Enabling TLS-PSK issue, Erlang is missing Ciphers? How would I add new ones?

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Enabling TLS-PSK issue, Erlang is missing Ciphers? How would I add new ones?

asdf asdf
Hello everyone,

I am currently working on adding PSK functionality to EMQTT and/or RabbitMQ, and my first goal is to get it working in standard Erlang. I have a client that will connect with public-keys, and I am attempting to modify it to suit my needs.

A problem I have just encountered though is that Erlang does not seem to have any psk-ciphers , when I run rp(ssl:cipher_suites(erlang)). in the erlang terminal, I get a long list of ciphers but none of them are psk ciphers. For example, a cipher I am looking for is {psk, aes_256, sha512}, but none are psk:

[{ecdhe_ecdsa,aes_256_gcm,null},
 {ecdhe_rsa,aes_256_gcm,null},
 {ecdhe_ecdsa,aes_256_cbc,sha384},
 {ecdhe_rsa,aes_256_cbc,sha384},
\...
... etc


When I run rp(ssl:cipher_suites(openssl)). in the terminal, similarly, there are no psk ciphers ------

However, the Erlang documentation for ssl (http://erlang.org/doc/man/ssl.html) clearly states that psk is possible. And my openssl does contain psk ciphers for that matter. When I run openssl ciphers, two psk ciphers are available : 
PSK-AES256-CBC-SHA and PSK-RC4-SHA

So, when I run my program, the server doesn't recognize the suite:

HERE is the output when I try to connect:
Eshell V7.2  (abort with ^G)
1> c(s).
{ok,s}
2> s:start().
<0.52.0>
3> s:client("hello").

=ERROR REPORT==== 7-Jul-2017::10:20:34 ===
Error in process <0.52.0> with exit value:
{{badmatch,{error,closed}},[{s,accept,1,[{file,"s.erl"},{line,13}]}]}
** exception exit: {badmatch,{error,{options,{ciphers,[{psk,aes_256_cbc,
                                                            sha512}]}}}}
     in function  s:client/1 (s.erl, line 36)



Is there any way to add any ciphers to erlang?


- I know/think that I also need to use a lookup_fun on my server in ssl:listen to go and match the psk_identity presented by the client to a profile , I received this link: https://github.com/erlang/otp/blob/32a1dca92c0f949ef6ce2c751b23aff82f9d998f/lib/ssl/test/ssl_test_lib.erl#L404 
from another thread, pointing me to example implementation of the lookup_fun (sort of, not really). IF anyone can shed more light on this, I would greatly appreciate it. This is the next step once my server begins to recognize the cipher suite.


HERE is my erlang code I am working on to enable psks: 

 1     -module(s).
  
2     -export([start/0, client/1, accept/1]).
  
3 
  
4     start() ->
  
5        ssl:start(),
  
6        server(4000).
  
7 
  
8     server(Port) ->
  
9             {ok, LSocket} = ssl:listen(Port, [{psk_identity, "abcde"}, {reuseaddr, true}]),
 
10             spawn(fun() -> accept(LSocket) end).
 
11 
 
12     accept(LSocket) ->
 
13        {ok, Socket} = ssl:transport_accept(LSocket),
 
14        ok = ssl:ssl_accept(Socket),
 
15         Pid = spawn(fun() ->
 
16             io:format("Connection accepted ~p~n", [Socket]),
 
17             loop(Socket)
 
18        end),
 
19        ssl:controlling_process(Socket, Pid),
 
20        accept(LSocket).
 
21 
 
22     loop(Socket) ->
 
23        ssl:setopts(Socket, [{active, once}]),
 
24        receive
 
25        {ssl,Sock, Data} ->
 
26             io:format("Got packet: ~p~n", [Data]),
 
27             ssl:send(Sock, Data),
 
28             loop(Socket);
 
29        {ssl_closed, Sock} ->
 
30             io:format("Closing socket: ~p~n", [Sock]);
 
31        Error ->
 
32             io:format("Error on socket: ~p~n", [Error])
 
33        end.
 
34 
 
35     client(N) ->
 
36         {ok, Socket} = ssl:connect("localhost", 4000,  [{ciphers, [{psk, aes_256_cbc, sha512}]}, {psk_identity,"abcde"}]),
 
37         io:format("Client opened socket: ~p~n",[Socket]),
 
38         ok = ssl:send(Socket, N),
 
39         Value = receive
 
40                 {ssl,{sslsocket,new_ssl,_}, Data} ->
 
41                     io:format("Client received: ~p~n",[Data])
 
42                 after 2000 ->
 
43                     0
 
44                 end,
 
45         ssl:close(Socket),
 
46         Value.











_______________________________________________
erlang-questions mailing list
[hidden email]
http://erlang.org/mailman/listinfo/erlang-questions
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Enabling TLS-PSK issue, Erlang is missing Ciphers? How would I add new ones?

Andreas Schultz
Hi,

----- On Jul 7, 2017, at 4:39 PM, asdf asdf [hidden email] wrote:

> Hello everyone,

> I am currently working on adding PSK functionality to EMQTT and/or RabbitMQ, and
> my first goal is to get it working in standard Erlang. I have a client that
> will connect with public-keys, and I am attempting to modify it to suit my
> needs.

You are aware that PSK (pre-shared keys) and client certificates are two different beasts? Your "public-keys" reference sounds a lot like client certificates!

> A problem I have just encountered though is that Erlang does not seem to have
> any psk-ciphers , when I run rp(ssl:cipher_suites(erlang)) . in the erlang
> terminal, I get a long list of ciphers but none of them are psk ciphers.

That's because ssl:cipher_suites(erlang) only lists the default suites, you need to use ssl:cipher_suites(all) to really see all suites.

> For example, a cipher I am looking for is {psk, aes_256, sha512}, but none are
> psk:

There is no cipher suite that has "sha512" in its name. However, in TLS 1.2 the server and client are free to negotiate sha512 as hash for the verification of handshake.

Some possible candidates are:
 * {dhe_psk, aes_256_gcm, null, sha384}
 * {dhe_psk, aes_256_cbc, sha384}
 * {rsa_psk, aes_256_gcm, null, sha384}
 * {rsa_psk, aes_256_cbc, sha384}

I would strongly recommend the DHE ciphers!

> - I know/think that I also need to use a lookup_fun on my server in ssl:listen to go and match the psk_identity presented by the client to a profile ,
> I received this link: [ https://github.com/erlang/otp/blob/32a1dca92c0f949ef6ce2c751b23aff82f9d998f/lib/ssl/test/ssl_test_lib.erl#L404 | from another thread, pointing me to example implementation of the lookup_fun (sort of, not really). IF anyone can shed more light on this, I would greatly appreciate it. This is the next step once my server begins to recognize the cipher suite.

For PSK, you need a lookup function that gets the User Hint from the TLS Client Hello and returns the {ok, PSK} for that user. The PSK needs to be a binary.
A very simple version with the same PSK for every user would be:

    user_lookup(psk, _Username, UserState) ->
        {ok, UserState}.

And then you add this to your ssl options:

   {user_lookup_fun, {fun user_lookup/3, <<"secret">>}},

Regards
Andreas

PS: please do not send HTML formated mails. Other might be fine with them, but I won't respond to them.
_______________________________________________
erlang-questions mailing list
[hidden email]
http://erlang.org/mailman/listinfo/erlang-questions
Loading...