[erlang-questions] SSL handshake failure
Justin Wood
justin.k.wood@REDACTED
Thu Dec 22 16:29:11 CET 2016
Thank you for the patch Ingela. Unfortunately it did not fix my issue.
If there is anything else I can provide to help figure this it, just let me
know.
On Thu, Dec 22, 2016 at 6:56 AM, Ingela Andin <ingela.andin@REDACTED>
wrote:
> Hi!
>
> I think this might be a timing bug. Can you try the following patch?
>
> Regards Ingela Erlang/OTP Team - Ericsson AB
>
> *diff --git a/lib/ssl/src/tls_connection.erl
> b/lib/ssl/src/tls_connection.erl*
>
> *index 32991d3..e1f8e78 100644*
>
> *--- a/lib/ssl/src/tls_connection.erl*
>
> *+++ b/lib/ssl/src/tls_connection.erl*
>
> @@ -420,6 +420,7 @@ handle_common_event(internal, #alert{} = Alert,
> StateName,
>
> handle_common_event(internal, #ssl_tls{type = ?HANDSHAKE, fragment =
> Data},
>
> StateName, #state{protocol_buffers =
>
> #protocol_buffers{tls_handshake_buffer
> = Buf0} = Buffers,
>
> + unprocessed_handshake_events =
> NumUnprocessed,
>
> negotiated_version = Version,
>
> ssl_options = Options} = State0) ->
>
> try
>
> @@ -432,7 +433,7 @@ handle_common_event(internal, #ssl_tls{type =
> ?HANDSHAKE, fragment = Data},
>
> connection ->
>
> ssl_connection:hibernate_after(StateName, State, Events);
>
> _ ->
>
> - {next_state, StateName, State#state{unprocessed_handshake_events
> = unprocessed_events(Events)}, Events}
>
> + {next_state, StateName, State#state{unprocessed_handshake_events
> = unprocessed_events(Events, NumUnprocessed)}, Events}
>
> end
>
> catch throw:#alert{} = Alert ->
>
> ssl_connection:handle_own_alert(Alert, Version, StateName,
> State0)
>
> @@ -615,8 +616,6 @@ next_event(StateName, Record, State, Actions) ->
>
> {next_state, StateName, State, [{next_event, internal, Alert}
> | Actions]}
>
> end.
>
>
>
> -tls_handshake_events([]) ->
>
> - throw(?ALERT_REC(?FATAL, ?HANDSHAKE_FAILURE, malformed_handshake));
>
> tls_handshake_events(Packets) ->
>
> lists:map(fun(Packet) ->
>
> {next_event, internal, {handshake, Packet}}
>
> @@ -727,8 +726,10 @@ gen_info(Event, StateName, #state{negotiated_version
> = Version} = State) ->
>
>
> malformed_handshake_data),
>
> Version, StateName, State)
>
> end.
>
> -
>
> -unprocessed_events(Events) ->
>
> +
>
> +unprocessed_events([], Unprocessed) ->
>
> + Unprocessed;
>
> +unprocessed_events(Events, _) ->
>
> %% The first handshake event will be processed immediately
>
> %% as it is entered first in the event queue and
>
> %% when it is processed there will be length(Events)-1
>
>
>
>
> 2016-12-21 14:47 GMT+01:00 Justin Wood <justin.k.wood@REDACTED>:
>
>> After upgrading to Erlang OTP-19.2 and, in different requests, specified
>> the version as one of tlsv1, tlsv1.1 or tlsv1.2. Every time I received the
>> same error.
>>
>> I'm not sure if it is helpful at all, but I can replicate this on
>> Windows, OSX 10.11 (El Capitan) and Ubuntu 14.04. I have not tried on other
>> platforms.
>>
>> Is there any other information that I would be able to give that would be
>> helpful?
>>
>> On Wed, Dec 21, 2016 at 3:38 AM, Technion <technion@REDACTED> wrote:
>>
>>> Hi Justin,
>>>
>>>
>>> Is this earlier discussion relevant:
>>>
>>>
>>> http://erlang.org/pipermail/erlang-questions/2016-November/090780.html
>>>
>>>
>>>
>>>
>>>
>>> ------------------------------
>>> *From:* erlang-questions-bounces@REDACTED <
>>> erlang-questions-bounces@REDACTED> on behalf of Justin Wood <
>>> justin.k.wood@REDACTED>
>>> *Sent:* Wednesday, 21 December 2016 11:56 AM
>>> *To:* erlang-questions@REDACTED
>>> *Subject:* [erlang-questions] SSL handshake failure
>>>
>>> Hi there,
>>>
>>> I am attempting to use the ssl module in order to get a socket to a
>>> remote server (MongoDB). I am using the following line of code (OTP 19)
>>>
>>> ssl:connect("my-server.net", 27017, [binary, {active, false}, {packet,
>>> raw}], 5000).
>>>
>>> Whenever I use this, I get the following:
>>>
>>> =ERROR REPORT==== 20-Dec-2016::19:13:13 ===
>>> SSL: certify: tls_connection.erl:603:Fatal error: handshake failure -
>>> malformed_handshake
>>> {error,{tls_alert,"handshake failure"}}
>>>
>>> Which lead me to look into erlang:get_stacktrace/0
>>>
>>> erlang:get_stacktrace().
>>> [{tls_connection,start_fsm,8,
>>> [{file,"tls_connection.erl"},{line,79}]},
>>> {ssl_connection,connect,8,
>>> [{file,"ssl_connection.erl"},{line,84}]},
>>> {erl_eval,do_apply,6,[{file,"erl_eval.erl"},{line,674}]},
>>> {shell,exprs,7,[{file,"shell.erl"},{line,686}]},
>>> {shell,eval_exprs,7,[{file,"shell.erl"},{line,641}]},
>>> {shell,eval_loop,3,[{file,"shell.erl"},{line,626}]}]
>>>
>>> My problem is that the certificate that the server is using should be
>>> legitimate. I can connect, without error, using other clients and languages.
>>>
>>> I took a look through Wireshark in order to try and figure out what is
>>> going on and this is what I see.
>>>
>>> * The Client says hello and presents a list of cipher suites.
>>> * The Server says hello and says that it wants to use
>>> TLS_RSA_WITH_AES_256_GCM_SHA384 (This cipher is in the list that the
>>> client sends)
>>> * The Server sends the Client the certificates it is using (these both
>>> appear to be signed by DigiCert).
>>> * The Server sends an encrypted handshake message.
>>> * The Client responds with a Fatal Alert stating a Handshake Failure.
>>> * The Server sends another encrypted handshake message.
>>>
>>> I have verified that ssl:connect/4 is working fine as I can connect to a
>>> number of different miscellaneous services (including a number of other
>>> MongoDB instances).
>>>
>>> I was wondering if there is anything else I can do to try and figure out
>>> why erlang does not allow this connection.
>>>
>>> Justin
>>>
>>
>>
>> _______________________________________________
>> erlang-questions mailing list
>> erlang-questions@REDACTED
>> http://erlang.org/mailman/listinfo/erlang-questions
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20161222/f8e170db/attachment.htm>
More information about the erlang-questions
mailing list