[erlang-questions] How to downgrade a TLS connection to TCP without a TLS Alert exchange

Ingela Andin ingela.andin@REDACTED
Wed Oct 25 18:06:25 CEST 2017


2017-10-24 11:38 GMT+02:00 Rob A'Court <saintderanged.web@REDACTED>:

> Hi
> Is there a way to downgrade a TLS connection to TCP without a TLS Alert
> exchange in Erlang/Elixir?

No! That would break the TLS protocol:

  "If the application protocol using TLS provides that any data may be
   carried over the underlying transport after the TLS connection is
   closed, the TLS implementation must receive the responding
   close_notify alert before indicating to the application layer that
   the TLS connection has ended."

> To give a bit of context: We've implemented the MS-TDS protocol (used by
> Microsoft SQL Server) using Elixir and the ssl and gen_tcp libraries. A TDS
> connection typically is unencrypted apart from the login. It starts
> unencrypted with a prelogin handshake, after that comes the TLS handshake,
> an encrypted login packet is sent and then all further packets are
> unencrypted.
> Using :ssl.close to downgrade the socket to TCP expects a TLS alert
> exchange to end the SSL connection; however, TDS does not expect or support
> TLS alerts, it simply goes back to being unencrypted after the login. I
> appreciate this is not standard TLS but I'm not expecting to change
> Microsoft's protocol to SQL Server any time soon!
> Currently we stop encryption by sending data directly to the TCP socket
> and changing the controlling process of the TCP socket to our receiving
> process. This works however it leaves the ssl_connection process hanging
> around. It monitors our receiving process and if that process dies a TLS
> alert is sent which TDS is not expecting. The alert is only sent in some
> teardown scenarios but it just seems rather messy. We're wondering if
> there's a better way to approach our problem?

Not any clean way that I can think of, but you might be able to make an
unclean one if you are willing to do what you describe above, which is not
very clean.

Regards, Ingela
Erlang/OTP Team - Ericsson AB

> Many thanks
> Rob
> _______________________________________________
> erlang-questions mailing list
> erlang-questions@REDACTED
> http://erlang.org/mailman/listinfo/erlang-questions
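As an added illustration (not code from this thread, nor from the OTP ssl application itself), the following Erlang module shows the standards-conforming path the reply refers to: upgrade an existing gen_tcp socket to TLS with ssl:connect/3, exchange a protected message, then downgrade with ssl:close/2 using the {NewController, Timeout} form, which performs the close_notify exchange and hands back the bare TCP port. The host, port, the "PRELOGIN"/"LOGIN"/"PLAIN-AGAIN" messages and the CA file path are constructed placeholders for a toy peer that actually answers the close alert; a real TDS peer, as described in the thread, wraps the TLS handshake in TDS packets and never sends close_notify, so against such a peer the downgrade call below would time out rather than return the socket, which is exactly the problem the question raises.

```erlang
%% Added example, not part of the erlang-questions thread. Demonstrates the
%% sanctioned TLS -> TCP downgrade in OTP's ssl application. All message
%% contents, the host/port and the CA path are constructed placeholders.
-module(tls_downgrade_example).
-export([run/2]).

%% Host is a hostname string, Port an integer. Returns the peer's reply to
%% the first plaintext message sent after the downgrade, or an error tuple.
run(Host, Port) ->
    ok = ssl:start(),

    %% Phase 1: plaintext pre-login traffic on an ordinary gen_tcp socket.
    {ok, Tcp} = gen_tcp:connect(Host, Port,
                                [binary, {active, false}, {packet, 0}]),
    ok = gen_tcp:send(Tcp, <<"PRELOGIN\n">>),
    {ok, <<"PRELOGIN-OK\n">>} = gen_tcp:recv(Tcp, 0, 5000),

    %% Phase 2: upgrade the same TCP socket to TLS. Because the socket, not a
    %% hostname, is passed, SNI/hostname checking must be requested explicitly.
    %% The cacertfile path is a placeholder; verify_peer keeps the upgrade
    %% from silently accepting an unauthenticated server.
    TlsOpts = [{verify, verify_peer},
               {cacertfile, "/path/to/ca.pem"},        % placeholder
               {server_name_indication, Host},
               {active, false}],
    {ok, Tls} = ssl:connect(Tcp, TlsOpts, 5000),
    ok = ssl:send(Tls, <<"LOGIN\n">>),
    {ok, <<"LOGIN-OK\n">>} = ssl:recv(Tls, 0, 5000),

    %% Phase 3: downgrade. With {NewController, Timeout}, ssl:close/2 sends
    %% close_notify, waits for the peer's close_notify, and then returns the
    %% underlying port with [{active,false},{packet,0},{mode,binary}] set and
    %% NewController as its controlling process. A peer that never answers
    %% with close_notify (the TDS behaviour described in the thread) makes
    %% this return an error tuple after the timeout instead of {ok, Port}.
    case ssl:close(Tls, {self(), 5000}) of
        {ok, Tcp2} ->
            ok = gen_tcp:send(Tcp2, <<"PLAIN-AGAIN\n">>),
            Reply = gen_tcp:recv(Tcp2, 0, 5000),
            ok = gen_tcp:close(Tcp2),
            Reply;
        {error, Reason} ->
            {error, {downgrade_failed, Reason}}
    end.
```

The value of going through ssl:close/2 rather than writing to the raw port behind the TLS socket is that the ssl connection process is torn down cleanly, so no lingering process can later emit an unexpected alert on the transport; the cost is that it only works when the peer implements the close_notify exchange the quoted RFC text requires.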