Force TLS v1.2


Force TLS v1.2

Frank Muller
Hi guys

I’m trying to connect to a remote SSL server using a filtering Proxy in between.

First, I try to establish a normal TCP connection to this local Proxy using the CONNECT word.

Second, I upgrade the TCP socket to SSL as in this code snippet:

_______________________________
tcp_client() ->
    {ok, TcpSocket} = gen_tcp:connect("local_proxy_for_traffic_filtering", 12345,
                                      [binary, {active, true}, {packet, 0}]),
    ok = gen_tcp:send(TcpSocket, <<"CONNECT…">>),
    %% … got 200OK ...
    TcpSocket.

ssl_client() ->
    TcpSocket = tcp_client(),
    Opts = [{verify, verify_none}, {cacertfile, "cacert.pem"}, {versions, ['tlsv1.2']}],
    {ok, Sock} = ssl:connect(TcpSocket, Opts),
    Sock.

connect() ->
    SslSocket = ssl_client(),
    ok = ssl:send(SslSocket, <<"...some data...">>),
    %% …
    ok.
_______________________________

When I call ssl:send/2, the remote SSL server (I've no control over this server) immediately closes the connection with {error, closed}.

Furthermore, the SSL server claims I'm using SSL v1.3 (from the logs we've got).

Questions:
a. Is it the right way to establish an SSL connection via a proxy?

b. How can I really ensure I'm using SSL v1.2 and not v1.3?


My config: Erlang 21.3.5, Ubuntu 18.04 LTS, Kernel 4.4.0-grs-64 on a very restricted environment: no sudo, no direct internet access

/Frank

_______________________________________________
erlang-questions mailing list
[hidden email]
http://erlang.org/mailman/listinfo/erlang-questions

Re: Force TLS v1.2

Frank Muller
Small typo in ssl_client/0:
_______________________________
tcp_client() ->
    {ok, TcpSocket} = gen_tcp:connect("local_proxy_for_traffic_filtering", 12345,
                                      [binary, {active, true}, {packet, 0}]),
    ok = gen_tcp:send(TcpSocket, <<"CONNECT…">>),
    %% … got 200OK ...
    TcpSocket.

ssl_client() ->
    TcpSocket = tcp_client(),
    Opts = [{verify, verify_none}, {cacertfile, "cacert.pem"}, {versions, ['tlsv1.2']}],
    {ok, Sock} = ssl:connect(TcpSocket, Opts),
    Sock.

connect() ->
    SslSocket = ssl_client(),
    ok = ssl:send(SslSocket, <<"...some data...">>),
    %% …
    ok.
_______________________________

Re: Force TLS v1.2

WW-2
Dialyzer warning if I do not export my function convert_result_and_exit/1:


%%% ###=====================================================================###
-spec convert_result_and_exit(any()) -> no_return().
%%% ###=====================================================================###
convert_result_and_exit({error, ErrReason}) when is_binary(ErrReason) -> exit({error, ErrReason});
convert_result_and_exit(no_permission) -> exit(no_permission);
convert_result_and_exit(_E) -> exit({error, <<"Unknown reason">>}).



got a warning from dialyzer:

1569: The variable _E can never match since previous clauses completely covered the type 'no_permission' | {'error',binary()}

Does anybody have an explanation why?

Dialyzer bug?

Best regards//KW





Best Regards W.W.(KingWang)



Re: Force TLS v1.2

Kostis Sagonas-2
On 4/26/19 3:34 PM, WW wrote:

> Dialyzer warning if not export my function convert_result_and_exit/1
>
>
> %%%
> ###=====================================================================###
> -spec convert_result_and_exit(any()) -> no_return().
> %%%
> ###=====================================================================###
> convert_result_and_exit({error, ErrReason}) when is_binary(ErrReason)->
> exit({error, ErrReason});
> convert_result_and_exit(no_permission)-> exit(no_permission);
> convert_result_and_exit(_E) -> exit({error, <<"Unknown reason">>}).
>
>
> got a warning from dialyzer:
>
> 1569: The variable _E can never match since previous clauses completely
> covered the type 'no_permission' | {'error',binary()}
>
> Anybody has an explanation why ?

Because all calls to convert_result_and_exit/1 are either with an
{'error',binary()} tuple or the 'no_permission' atom.  Thus, Dialyzer
can figure out that the third clause is unreachable and informs you
about it.

Effectively, it tells you that you have either made a mistake somewhere
and you have no call with something other than 'no_permission' |
{'error',binary()} or you can remove this clause (comment it out).

Once you have done that, perhaps you may also want to strengthen the
spec of the function.

> Dialyzer   bug ?

Remember the slogan: "Dialyzer is never wrong!"

Kostis

Re: Force TLS v1.2

WW-2
But according to the spec the input of the function can be any()! It is obvious the _E should be considered, otherwise Erlang will crash.

Am I wrong?

Best Regards W.W.(KingWang)



Re: Force TLS v1.2

Kostis Sagonas-2
On 4/27/19 12:43 PM, WW wrote:
> But according to spec   the input of the function can be any()! It is
> obvious the _E  should be considered, otherwise erlang will crash.
>
> Am I wrong?

Yes, you are.

The function is not exported; all calls to it are from within the module
(i.e., known to dialyzer), so they cannot be with any() as argument;
they can only be with the term types that dialyzer has inferred.

Kostis

Re: Force TLS v1.2

WW-2
Thank you for your answer Kostis.

But will Erlang crash if any other internal function calls this internal function with an argument of integer() or some other term()?

--------------------------------------------------------------------------------------------------------------------------------------------------------------
%%% ###=====================================================================###
-spec convert_result_and_exit(any()) -> no_return().
%%% ###=====================================================================###
convert_result_and_exit({error, ErrReason}) when is_binary(ErrReason) ->
    exit({error, ErrReason});
convert_result_and_exit(no_permission) -> exit(no_permission).

test() ->
    convert_result_and_exit([1,2,3]).

(It is a use case, so why "they cannot be with any() as argument"? Where in the Erlang doc is that defined?)

In this case, test() will crash owing to the missing convert_result_and_exit(_E) -> exit({error, <<"Unknown reason">>}). I do not want it to crash, I need a quiet exit (to catch it afterwards) instead. Will that be possible?
----------------------------------------------------------------------------------------------------------------------------------------------------------------

The question is: why could Dialyzer not detect the internal non-exported spec? Or should an Erlang module's internal functions not have any spec at all, because Dialyzer doesn't care?

Is it a limitation of Dialyzer or wrong in the design? What is the best solution in my situation?

BR//Wei Wang

Best Regards W.W.(KingWang)


Re: Force TLS v1.2

WW-2
Will the only solution be that I export that function even though it is not used from outside? Call it an exported internal function?

Best Regards W.W.(KingWang)



Re: Force TLS v1.2

Hugo Mills-2
In reply to this post by WW-2
On Sat, Apr 27, 2019 at 08:15:10PM +0000, WW wrote:
> Thank you for your answer Kostis.
> But will erlang crash if any other internal function call this internal function with an argument of integer() or someother term()?

   The point here is that dialyzer can *prove* that the function will
not be called with anything other than the first two cases. It
therefore tells you that the third catch-all case is impossible. You
can safely remove that third clause.

   If at some point in the future you write some code which could call
the function with some other input, then dialyzer will tell you about
that, too.

   If you want a quiet dialyzer, the solution here is to remove the
third (catch-all) clause, until you have some code which actually
needs it.

   Hugo.

--
Hugo Mills             | You can get more with a kind word and a two-by-four
hugo@... carfax.org.uk | than you can with just a kind word.
http://carfax.org.uk/  |
PGP: E2AB1DE4          |                                Marcus Cole, Babylon 5
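The situation Kostis and Hugo describe, and WW's "quiet exit" requirement, as an added example that is not code from this thread. Only convert_result_and_exit/1 is taken from WW's post; the module name and the other function names are invented here.

```erlang
%% Added example, not code from the thread. convert_result_and_exit/1 is WW's
%% function; quiet_exit, run/1, check_permission/1 and fail_with/1 are invented.
-module(quiet_exit).
-export([run/1, check_permission/1, fail_with/1]).

%% Not exported, so Dialyzer sees every call site. With only check_permission/1
%% and fail_with/1 as callers it infers the argument type
%% 'no_permission' | {'error', binary()} and reports the third clause as
%% unreachable (the warning WW quotes). A reachable caller that can pass any
%% other term, such as run/1 below, makes the clause live and the warning goes.
-spec convert_result_and_exit(any()) -> no_return().
convert_result_and_exit({error, ErrReason}) when is_binary(ErrReason) ->
    exit({error, ErrReason});
convert_result_and_exit(no_permission) ->
    exit(no_permission);
convert_result_and_exit(_E) ->
    exit({error, <<"Unknown reason">>}).

%% Caller 1: always passes the atom no_permission.
check_permission(Allowed) when is_boolean(Allowed) ->
    case Allowed of
        true  -> ok;
        false -> convert_result_and_exit(no_permission)
    end.

%% Caller 2: always passes {error, binary()}.
fail_with(Reason) when is_binary(Reason) ->
    convert_result_and_exit({error, Reason}).

%% Caller 3: the result comes from a fun supplied by the outside world, so it
%% can be any term. exit/1 is not a crash in the sense of an uncaught error:
%% it raises an exit signal that this wrapper catches and turns into a value,
%% which is the "quiet exit" WW asks for.
-spec run(fun(() -> any())) -> ok | {exited, any()}.
run(Fun) ->
    try
        case Fun() of
            ok    -> ok;
            Other -> convert_result_and_exit(Other)
        end
    catch
        exit:Reason -> {exited, Reason}
    end.
```

quiet_exit:run(fun() -> ok end) returns ok; quiet_exit:run(fun() -> [1,2,3] end) returns {exited, {error, <<"Unknown reason">>}} through the third clause, and quiet_exit:run(fun() -> no_permission end) returns {exited, no_permission}. If run/1 is deleted, the third clause of convert_result_and_exit/1 has no reachable caller again and Dialyzer is back to flagging it, which is Hugo's point: the warning tracks the call sites that actually exist, not the any() in the spec.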

Re: Force TLS v1.2

WW-2
The problem is that I already have an internal function call for that (any()) case.

Best Regards W.W.(KingWang)



Re: Force TLS v1.2

Frank Muller
In reply to this post by Hugo Mills-2
Hey guys 

Why is this thread about Dialyzer?
I created it because of a TLS issue I had (see my original post).

Thank you.
/Frank

 

Re: Force TLS v1.2

Frank Muller
In reply to this post by Frank Muller
Help please!!!


Re: Force TLS v1.2

Andreas Schultz-3
In reply to this post by Frank Muller
Hi Frank,

Sorry that I can't really help you, but I did notice that the Erlang SSL usage example for upgrading a socket to TLS [1] says:

> Step 5: Ensure active is set to false before trying to upgrade a connection to an SSL connection, otherwise SSL handshake messages can be delivered to the wrong process

Your example seems to be using an active connection.

Maybe you could post a more complete, ready to run sample to get more feedback...

Regards
Andreas


--
Dipl.-Inform. Andreas Schultz

----------------------- enabling your networks ----------------------
Travelping GmbH                     Phone:  +49-391-81 90 99 0
Roentgenstr. 13                     Fax:    +49-391-81 90 99 299
39108 Magdeburg                     Email:  [hidden email]
GERMANY                             Web:    http://www.travelping.com

Company Registration: Amtsgericht Stendal        Reg No.:   HRB 10578
Geschaeftsfuehrer: Holger Winkelmann          VAT ID No.: DE236673780
---------------------------------------------------------------------

_______________________________________________
erlang-questions mailing list
[hidden email]
http://erlang.org/mailman/listinfo/erlang-questions

Re: Force TLS v1.2

Frank Muller
Hi Andreas

Thanks for pointing that out.
I just tried with {active,false} but nothing changed.
The connection is closed immediately.

Any other hint?

/Frank

Hi Frank,

Sorry that I can't really help you, but I did notice that the Erlang SSL usage example for upgrading a socket to TLS [1] says:

> Step 5: Ensure active is set to false before trying to upgrade a connection to an SSL connection, otherwise SSL handshake messages can be delivered to the wrong process

Your example seems to be using an active connection.

Maybe you could post a more complete, ready to run sample to get more feedback...

Regards
Andreas


On Fri., 26 Apr. 2019 at 08:25, Frank Muller <[hidden email]> wrote:
_______________________________________________
erlang-questions mailing list
[hidden email]
http://erlang.org/mailman/listinfo/erlang-questions
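The following is an added example written for this thread; it is not Frank's code, not Andreas's, and not part of Erlang/OTP. It puts the two points raised above into one runnable module: the socket is passive ({active, false}) before the CONNECT exchange and before the upgrade, as the OTP usage example requires, and the TLS version is pinned with {versions, ['tlsv1.2']}, so the ClientHello cannot offer anything newer. Question (b) is answered by asking the ssl application what was actually negotiated (ssl:connection_information/2) instead of trusting the option list. The example also replaces {verify, verify_none} with verify_peer plus SNI, because with verify_none the cacertfile in the original snippet is never used to reject a bad chain, which makes the filtering proxy (or anything else on the path) able to present any certificate it likes. The module name, the proxy host/port, the target host/port, the CA bundle path "cacert.pem" and the 5 s timeout are all placeholders chosen for the example; the proxy is assumed to speak plain HTTP/1.1 CONNECT and to send nothing after its 200 response until the client starts the handshake.

```erlang
%% Added example for the thread above, not code from the original posts.
%% Establish a TLS 1.2 session through an HTTP CONNECT proxy, with the
%% socket passive for the whole CONNECT + handshake phase, then confirm
%% the negotiated protocol version.  Names, ports and paths are assumed.
-module(tls12_via_proxy).
-export([connect/4, negotiated_protocol/1]).

-define(TIMEOUT, 5000).   %% assumed timeout for every blocking step

%% connect(ProxyHost, ProxyPort, Host, Port) -> {ok, SslSocket} | {error, Reason}
%% Run ssl:start() once before calling this.
connect(ProxyHost, ProxyPort, Host, Port) ->
    %% {active, false}: this process must read the proxy reply and the
    %% handshake bytes itself; in active mode they arrive as messages
    %% and the handshake can be delivered to the wrong process.
    {ok, Tcp} = gen_tcp:connect(ProxyHost, ProxyPort,
                                [binary, {active, false}, {packet, 0}],
                                ?TIMEOUT),
    case tunnel(Tcp, Host, Port) of
        ok ->
            upgrade(Tcp, Host);
        {error, Reason} ->
            gen_tcp:close(Tcp),
            {error, Reason}
    end.

%% Send "CONNECT host:port HTTP/1.1" and require a 200 before upgrading.
tunnel(Tcp, Host, Port) ->
    Target = [Host, ":", integer_to_list(Port)],
    Req = ["CONNECT ", Target, " HTTP/1.1\r\n",
           "Host: ", Target, "\r\n\r\n"],
    case gen_tcp:send(Tcp, Req) of
        ok -> expect_200(Tcp, <<>>);
        {error, Reason} -> {error, {proxy_send, Reason}}
    end.

%% Parse the proxy status line with the built-in HTTP packet decoder.
expect_200(Tcp, Acc) ->
    case erlang:decode_packet(http_bin, Acc, []) of
        {ok, {http_response, _Vsn, 200, _Text}, Rest} ->
            skip_headers(Tcp, Rest);
        {ok, {http_response, _Vsn, Code, Text}, _Rest} ->
            {error, {proxy_refused, Code, Text}};   %% e.g. 403/407: no tunnel
        {ok, Other, _Rest} ->
            {error, {unexpected_proxy_reply, Other}};
        {more, _} ->
            recv_more(Tcp, Acc, fun expect_200/2);
        {error, Reason} ->
            {error, {bad_proxy_reply, Reason}}
    end.

%% Consume response headers up to the empty line; a conformant proxy sends
%% nothing after it until the client speaks, so Rest should be empty.
skip_headers(Tcp, Acc) ->
    case erlang:decode_packet(httph_bin, Acc, []) of
        {ok, http_eoh, _Rest} ->
            ok;
        {ok, {http_header, _, _Field, _, _Value}, Rest} ->
            skip_headers(Tcp, Rest);
        {ok, {http_error, Line}, _Rest} ->
            {error, {bad_proxy_header, Line}};
        {more, _} ->
            recv_more(Tcp, Acc, fun skip_headers/2);
        {error, Reason} ->
            {error, {bad_proxy_reply, Reason}}
    end.

recv_more(Tcp, Acc, Continue) ->
    case gen_tcp:recv(Tcp, 0, ?TIMEOUT) of
        {ok, Data} -> Continue(Tcp, <<Acc/binary, Data/binary>>);
        {error, Reason} -> {error, {proxy_recv, Reason}}
    end.

%% Upgrade the tunnelled socket.  versions pins the ClientHello to TLS 1.2;
%% verify_peer + cacertfile + SNI makes the chain actually be checked
%% (with verify_none the cacertfile would never reject anything).
upgrade(Tcp, Host) ->
    SslOpts = [{versions, ['tlsv1.2']},
               {verify, verify_peer},
               {cacertfile, "cacert.pem"},          %% assumed CA bundle path
               {server_name_indication, Host},
               {depth, 3}],
    case ssl:connect(Tcp, SslOpts, ?TIMEOUT) of
        {ok, Ssl} ->
            {ok, Ssl};
        {error, Reason} ->
            gen_tcp:close(Tcp),
            {error, {tls_handshake, Reason}}
    end.

%% Question (b): report what was negotiated, not what was requested.
negotiated_protocol(Ssl) ->
    {ok, Info} = ssl:connection_information(Ssl, [protocol, selected_cipher_suite]),
    case proplists:get_value(protocol, Info) of
        'tlsv1.2' -> {ok, Info};
        Other     -> {error, {unexpected_protocol, Other, Info}}
    end.
```

Usage: ssl:start(), then {ok, S} = tls12_via_proxy:connect("local_proxy", 12345, "remote.example", 443) and tls12_via_proxy:negotiated_protocol(S), which returns {ok, [{protocol, 'tlsv1.2'}, {selected_cipher_suite, ...}]} on a good connection. The socket stays passive after the upgrade, so read with ssl:recv/3 or switch with ssl:setopts(S, [{active, once}]) once the handshake has completed. If the server log still reports a newer version while this client pins 1.2, the session it logged was not negotiated by this ClientHello; the thing to check then is whether the filtering proxy terminates TLS itself and opens its own session to the server.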