[erlang-questions] ssl lib failed with alert
Ingela Andin
ingela.andin@REDACTED
Fri May 12 23:15:19 CEST 2017
Hi again!
On second thought, you did connect to an TLS server not to a
upgradeable tcp server as I was thinking about.
So your approach should work as it is was ssl internally does. Your site
does seem to require a server name indication though,
which you will get with ssl:connect .
{ok, Tcp} = gen_tcp:connect("httpbin.org", 443, [binary]).
{ok, Ssl} = ssl:connect(Tcp, [{server_name_indication,"httpbin.org"}],
30000).
works.
Regards Ingela Erlang/OTP team - Ericsson AB
2017-05-12 15:04 GMT+02:00 Ingela Andin <ingela.andin@REDACTED>:
> Hi!
>
> 2017-05-12 12:52 GMT+02:00 Dmitry Kolesnikov <dmkolesnikov@REDACTED>:
>
>> Hello,
>>
>> I hope Ingela and other bright people could help me to localize an issue
>> with ssl 8.1 at Erlang/OTP 19 [erts-8.2]. The issue listed below is
>> repeatable in shell and prod deployments.
>>
>> ```
>> ssl:start().
>> {ok, Tcp} = gen_tcp:connect("httpbin.org", 443, [binary]).
>> {ok, Ssl} = ssl:connect(Tcp, [], 30000).
>>
>> =ERROR REPORT==== 12-May-2017::13:34:21 ===
>> SSL: hello: ssl_alert.erl:88:Fatal error: internal error
>> ** exception error: no match of right hand side value
>> {error,{tls_alert,"internal error"}}
>> ```
>>
>> It is not clear the root cause of SSL alert. Why the remote side decline
>> SSL connection with ALERT 80? curl https://httpbin.org works.
>>
>>
> It is the server that sends the alert 80, which means that the server
> experienced an internal error.
>
> The following works fine:
>
> ssl:connect("httpbin.org", 443, []).
> {ok,{sslsocket,{gen_tcp,#Port<0.839>,tls_connection,
> undefined},
> <0.105.0>}}
>
>
> If you first want to manually start a tcp connection and then upgrade it
> to TLS the client and server need to somehow agree on this so that the
> server is ready to receive the TLS
> client hello when it is sent by the client. This is often referred to as
> STARTTLS and is used by a lot of protocols like FTPS.
>
> Regards Ingela Erlang/OTP Team Ericsson AB
>
>
>
>
>> curl Client Hello is following
>>
>> ```
>> TLSv1.2 Record Layer: Handshake Protocol: Client Hello
>> Content Type: Handshake (22)
>> Version: TLS 1.0 (0x0301)
>> Length: 224
>> Handshake Protocol: Client Hello
>> Handshake Type: Client Hello (1)
>> Length: 220
>> Version: TLS 1.2 (0x0303)
>> Random
>> Session ID Length: 0
>> Cipher Suites Length: 110
>> Cipher Suites (55 suites)
>> Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
>> Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
>> (0xc02c)
>> Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
>> (0xc02b)
>> Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
>> (0xc024)
>> Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
>> (0xc023)
>> Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
>> Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
>> Cipher Suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008)
>> Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
>> Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
>> Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
>> Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
>> Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
>> Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
>> Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
>> Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02e)
>> Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02d)
>> Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 (0xc026)
>> Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 (0xc025)
>> Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (0xc005)
>> Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004)
>> Cipher Suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc003)
>> Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 (0xc032)
>> Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 (0xc031)
>> Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 (0xc02a)
>> Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 (0xc029)
>> Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (0xc00f)
>> Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e)
>> Cipher Suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA (0xc00d)
>> Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
>> Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
>> Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)
>> Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
>> Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
>> Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
>> Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
>> Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
>> Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
>> Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
>> Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
>> Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
>> Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
>> Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
>> Cipher Suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007)
>> Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
>> Cipher Suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA (0xc002)
>> Cipher Suite: TLS_ECDH_RSA_WITH_RC4_128_SHA (0xc00c)
>> Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
>> Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
>> Cipher Suite: TLS_PSK_WITH_AES_256_CBC_SHA384 (0x00af)
>> Cipher Suite: TLS_PSK_WITH_AES_128_CBC_SHA256 (0x00ae)
>> Cipher Suite: TLS_PSK_WITH_AES_256_CBC_SHA (0x008d)
>> Cipher Suite: TLS_PSK_WITH_AES_128_CBC_SHA (0x008c)
>> Cipher Suite: TLS_PSK_WITH_RC4_128_SHA (0x008a)
>> Cipher Suite: TLS_PSK_WITH_3DES_EDE_CBC_SHA (0x008b)
>> Compression Methods Length: 1
>> Compression Methods (1 method)
>> Extensions Length: 69
>> Extension: server_name
>> Extension: elliptic_curves
>> Extension: ec_point_formats
>> Extension: signature_algorithms
>> Extension: status_request
>> Extension: signed_certificate_timestamp
>> ```
>>
>> OTP ssl lib Client Hello is following
>>
>> ```
>> TLSv1.2 Record Layer: Handshake Protocol: Client Hello
>> Content Type: Handshake (22)
>> Version: TLS 1.0 (0x0301)
>> Length: 213
>> Handshake Protocol: Client Hello
>> Handshake Type: Client Hello (1)
>> Length: 209
>> Version: TLS 1.2 (0x0303)
>> Random
>> Session ID Length: 0
>> Cipher Suites Length: 100
>> Cipher Suites (50 suites)
>> Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
>> Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
>> (0xc02c)
>> Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
>> Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
>> (0xc024)
>> Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
>> Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02e)
>> Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 (0xc032)
>> Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 (0xc026)
>> Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 (0xc02a)
>> Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
>> Cipher Suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 (0x00a3)
>> Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)
>> Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (0x006a)
>> Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
>> Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
>> Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
>> (0xc02b)
>> Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
>> Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
>> (0xc023)
>> Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
>> Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02d)
>> Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 (0xc031)
>> Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 (0xc025)
>> Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 (0xc029)
>> Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
>> Cipher Suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (0x00a2)
>> Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
>> Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x0040)
>> Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
>> Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
>> Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
>> Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
>> Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
>> Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
>> Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (0xc005)
>> Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (0xc00f)
>> Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
>> Cipher Suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008)
>> Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
>> Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
>> Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
>> Cipher Suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc003)
>> Cipher Suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA (0xc00d)
>> Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
>> Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
>> Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
>> Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
>> Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
>> Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004)
>> Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e)
>> Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
>> Compression Methods Length: 1
>> Compression Methods (1 method)
>> Extensions Length: 68
>> Extension: elliptic_curves
>> Extension: ec_point_formats
>> ```
>>
>> In case of curl the following Server Hello is send back
>> ```
>> TLSv1.2 Record Layer: Handshake Protocol: Server Hello
>> Content Type: Handshake (22)
>> Version: TLS 1.2 (0x0303)
>> Length: 87
>> Handshake Protocol: Server Hello
>> Handshake Type: Server Hello (2)
>> Length: 83
>> Version: TLS 1.2 (0x0303)
>> Random
>> Session ID Length: 32
>> Session ID: bbc2e52ca6918654931096e223825a4a173780c8d010837d...
>> Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
>> Compression Method: null (0)
>> Extensions Length: 11
>> Extension: ec_point_formats
>> Extension: renegotiation_info
>> ```
>>
>> I can restrict ssl lib to work with TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
>> but it fails as well.
>>
>> ```
>> {ok, Tcp} = gen_tcp:connect("httpbin.org", 443, [binary]).
>> {ok, Ssl} = ssl:connect(Tcp, [{ciphers, [{ecdhe_rsa,aes_128_gcm,null,sha256}]}],
>> 30000).
>>
>> =ERROR REPORT==== 12-May-2017::13:49:28 ===
>> SSL: hello: ssl_alert.erl:88:Fatal error: internal error
>> ** exception error: no match of right hand side value
>> {error,{tls_alert,"internal error"}}
>> ```
>>
>> Thanks you in advanced!
>>
>> Best Regards,
>> Dmitry
>>
>>
>> _______________________________________________
>> erlang-questions mailing list
>> erlang-questions@REDACTED
>> http://erlang.org/mailman/listinfo/erlang-questions
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20170512/7f07b972/attachment.htm>
More information about the erlang-questions
mailing list