[erlang-questions] ssl psk since 20.3 failed
Ingela Andin
ingela.andin@REDACTED
Thu Sep 6 15:41:54 CEST 2018
Humm ... I believe this was broken by PR-1729, the solution feels
familiar. I hope that the following patch covers all the cases.
diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
index 63996f5..4fbf463 100644
--- a/lib/ssl/src/ssl_handshake.erl
+++ b/lib/ssl/src/ssl_handshake.erl
@@ -1056,7 +1056,10 @@ select_curve(undefined, _, _) ->
select_hashsign(_, _, KeyExAlgo, _, _Version) when KeyExAlgo == dh_anon;
KeyExAlgo == ecdh_anon;
KeyExAlgo == srp_anon;
- KeyExAlgo == psk ->
+ KeyExAlgo == psk;
+ KeyExAlgo == dhe_psk;
+ KeyExAlgo == ecdhe_psk;
+ KeyExAlgo == rsa_psk ->
{null, anon};
%% The signature_algorithms extension was introduced with TLS 1.2. Ignore
it if we have
%% negotiated a lower version.
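Review bot: The guard of this select_hashsign clause now groups seven key-exchange atoms under `{null, anon}` with no comment saying what they have in common, and rsa_psk reads oddly beside the anonymous suites because the RSA_PSK key exchange still uses a server certificate (RFC 4279). A comment above the clause such as `%% Anonymous and PSK key exchanges carry no signed ServerKeyExchange, so no hash/sign pair is selected` would record why the result is right and tell the next person adding a key-exchange algorithm whether it belongs in this guard. Since the message only hopes that all cases are covered, a handshake test per PSK variant (psk, dhe_psk, ecdhe_psk, rsa_psk) restricted to 'tlsv1.2' would pin the regression reported in this thread. The other select_hashsign clauses lie outside the hunk.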
Regards Ingela Erlang/OTP team - Ericsson AB
Den ons 5 sep. 2018 kl 23:00 skrev Oliver Bollmann <
oliver.bollmann@REDACTED>:
> This works with 20.2.2 but since 20.3(21.x) it doesn't!
>
> Error in process <0.79.0> with exit value:
> {{badmatch,{error,{tls_alert,"handshake failure"}}},
> [{client_server,init_connect,1,[{file,"client_server.erl"},{line,37}]}]}
>
> Any hints?
>
> -module(client_server).
>
> %%% Purpose: Example of SSL client and server using psk.
> %%%
> %%% start/0 acts as the server and spawns init_connect/1 as the client in
> %%% the same node. Both sides are restricted to 'tlsv1.2' and to the single
> %%% cipher suite {dhe_psk,aes_256_gcm,null,sha384}.
> %%%
> %%% NOTE(review): the pre-shared key is the literal <<"psk">> and lookup/3
> %%% returns it for every identity, so this listing is a reproducer only.
> %%% Real use needs a random key per identity that is kept out of the source.
>
> -export([start/0, init_connect/1]).
>
> %% Server side: listen, spawn the client, accept one connection, send
> %% "hello", wait for the peer to close, then stop the started applications.
> start() ->
>     %% Start ssl application
>     {ok, StartedApps} = application:ensure_all_started(ssl),
>
>     %% Let the current process be the server that listens and accepts
>     %% Listen on port 0 and read the actual port back from the socket.
>     ServerOpts = mk_opts(listen),
>     {ok, ListenSock} = ssl:listen(0, ServerOpts),
>     {ok, {_, LPort}} = ssl:sockname(ListenSock),
>     io:fwrite("Listen: port = ~w.~n", [LPort]),
>
>     %% Spawn the client process that connects to the server
>     spawn(?MODULE, init_connect, [LPort]),
>
>     %% Accept
>     {ok, AcceptSock} = ssl:transport_accept(ListenSock),
>     ok = ssl:ssl_accept(AcceptSock),
>     io:fwrite("Accept: accepted.~n"),
>     %% The result of ssl:send/2 is not matched here.
>     ssl:send(AcceptSock, "hello"),
>     %% The server expects the client to close without sending anything.
>     {error, closed} = ssl:recv(AcceptSock, 0),
>     io:fwrite("Accept: detected closed.~n"),
>     ssl:close(AcceptSock),
>     io:fwrite("Listen: closing and terminating.~n"),
>     ssl:close(ListenSock),
>
>     %% Stop the applications in the reverse of the order they were started.
>     lists:foreach(
>         fun(App) -> application:stop(App) end,
>         lists:reverse(StartedApps)
>     ).
>
> %% Client connect: connect to LPort on the local host name, read one
> %% message, print it and close.
> init_connect(LPort) ->
>     {ok, Host} = inet:gethostname(),
>     ClientOpts = mk_opts(connect),
>     %% NOTE(review): the badmatch in the report is raised in this function,
>     %% presumably at this match on the result of ssl:connect/3.
>     {ok, ClientSock} = ssl:connect(Host, LPort, ClientOpts),
>     io:fwrite("Connect: connected.~n"),
>     {ok, Data} = ssl:recv(ClientSock, 0),
>     io:fwrite("Connect: got data: ~p~n", [Data]),
>     io:fwrite("Connect: closing and terminating.~n"),
>     ssl:close(ClientSock).
>
> %% Build the ssl option list. The atoms listen and connect map to the PSK
> %% identities "server" and "client"; any other argument is used as the
> %% identity string itself.
> mk_opts(listen) ->
>     mk_opts("server");
> mk_opts(connect) ->
>     mk_opts("client");
> mk_opts(Role) ->
>     %% The role, as a binary, is passed to lookup/3 as its third argument.
>     UserState = list_to_binary(Role),
>     CipherSuites = [{dhe_psk,aes_256_gcm,null,sha384}],
>     [
>         {active, false},
>         {psk_identity, Role},
>         {user_lookup_fun, {fun lookup/3, UserState}},
>         {versions, ['tlsv1.2']},
>         {ciphers, CipherSuites}
>     ].
>
> %% PSK lookup callback. The identity and the user state are ignored, so
> %% every peer identity is given the same key.
> lookup(psk, _Identity, _UserState) ->
>     {ok, <<"psk">>}.
>
> --
> Grüße
> Oliver Bollmann
>
> _______________________________________________
> erlang-questions mailing list
> erlang-questions@REDACTED
> http://erlang.org/mailman/listinfo/erlang-questions
>