal Alert stating a Handshake Failure.
>>>> * The Server sends another encrypted handshake message.
>>>>
>>>> I have verified that ssl:connect/4 is working fine as I can connect to
>>>> a number of different miscellaneous services (including a number of other
>>>> MongoDB instances).
>>>>
>>>> I was wondering if there is anything else I can do to try and figure
>>>> out why erlang does not allow this connection.
>>>>
>>>> Justin
>>>>
>>>
>>>
>>> _______________________________________________
>>> erlang-questions mailing list
>>> erlang-questions@REDACTED
>>> http://erlang.org/mailman/listinfo/erlang-questions
>>>
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20161222/dbc6cc82/attachment.htm>


More information about the erlang-questions mailing list