[erlang-questions] Errors with ADH algorithms (using ranch)
Chris Dutton
chris@REDACTED
Tue Jan 23 18:05:35 CET 2018
Note: Also posted to https://github.com/ninenines/ranch/issues/179 which might have better formatting.
I am trying to implement ADH algorithms but have been stuck and can’t seem to find anything to help…
Here is my code and issues:
(Note: This is Elixir code calling to cowboy which I am told calls to ssl)
# Route "/" to this module as the cowboy handler.
dispatch = :cowboy_router.compile([{:_, [
  {"/", __MODULE__, initial_state}
]}])

# TLS listener; the option list is passed through ranch to ssl.
{:ok, pid} = :cowboy.start_tls(
  __MODULE__,
  [
    :inet6,
    {:port, @http_port},
    {:cacertfile, String.to_charlist(Path.join(priv_dir, "ssl/cowboy-ca.crt"))},
    {:certfile, String.to_charlist(Path.join(priv_dir, "ssl/server.crt"))},
    {:keyfile, String.to_charlist(Path.join(priv_dir, "ssl/server.key"))},
    # One RSA suite plus two anonymous Diffie-Hellman (ADH) suites.
    {:ciphers, [{:rsa, :aes_128_gcm, :null, :sha256}, {:dh_anon, :aes_256_cbc, :sha256}, {:dh_anon, :aes_256_gcm, :null, :sha384}]},
    {:dhfile, String.to_charlist(Path.join(priv_dir, "ssl/dh.pem"))},
    {:versions, [String.to_atom("tlsv1.2")]}
  ],
  %{
    env: %{dispatch: dispatch}
  }
)
but always seem to get the error
08:40:45.886 [info] ['TLS', 32, 'server', 58, 32, 73, 110, 32, 115, 116, 97, 116, 101, 32, 'certify', 32, 'received CLIENT ALERT: Fatal - Decode Error', 10]
which corresponds to the client giving error
curl: (35) error:1408D099:SSL routines:SSL3_GET_KEY_EXCHANGE:extra data in message
I have tried other ciphers and am able to establish a TLS connection. Here are some example curl requests:
Chriss-MacBook-Pro:~ chris$ curl -v --insecure --ciphers AES128-GCM-SHA256 https://localhost:8002
* Rebuilt URL to: https://localhost:8002/
* Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 8002 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: AES128-GCM-SHA256
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
* subject: C=US; ST=Texas; O=Nine Nines; OU=Cowboy; CN=localhost
* start date: Feb 28 05:23:34 2013 GMT
* expire date: Feb 23 05:23:34 2033 GMT
* issuer: C=US; ST=Texas; O=Nine Nines; OU=Cowboy; CN=ROOT CA
* SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7feba8805800)
> GET / HTTP/2
> Host: localhost:8002
> User-Agent: curl/7.54.0
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2 200
< content-length: 0
< content-type: application/json
< date: Tue, 23 Jan 2018 16:40:35 GMT
< server: Cowboy
<
* Connection #0 to host localhost left intact
Chriss-MacBook-Pro:~ chris$ curl -v --insecure --ciphers ADH-AES256-SHA256 https://localhost:8002
* Rebuilt URL to: https://localhost:8002/
* Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 8002 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ADH-AES256-SHA256
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (OUT), TLS alert, Server hello (2):
* error:1408D099:SSL routines:SSL3_GET_KEY_EXCHANGE:extra data in message
* stopped the pause stream!
* Closing connection 0
curl: (35) error:1408D099:SSL routines:SSL3_GET_KEY_EXCHANGE:extra data in message
Chriss-MacBook-Pro:~ chris$ curl -v --insecure --ciphers ADH-AES256-GCM-SHA384 https://localhost:8002
* Rebuilt URL to: https://localhost:8002/
* Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 8002 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ADH-AES256-GCM-SHA384
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (OUT), TLS alert, Server hello (2):
* error:1408D099:SSL routines:SSL3_GET_KEY_EXCHANGE:extra data in message
* stopped the pause stream!
* Closing connection 0
curl: (35) error:1408D099:SSL routines:SSL3_GET_KEY_EXCHANGE:extra data in message
Am I missing something?
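
Added example (not part of the original post, and not code from ranch, cowboy or OTP): in TLS 1.2 a DH_anon ServerKeyExchange body carries only ServerDHParams (dh_p, dh_g, dh_Ys), and OpenSSL raises "extra data in message" when bytes remain after them. This Python parser checks a captured body (the bytes after the 4-byte handshake header) for that condition; the sample bytes are constructed with toy-sized values, the function names are hypothetical, and nothing here asserts what the server in the post actually sent.

```python
import struct


class MalformedKeyExchange(ValueError):
    """Raised when a length prefix is missing, zero, or overruns the body."""


def read_vec16(buf, off, name):
    """Read one opaque<1..2^16-1> vector: 2-byte big-endian length, then data."""
    if off + 2 > len(buf):
        raise MalformedKeyExchange(f"{name}: missing length prefix")
    (n,) = struct.unpack_from("!H", buf, off)
    off += 2
    if n == 0 or off + n > len(buf):
        raise MalformedKeyExchange(f"{name}: bad length {n}")
    return buf[off:off + n], off + n


def parse_dh_anon_ske(body):
    """Parse a DH_anon ServerKeyExchange body (RFC 5246, section 7.4.3).

    Returns (params, trailing). For dh_anon the body must end after dh_Ys,
    so non-empty trailing bytes are what a strict client rejects.
    """
    off = 0
    params = {}
    for name in ("dh_p", "dh_g", "dh_Ys"):
        params[name], off = read_vec16(body, off, name)
    return params, body[off:]


def vec16(data):
    """Encode data as a 2-byte length-prefixed vector."""
    return struct.pack("!H", len(data)) + data


# Constructed sample input: toy 16-byte values, not real DH parameters.
P = bytes.fromhex("ff" * 16)
G = b"\x02"
YS = bytes(range(16, 32))
WELL_FORMED = vec16(P) + vec16(G) + vec16(YS)
# Same parameters followed by four constructed trailing bytes.
WITH_TRAILING = WELL_FORMED + b"\x00\x00\x00\x00"

if __name__ == "__main__":
    for label, body in (("well-formed", WELL_FORMED), ("trailing", WITH_TRAILING)):
        _, extra = parse_dh_anon_ske(body)
        print(label, "extra bytes:", extra.hex() or "none")
```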