[erlang-questions] ssl psk since 20.3 failed

Ingela Andin ingela.andin@REDACTED
Thu Sep 6 15:41:54 CEST 2018


Humm ... I believe this was broken by PR-1729; the solution feels
familiar. I hope that the following patch covers all the cases.

diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
index 63996f5..4fbf463 100644
--- a/lib/ssl/src/ssl_handshake.erl
+++ b/lib/ssl/src/ssl_handshake.erl
@@ -1056,7 +1056,10 @@ select_curve(undefined, _, _) ->
 select_hashsign(_, _, KeyExAlgo, _, _Version) when KeyExAlgo == dh_anon;
                                                    KeyExAlgo == ecdh_anon;
                                                    KeyExAlgo == srp_anon;
-                                                   KeyExAlgo == psk ->
+                                                   KeyExAlgo == psk;
+                                                   KeyExAlgo == dhe_psk;
+                                                   KeyExAlgo == ecdhe_psk;
+                                                   KeyExAlgo == rsa_psk ->
     {null, anon};
 %% The signature_algorithms extension was introduced with TLS 1.2. Ignore
it if we have
 %% negotiated a lower version.
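Review bot: The guard at the top of this hunk is now the single place that decides which key exchanges skip signature-algorithm selection, and this thread shows what an incomplete list costs, so it deserves a comment stating the rule rather than only its members, e.g. `%% Key exchanges that never sign the ServerKeyExchange (anonymous DH/ECDH, anonymous SRP and the whole PSK family): there is no hash/signature pair to select.`. rsa_psk is the odd one out in that the server still presents an RSA certificate for premaster-secret encryption; if the `{null, anon}` result is also consulted for certificate handling elsewhere in ssl_handshake, that case is worth its own test, though this cannot be confirmed from the hunk alone. The remaining clauses of select_hashsign/5 are outside the hunk.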


Regards Ingela Erlang/OTP team - Ericsson AB




Den ons 5 sep. 2018 kl 23:00 skrev Oliver Bollmann <
oliver.bollmann@REDACTED>:

> This works with 20.2.2 but since 20.3 (21.x) it doesn't!
>
> Error in process <0.79.0> with exit value:
> {{badmatch,{error,{tls_alert,"handshake failure"}}},
>  [{client_server,init_connect,1,[{file,"client_server.erl"},{line,37}]}]}
>
> Any hints?
>
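-module(client_server).
%%% Purpose: Example of SSL client and server using psk.
-export([start/0, init_connect/1]).

%% Run the example: this process acts as the TLS server (listen + accept)
%% and a linked child process acts as the client. Both sides use the single
%% dhe_psk suite from mk_opts/1, so no certificates are involved.
%% Every step is asserted with `=`, so any failure (including a rejected
%% handshake) crashes this process with a descriptive badmatch.
start() ->
    %% Start ssl application
    {ok, StartedApps} = application:ensure_all_started(ssl),

    %% Let the current process be the server that listens and accepts
    %% Listen
    {ok, LSock} = ssl:listen(0, mk_opts(listen)),
    {ok, {_, LPort}} = ssl:sockname(LSock),
    io:fwrite("Listen: port = ~w.~n", [LPort]),

    %% Spawn the client process that connects to the server. Link it so a
    %% client-side failure (e.g. a handshake failure) is not left as an
    %% orphaned crash while this process blocks in transport_accept/1.
    spawn_link(?MODULE, init_connect, [LPort]),

    %% Accept
    {ok, ASock} = ssl:transport_accept(LSock),
    %% ssl_accept/1 is kept for compatibility with the OTP 20.x releases
    %% discussed in this thread; newer releases provide ssl:handshake/1.
    ok = ssl:ssl_accept(ASock),
    io:fwrite("Accept: accepted.~n"),
    %% Assert the send as well: a silently dropped message would otherwise
    %% surface only as a confusing badmatch in the client.
    ok = ssl:send(ASock, "hello"),
    {error, closed} = ssl:recv(ASock, 0),
    io:fwrite("Accept: detected closed.~n"),
    ssl:close(ASock),
    io:fwrite("Listen: closing and terminating.~n"),
    ssl:close(LSock),

    lists:foreach(fun application:stop/1, lists:reverse(StartedApps)).

%% Client connect
%% Connects to the server on LPort (on this host), reads one message and
%% closes. Runs in its own process, started by start/0.
init_connect(LPort) ->
    {ok, Host} = inet:gethostname(),
    {ok, CSock} = ssl:connect(Host, LPort, mk_opts(connect)),
    io:fwrite("Connect: connected.~n"),
    {ok, Data} = ssl:recv(CSock, 0),
    io:fwrite("Connect: got data: ~p~n", [Data]),
    io:fwrite("Connect: closing and terminating.~n"),
    ssl:close(CSock).

%% ssl options for either role. The role name doubles as the PSK identity
%% and (as a binary) as the user state handed to lookup/3. Only one PSK
%% cipher suite and only TLS 1.2 are offered, so the handshake cannot
%% silently negotiate something else.
mk_opts(listen) ->
    mk_opts("server");
mk_opts(connect) ->
    mk_opts("client");
mk_opts(Role) ->
    [{active, false},
     {psk_identity, Role},
     {user_lookup_fun, {fun lookup/3, list_to_binary(Role)}},
     {versions, ['tlsv1.2']},
     {ciphers, [{dhe_psk, aes_256_gcm, null, sha384}]}
    ].

%% user_lookup_fun callback: returns the pre-shared key for an identity.
%% Example only: every identity gets the same constant key. A real
%% deployment must look the key up by identity and return an error for
%% identities it does not know.
lookup(psk, _Identity, _UserState) -> {ok, <<"psk">>}.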
>
> --
> Grüße
> Oliver Bollmann
>
>

