[erlang-questions] How to downgrade a TLS connection to TCP without an TLS Alert exchange

Ingela Andin ingela.andin@REDACTED
Wed Oct 25 18:06:25 CEST 2017 

Hi!

2017-10-24 11:38 GMT+02:00 Rob A'Court <saintderanged.web@REDACTED>:

> Hi
>
> Is there a way to downgrade a TLS connection to TCP without an TLS Alert
> exchange in Erlang/Elixir?
>


No! That would break the TLS protocol:

FROM the RFC.

  "If the application protocol using TLS provides that any data may be
   carried over the underlying transport after the TLS connection is
   closed, the TLS implementation must receive the responding
   close_notify alert before indicating to the application layer that

      the TLS connection has ended. "



To give a bit of context: We've implemented the MS-TDS protocol (used by
> Microsoft SQL Server) using Elixir and the ssl and gen_tcp libraries. A TDS
> connection typically is unencrypted apart from the login. It starts
> unencrypted with a prelogin handshake, after that comes the TLS handshake,
> and encrypted login packet is sent and then all further packets are
> unencrypted.
>
> Using :ssl.close to downgrade the socket to TCP expects a TLS alert
> exchange to end the SSL connection however TDS does not expect or support
> TLS alerts, it simply goes back to being unencrypted after the login. I
> appreciate this is not standard TLS but I'm not expecting to change
> Microsoft's protocol to SQL Server any time soon!
>
> Currently we stop encryption by sending data directly to the TCP socket
> and changing the controlling process of the TCP socket to our receiving
> process. This works however it leaves the ssl_connection process hanging
> around. It monitors our receiving process and if that process dies a TLS
> alert is sent which TDS is not expecting. The alert is only sent in some
> teardown scenarios but it just seems rather messy. We're wondering if
> there's a better way to approach our problem?
>


Not any clean way that I can think of, but you might be a able to make an
unclean one if you are willing to do what you describe above, which is  not
very clean.


Regards Ingela Erlang/OTP Team - Ericsson AB


> Many thanks
>
> Rob
>
> _______________________________________________
> erlang-questions mailing list
> erlang-questions@REDACTED
> http://erlang.org/mailman/listinfo/erlang-questions
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20171025/a91f5321/attachment.htm>

More information about the erlang-questions mailing list