Force TLS v1.2

Hi guys

I’m trying to connect to a remote SSL server using a filtering Proxy in between.

First, I try to establish a normal TCP connection to this local Proxy using the CONNECT word.

Second, I upgrade the TCP socket to SSL as in this snippet code:

_______________________________
tcp_client() ->
    {ok, TcpSock} = gen_tcp:connect("local_proxy_f

or_traffic_filtering", 12345, [ binary, {active,true}, {packet,0} ]),

    ok = gen_tcp:send(TcpSocket, <<"CONNECT…">>),
    … got 200OK ...
    TcpSocket.

ssl_client() ->
  TcpSocket = tcp_client(),
  Opts = [ {verify, verify_none}, {cacertfile, "cacert.pem"}, {versions, ['tlsv1.2']} ],
  {ok, Sock} = ssl:connect(TcpSocket, Opts).

connect() ->
      SslSocket = ssl_client(),

      ok = ssl:send(SslSocket, <<"...some data...">>),

      …
      ok.
_______________________________

When i call the ssl:send/2, the remote SSL server (I’ve no control on this server) immediately closes the connection with {error, closed}.

 
Furthermore, the SSL server claims I’m using SSL v1.3 (from the logs we've got).

Questions:

a. is it the right way to establish an SSL connection via a proxy?

b. how can I really ensure I’m using SSL v1.2 and not v1.3?

My config: Erlang 21.3.5, Ubuntu 18.04 LTS, Kernel 4.4.0-grs-64 on a very restricted environment: no sudo, no direct internet access

/Frank

On Sat, Apr 27, 2019 at 08:15:10PM +0000, WW wrote:
> Thank you for your answer Kostis.
> But will erlang crash if any other internal function call this internal function with an argument of integer() or someother term()?

   The point here is that dialyzer can *prove* that the function will
not be called with anything other than the first two cases. It
therefore tells you that the third catch-all case is impossible. You
can safely remove that third clause.

   If at some point in the future you write some code which could call
the function with some other input, then dialyzer will tell you about
that, too.

   If you want a quiet dialyzer, the solution here is to remove the
third (catch-all) clause, until you have some code which actually
needs it.

   Hugo.

> -------------------------------------------------------------------------------------------------------------------------------------------------------------- ###=====================================================================###
>  -spec convert_result_and_exit(any()) -> no_return().
>  %%% 
>  ###=====================================================================###
> convert_result_and_exit({error, ErrReason}) when is_binary(ErrReason)-> 
> exit({error, ErrReason}); convert_result_and_exit(no_permission)-> exit(no_permission).
>
> test() ->    convert_result_and_exit ( [1,2,3] ).     ( It is a use case , why "so they cannot be with any() as argument" ?  Where in the erlang doc defined that?)
>
> In this case, test() will crash owing to missing the convert_result_and_exit(_E) -> exit({error, <<"Unknown reason">>}).   I do not want it crash, I need a quiet exit (catch it afterwards)instead, will that be possible ?----------------------------------------------------------------------------------------------------------------------------------------------------------------
> The question is : Why dialyzer could not detect the internal non-exported spec ?  Or Erlang module interal function should not have any spec at all , because dialyzer doesn't care?
> Is it  the limitation of dialyzer or  wrong in the design? What is the best solution, in my situation?
> BR//Wei Wang
> Best Regards W.W.(KingWang)
>
>     On Saturday, April 27, 2019, 4:52:29 PM GMT+2, Kostis Sagonas <[hidden email]> wrote: 
> 
>  On 4/27/19 12:43 PM, WW wrote:
> > But according to spec   the input of the function can be any()! It is
> > obvious the _E  should be considered, otherwise erlang will crash.
> >
> > Am I wrong?
>
> Yes, you are.
>
> The function is not exported; all calls to it are from within the module
> (i.e., known to dialyzer), so they cannot be with any() as argument;
> they can only be with the term types that dialyzer has inferred.
>
> Kostis
>   

> _______________________________________________
> erlang-questions mailing list
> [hidden email]
> http://erlang.org/mailman/listinfo/erlang-questions


--
Hugo Mills             | You can get more with a kind word and a two-by-four
hugo@... carfax.org.uk | than you can with just a kind word.
http://carfax.org.uk/  |
PGP: E2AB1DE4          |                                Marcus Cole, Babylon 5
_______________________________________________
erlang-questions mailing list
[hidden email]
http://erlang.org/mailman/listinfo/erlang-questions

Small typo in ssl_client/0:

_______________________________
tcp_client() ->
    {ok, TcpSock} = gen_tcp:connect("local_proxy_for_traffic_fitering", 12345, [ binary, {active, true}, {packet. 0} ]),
    ok = gen_tcp:send(TcpSocket, <<"CONNECT…">>),
    … got 200OK ...
    TcpSocket.

ssl_client() ->
  TcpSocket = tcp_client(),
  Opts = [ {verify, verify_none}, {cacertfile, "cacert.pem"}, {versions, ['tlsv1.2']} ],
  {ok, Sock} = ssl:connect(TcpSocket, Opts),

   Sock.

connect() ->
      SslSocket = ssl_client(),
      ok = ssl:send("...some data...">>, SslSocket),
      …
      ok.
_______________________________

Hi guys

I’m trying to connect to a remote SSL server using a filtering Proxy in between.

First, I try to establish a normal TCP connection to this local Proxy using the CONNECT word.

Second, I upgrade the TCP socket to SSL as in this snippet code:

_______________________________
tcp_client() ->
    {ok, TcpSock} = gen_tcp:connect("local_proxy_f

or_traffic_filtering", 12345, [ binary, {active,true}, {packet,0} ]),

    ok = gen_tcp:send(TcpSocket, <<"CONNECT…">>),
    … got 200OK ...
    TcpSocket.

ssl_client() ->
  TcpSocket = tcp_client(),
  Opts = [ {verify, verify_none}, {cacertfile, "cacert.pem"}, {versions, ['tlsv1.2']} ],
  {ok, Sock} = ssl:connect(TcpSocket, Opts).

connect() ->
      SslSocket = ssl_client(),

      ok = ssl:send(SslSocket, <<"...some data...">>),

      …
      ok.
_______________________________

When i call the ssl:send/2, the remote SSL server (I’ve no control on this server) immediately closes the connection with {error, closed}.

 
Furthermore, the SSL server claims I’m using SSL v1.3 (from the logs we've got).

Questions:

a. is it the right way to establish an SSL connection via a proxy?

b. how can I really ensure I’m using SSL v1.2 and not v1.3?

My config: Erlang 21.3.5, Ubuntu 18.04 LTS, Kernel 4.4.0-grs-64 on a very restricted environment: no sudo, no direct internet access

/Frank

Hi Frank,

Sorry, that I can't really help you, but I did notice that the Erlang SSL usage example for upgrading a socket to TLS [1] says:

> Step 5: Ensure active is set to false before trying to upgrade a connection to an SSL connection, otherwise SSL handshake messages can be delivered to the wrong process

Your example seems to be using an active connection.

Maybe you could post a more complete, ready to run sample to get more feedback...

Regards

Andreas

1: http://erlang.org/doc/apps/ssl/using_ssl.html

Am Fr., 26. Apr. 2019 um 08:25 Uhr schrieb Frank Muller <[hidden email]>:

Small typo in ssl_client/0:

_______________________________
tcp_client() ->
    {ok, TcpSock} = gen_tcp:connect("local_proxy_for_traffic_fitering", 12345, [ binary, {active, true}, {packet. 0} ]),
    ok = gen_tcp:send(TcpSocket, <<"CONNECT…">>),
    … got 200OK ...
    TcpSocket.

ssl_client() ->
  TcpSocket = tcp_client(),
  Opts = [ {verify, verify_none}, {cacertfile, "cacert.pem"}, {versions, ['tlsv1.2']} ],
  {ok, Sock} = ssl:connect(TcpSocket, Opts),

   Sock.

connect() ->
      SslSocket = ssl_client(),
      ok = ssl:send("...some data...">>, SslSocket),
      …
      ok.
_______________________________

Hi guys

I’m trying to connect to a remote SSL server using a filtering Proxy in between.

First, I try to establish a normal TCP connection to this local Proxy using the CONNECT word.

Second, I upgrade the TCP socket to SSL as in this snippet code:

_______________________________
tcp_client() ->
    {ok, TcpSock} = gen_tcp:connect("local_proxy_f

or_traffic_filtering", 12345, [ binary, {active,true}, {packet,0} ]),

    ok = gen_tcp:send(TcpSocket, <<"CONNECT…">>),
    … got 200OK ...
    TcpSocket.

ssl_client() ->
  TcpSocket = tcp_client(),
  Opts = [ {verify, verify_none}, {cacertfile, "cacert.pem"}, {versions, ['tlsv1.2']} ],
  {ok, Sock} = ssl:connect(TcpSocket, Opts).

connect() ->
      SslSocket = ssl_client(),

      ok = ssl:send(SslSocket, <<"...some data...">>),

      …
      ok.
_______________________________

When i call the ssl:send/2, the remote SSL server (I’ve no control on this server) immediately closes the connection with {error, closed}.

 
Furthermore, the SSL server claims I’m using SSL v1.3 (from the logs we've got).

Questions:

a. is it the right way to establish an SSL connection via a proxy?

b. how can I really ensure I’m using SSL v1.2 and not v1.3?

My config: Erlang 21.3.5, Ubuntu 18.04 LTS, Kernel 4.4.0-grs-64 on a very restricted environment: no sudo, no direct internet access

/Frank

_______________________________________________

erlang-questions mailing list
[hidden email]
http://erlang.org/mailman/listinfo/erlang-questions

--

--
Dipl.-Inform. Andreas Schultz

----------------------- enabling your networks ----------------------
Travelping GmbH                     Phone:  +49-391-81 90 99 0
Roentgenstr. 13                     Fax:    +49-391-81 90 99 299
39108 Magdeburg                     Email:  [hidden email]
GERMANY                             Web:    http://www.travelping.com

Company Registration: Amtsgericht Stendal        Reg No.:   HRB 10578

Geschaeftsfuehrer: Holger Winkelmann          VAT ID No.: DE236673780
---------------------------------------------------------------------