Unknown error while using SSL/TLS

Unknown error while using SSL/TLS

Amin Arria
Hi everyone,

I have an application using cowboy with SSL/TLS. For some reason it has stopped accepting connections and giving SSL errors to the clients connecting.

The only piece of info the server gives is "TLS server: In state certify received CLIENT ALERT: Fatal - Illegal Parameter" and I can't find anything about it. Do you know anything?

Thanks,
Amin

_______________________________________________
erlang-questions mailing list
[hidden email]
http://erlang.org/mailman/listinfo/erlang-questions
Re: Unknown error while using SSL/TLS

Ingela Andin
Hi Amin!

2018-08-07 21:19 GMT+02:00 Amin Arria <[hidden email]>:
Hi everyone,

I have an application using cowboy with SSL/TLS. For some reason it has stopped accepting connections and giving SSL errors to the clients connecting.

The only piece of info the server gives is "TLS server: In state certify received CLIENT ALERT: Fatal - Illegal Parameter" and I can't find anything about it. Do you know anything?


If you think about the wording, you would realise that it is the clients that are sending the alerts and not the server. However, it is possible that it is due to a bug in the server, but it could also be a client problem. Illegal Parameter
is typically a subtle interop problem, that is, the client or the server is doing something wrong so that they are not able to agree on a shared secret.

Without any more details about versions of OTP and the ssl application and what cipher suites used to work it is hard to say anything more. 

Regards Ingela Erlang/OTP team - Ericsson AB



 
Thanks,
Amin




Re: Unknown error while using SSL/TLS

Leo Liu-2
In reply to this post by Amin Arria
On 2018-08-07 16:19 -0300, Amin Arria wrote:
> I have an application using cowboy with SSL/TLS. For some reason it has
> stopped accepting connections and giving SSL errors to the clients
> connecting.
>
> The only piece of info the server gives is "TLS server: In state certify
> received CLIENT ALERT: Fatal - Illegal Parameter" and I can't find anything
> about. Do you know anything?

I had to debug such an issue some weeks ago. I got a call for help near
midnight and wasted nearly 3 hours to get it working (sort of).

Something changed between OTP 20.3.2 and 20.3.8.3 that makes some
certificates unhappy. I bypassed it by using SSL application from 20.3.2
with OTP 20.3.8.3. There is some bug somewhere.

Leo
Re: Unknown error while using SSL/TLS

Ingela Andin
Hi!


I believe the bug could be solved by the following patch:

diff --git a/lib/ssl/src/ssl_cipher.erl b/lib/ssl/src/ssl_cipher.erl
index 40d974f..aa453fe 100644
--- a/lib/ssl/src/ssl_cipher.erl
+++ b/lib/ssl/src/ssl_cipher.erl
@@ -2555,6 +2555,8 @@ ecdsa_signed_suites(Ciphers, Version) ->
 
 rsa_keyed(dhe_rsa) ->
     true;
+rsa_keyed(ecdhe_rsa) ->
+    true;
 rsa_keyed(rsa) ->
     true;
 rsa_keyed(rsa_psk) ->
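Review bot: the new rsa_keyed(ecdhe_rsa) clause is the right shape, but nothing in the patch exercises it; since the reported symptom is a client-side fatal Illegal Parameter alert in state certify, a regression test in which a server holding an RSA-keyed certificate completes a handshake with only ECDHE-RSA suites enabled would pin the fix. A one-line comment distinguishing ecdhe_rsa (authenticates with the certificate's RSA key, hence rsa_keyed) from ecdh_rsa (kept under ec_keyed in the next hunk because the certificate itself carries an EC key) would also help, as the near-identical atom names are exactly what made this omission easy to miss.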
@@ -2618,6 +2620,8 @@ ec_keyed(ecdh_ecdsa) ->
     true;
 ec_keyed(ecdh_rsa) ->
     true;
+ec_keyed(ecdhe_ecdsa) ->
+    true;
 ec_keyed(_) ->
     false.
 
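Review bot: ec_keyed(ecdhe_ecdsa) is added as an isolated clause, so the same test gap applies; add a case with an ECDSA-keyed certificate and only ECDHE-ECDSA suites, and have the commit message name both key exchanges since the two hunks fix one omission. Note also that the catch-all ec_keyed(_) -> false stays in place, so any other key-exchange atom missing from these clauses is still silently classified as unusable; a log line for an unrecognised atom would surface the next such regression in the server log rather than only as an alert from the peer.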

Regards Ingela Erlang/OTP Team

2018-08-08 14:23 GMT+02:00 Leo Liu <[hidden email]>:
On 2018-08-07 16:19 -0300, Amin Arria wrote:
> I have an application using cowboy with SSL/TLS. For some reason it has
> stopped accepting connections and giving SSL errors to the clients
> connecting.
>
> The only piece of info the server gives is "TLS server: In state certify
> received CLIENT ALERT: Fatal - Illegal Parameter" and I can't find anything
> about. Do you know anything?

I have to debug such an issue some weeks ago. I got a call for help near
midnight and wasted nearly 3 hours to get it working (sort of).

Something changed between OTP 20.3.2 and 20.3.8.3 that makes some
certificates unhappy. I bypassed it by using SSL application from 20.3.2
with OTP 20.3.8.3. There is some bug somewhere.

Leo


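The following is an added example, not code from the thread or from Erlang/OTP. It models the rsa_keyed/ec_keyed classification shown in the patch above (the key-exchange atoms are taken from the hunk lines; the real functions in ssl_cipher.erl have more clauses than the hunks show) and demonstrates what the omission changes for the interop failure Ingela describes: suites whose key exchange is not mapped to the server certificate's key type drop out of consideration, so a server with an RSA-keyed certificate and only ECDHE-RSA suites configured is left with nothing compatible before the patch. The tuple shape of the sample suites and the usable_suites helper are assumptions for illustration; the thread does not describe the exact path from the missing clause to the client's Illegal Parameter alert.

```python
"""Model of the rsa_keyed/ec_keyed classification before and after the patch.

Added example; not OTP code. The key-exchange atoms are those visible in the
patch context lines; everything else is constructed for illustration.
"""

# Before the patch: ecdhe_rsa and ecdhe_ecdsa are mapped to neither key type.
RSA_KEYED_BEFORE = frozenset({"dhe_rsa", "rsa", "rsa_psk"})
EC_KEYED_BEFORE = frozenset({"ecdh_ecdsa", "ecdh_rsa"})

# After the patch: ecdhe_rsa joins rsa_keyed, ecdhe_ecdsa joins ec_keyed.
RSA_KEYED_AFTER = RSA_KEYED_BEFORE | {"ecdhe_rsa"}
EC_KEYED_AFTER = EC_KEYED_BEFORE | {"ecdhe_ecdsa"}


def key_type_for(kex, rsa_keyed, ec_keyed):
    """Return the certificate key type a suite with this key exchange needs,
    or None when the key exchange is classified as neither (the Erlang
    catch-all clause ec_keyed(_) -> false)."""
    if kex in rsa_keyed:
        return "rsa"
    if kex in ec_keyed:
        return "ec"
    return None


def usable_suites(cert_key_type, suites, rsa_keyed, ec_keyed):
    """Suites the server may offer given its certificate's key type.

    Each suite is modelled (assumption) as a (KeyExchange, Cipher, MAC)
    tuple; only the key-exchange element matters for this filter.
    """
    return [s for s in suites
            if key_type_for(s[0], rsa_keyed, ec_keyed) == cert_key_type]


# Constructed sample suite list covering every atom seen in the patch hunks.
SAMPLE_SUITES = [
    ("ecdhe_rsa", "aes_128_gcm", "aead"),
    ("ecdhe_ecdsa", "aes_128_gcm", "aead"),
    ("dhe_rsa", "aes_128_gcm", "aead"),
    ("ecdh_rsa", "aes_128_cbc", "sha256"),
    ("rsa", "aes_128_cbc", "sha"),
]

# A typical modern server configuration: ephemeral ECDHE only.
ECDHE_ONLY = [s for s in SAMPLE_SUITES if s[0].startswith("ecdhe_")]


def compare(cert_key_type, suites=SAMPLE_SUITES):
    """Key exchanges usable with this certificate key, before and after
    the patch, preserving the server's configured preference order."""
    before = usable_suites(cert_key_type, suites,
                           RSA_KEYED_BEFORE, EC_KEYED_BEFORE)
    after = usable_suites(cert_key_type, suites,
                          RSA_KEYED_AFTER, EC_KEYED_AFTER)
    return [s[0] for s in before], [s[0] for s in after]


if __name__ == "__main__":
    for key in ("rsa", "ec"):
        print(key, "certificate, full list:", compare(key))
        print(key, "certificate, ECDHE only:", compare(key, ECDHE_ONLY))
```

Running the block prints the before/after lists for both certificate key types; the ECDHE-only case with an RSA certificate is the one that goes from an empty list to a single usable suite, which is the situation a cowboy deployment with a standard RSA certificate and an ECDHE-only cipher preference would have hit.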
Re: Unknown error while using SSL/TLS

Leo Liu-2
On 2018-08-09 09:53 +0200, Ingela Andin wrote:
> Hi!
>
>
> I  believe the bug could be solved by the following patch:

Yes, it fixes the issue here. Amin, can you verify it also fixes the issue
you were seeing?

Leo

>
> diff --git a/lib/ssl/src/ssl_cipher.erl b/lib/ssl/src/ssl_cipher.erl
> index 40d974f..aa453fe 100644
> --- a/lib/ssl/src/ssl_cipher.erl
> +++ b/lib/ssl/src/ssl_cipher.erl
> @@ -2555,6 +2555,8 @@ ecdsa_signed_suites(Ciphers, Version) ->
>
>  rsa_keyed(dhe_rsa) ->
>      true;
> +rsa_keyed(ecdhe_rsa) ->
> +    true;
>  rsa_keyed(rsa) ->
>      true;
>  rsa_keyed(rsa_psk) ->
> @@ -2618,6 +2620,8 @@ ec_keyed(ecdh_ecdsa) ->
>      true;
>  ec_keyed(ecdh_rsa) ->
>      true;
> +ec_keyed(ecdhe_ecdsa) ->
> +    true;
>  ec_keyed(_) ->
>      false.
>
>
> Regards Ingela Erlang/OTP Team
Re: Unknown error while using SSL/TLS

Amin Arria
Hi, sorry for the delay.

I couldn't test the patch directly, but with the new OTP 20.3.8.5 (that has the patch) everything works fine.

Thank you Ingela and Leo!

On Thu, Aug 9, 2018 at 5:39 AM, Leo Liu <[hidden email]> wrote:
On 2018-08-09 09:53 +0200, Ingela Andin wrote:
> Hi!
>
>
> I  believe the bug could be solved by the following patch:

Yes, it fixes the issue here. Amin, can you verify it also fixes the issue
you were seeing?

Leo

>
> diff --git a/lib/ssl/src/ssl_cipher.erl b/lib/ssl/src/ssl_cipher.erl
> index 40d974f..aa453fe 100644
> --- a/lib/ssl/src/ssl_cipher.erl
> +++ b/lib/ssl/src/ssl_cipher.erl
> @@ -2555,6 +2555,8 @@ ecdsa_signed_suites(Ciphers, Version) ->
>
>  rsa_keyed(dhe_rsa) ->
>      true;
> +rsa_keyed(ecdhe_rsa) ->
> +    true;
>  rsa_keyed(rsa) ->
>      true;
>  rsa_keyed(rsa_psk) ->
> @@ -2618,6 +2620,8 @@ ec_keyed(ecdh_ecdsa) ->
>      true;
>  ec_keyed(ecdh_rsa) ->
>      true;
> +ec_keyed(ecdhe_ecdsa) ->
> +    true;
>  ec_keyed(_) ->
>      false.
>
>
> Regards Ingela Erlang/OTP Team

