[erlang-questions] Unexpected tls_alert "handshake failure" connecting to api.bitbucket.org (and others) with Erlang 18.3.4 (and later)

Jake Gordon jakesgordon@REDACTED
Mon Nov 7 16:07:31 CET 2016


Thanks Ben!

Yes, I was seeing the same thing with wireshark, the server was responding
with failed handshake immediately after the ClientHello, and yes, forcing
the connection to use tlsv1.2 for that endpoint does resolve the issue for
me.

For the record, I forced the tls version as follows...

> ssl:connect('api.bitbucket.org', 443, [{ versions, [ 'tlsv1.2' ] }]).

And, just to confirm I can also do that from the higher level Elixir
HTTPoison library...

iex> HTTPoison.request("GET", "https://api.bitbucket.org", "", [], ssl: [ versions: [ :'tlsv1.2' ] ])

Thank you!

- Jake


On Mon, Nov 7, 2016 at 2:31 AM, Ben Murphy <benmmurphy@REDACTED> wrote:

> Hi Jake,
>
> If you force TLSv1.2 it will connect correctly. We have had trouble
> with IIS servers returning connection_closed when they are using
> SHA256 certificate and we don't force TLSv1.2. More details here:
> http://erlang.org/pipermail/erlang-bugs/2016-September/005195.html .
> However, this server looks to be running nginx and a different error
> is returned so I'm not sure if it is the same issue. The handshake falls
> over after the client hello for me.
>
> It seems the only big difference between the hellos is the TLS version
> (maybe some nginx/openssl servers are dropping TLS1.0 traffic?) and
> the lack of signature algorithms.
>
> On Sun, Nov 6, 2016 at 9:53 PM, Jake Gordon <jakesgordon@REDACTED> wrote:
> > Hi All.
> >
> > I'm hoping to get some insight into a problem with ssl:connect (and
> > ultimately httpc:request) getting tls handshake errors connecting to some
> > (but not all) webservers even while other clients on the same machine
> > (cURL, Ruby Net::HTTP, etc) can connect just fine.
> >
> > I'm using Erlang 19.1.3, but this issue appears to have started with
> > 18.3.4 (earlier versions appear to work correctly)
> >
> > I'm trying to connect to a (correctly configured) public endpoint at
> > api.bitbucket.org
> >
> >   > ssl:connect('api.bitbucket.org', 443, []).
> >   {error,{tls_alert,"handshake failure"}}
> >
> > If I attempt to connect to a different endpoint, let's say api.github.com
> > it works just fine.
> >
> >   > ssl:connect('api.github.com', 443, []).
> >   {ok,{sslsocket, ... }}
> >
> > Since it's only *some* SSL endpoints, clearly there is some server side
> > certificate configuration causing the erlang client to behave differently
> > during the handshake, but I'm not sure how to diagnose this when cURL and
> > other language clients work correctly.
> >
> > I'm using a clean install of the esl-erlang packages provided by Erlang
> > Solutions on Ubuntu 16.04 and debugging with older versions it looks
> > like it broke somewhere around 18.3.4
> >
> > Any insights would be greatly appreciated!
> >
> > Thanks
> > - Jake
>
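
To see which protocol versions an endpoint accepts from the Erlang client, the `versions` option used in the thread can be applied one version at a time. This is an added example, not code from the thread or from OTP: the module name `tls_probe` and its functions are hypothetical, and `Host` is assumed to be passed as a string.

```erlang
%% Added example: offer a single TLS version per connection attempt and
%% record whether the handshake completes. Diagnostic only: it sets
%% verify_none, so it tests version negotiation and does not
%% authenticate the server.
-module(tls_probe).
-export([probe/2, probe/3, accepted/1]).

-define(VERSIONS, ['tlsv1', 'tlsv1.1', 'tlsv1.2']).
-define(TIMEOUT_MS, 5000).

%% probe("api.bitbucket.org", 443) ->
%%   [{Version, {ok, Info} | {error, Reason}}, ...]
probe(Host, Port) ->
    probe(Host, Port, ?VERSIONS).

probe(Host, Port, Versions) ->
    {ok, _} = application:ensure_all_started(ssl),
    [{V, attempt(Host, Port, V)} || V <- Versions].

%% One handshake with exactly one version offered in the ClientHello.
attempt(Host, Port, Version) ->
    Opts = [{versions, [Version]}, {verify, verify_none}],
    case ssl:connect(Host, Port, Opts, ?TIMEOUT_MS) of
        {ok, Socket} ->
            %% Ask the established connection which protocol was negotiated.
            Info = ssl:connection_information(Socket, [protocol]),
            _ = ssl:close(Socket),
            Info;
        {error, Reason} ->
            %% For example {tls_alert, "handshake failure"}, as in the thread.
            {error, Reason}
    end.

%% Versions whose handshake succeeded, in a form that can be passed
%% back as {versions, Accepted} on the real connection.
accepted(Results) ->
    [V || {V, {ok, _}} <- Results].
```

Comparing the per-version results for a failing host and a working host shows whether the server rejects the handshake by protocol version or for some other reason.
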

