|
I'm not able to connect to a server using ssl v4.0 (R14A) and up (current git)

Erlang R14B (erts-5.8.1) [source] [64-bit] [smp:2:2] [rq:2] [async-threads:0] [hipe] [kernel-poll:false]

4> ssl:connect("jabber.grid5000.fr",5223,[]).

=ERROR REPORT==== 24-Aug-2010::10:56:37 ===
SSL: hello: ./ssl_handshake.erl:830:Fatal error: handshake failure
{error,esslconnect}

but it works with old ssl:

5> ssl:connect("jabber.grid5000.fr",5223,[{ssl_imp,old}]).
{ok,{sslsocket,5,<0.57.0>}}

--
Nicolas
________________________________________________________________
erlang-bugs (at) erlang.org mailing list.
See http://www.erlang.org/faq.html
To unsubscribe; mailto:[hidden email]
|
Hi!

I am not able to test this from work due to the firewall. What does ssl:connection_info/1 return when you connect using {ssl_imp, old} ?

Regards Ingela
Erlang/OTP team - Ericsson AB

Nicolas Niclausse wrote:
> I'm not able to connect to a server using ssl v4.0 (R14A) and up (current git)
>
> Erlang R14B (erts-5.8.1) [source] [64-bit] [smp:2:2] [rq:2]
> [async-threads:0] [hipe] [kernel-poll:false]
>
> 4> ssl:connect("jabber.grid5000.fr",5223,[]).
>
> =ERROR REPORT==== 24-Aug-2010::10:56:37 ===
> SSL: hello: ./ssl_handshake.erl:830:Fatal error: handshake failure
> {error,esslconnect}
>
> but it works with old ssl:
>
> 5> ssl:connect("jabber.grid5000.fr",5223,[{ssl_imp,old}]).
> {ok,{sslsocket,5,<0.57.0>}}
|
Ingela Anderton Andin wrote on 24/08/2010 12:04:
> Hi!
>
> I am not able to test this from work due to the firewall. What does
> ssl:connection_info/1 return when you connect using
> {ssl_imp, old} ?

Hello,

{ok,{tlsv1,"EDH-RSA-DES-CBC3-SHA"}}

--
Nicolas
|
On Tue, Aug 24, 2010 at 12:37:58PM +0200, Nicolas Niclausse wrote:
> Ingela Anderton Andin wrote on 24/08/2010 12:04:
> > Hi!
> >
> > I am not able to test this from work due to the firewall. What does
> > ssl:connection_info/1 return when you connect using
> > {ssl_imp, old} ?
>
> Hello,
>
> {ok,{tlsv1,"EDH-RSA-DES-CBC3-SHA"}}

Try with the 'pu' git branch and not 'dev', there's some SSL fixes in there that helped with my problem.

Andrew
|
Andrew Thompson wrote on 24/08/2010 19:27:
> On Tue, Aug 24, 2010 at 12:37:58PM +0200, Nicolas Niclausse wrote:
>> Ingela Anderton Andin wrote on 24/08/2010 12:04:
>>> Hi!
>>>
>>> I am not able to test this from work due to the firewall. What does
>>> ssl:connection_info/1 return when you connect using
>>> {ssl_imp, old} ?
>>
>> Hello,
>>
>> {ok,{tlsv1,"EDH-RSA-DES-CBC3-SHA"}}
>
> Try with the 'pu' git branch and not 'dev', there's some SSL fixes in
> there that helped with my problem.

Thanks for the tip, but the handshake problem is still there.

--
Nicolas
|
In reply to this post by Nicolas Niclausse
Hi,

I had also the same problem. The debugger helped in my case: We have certificates with depth 4, so adding the ssl_option {depth,4} resolved the problem.

e.g. ssl:connect("my-jabber-server",5223,[{depth,4}]).

But I'm still wondering, why ssl:connect without this option works also when I connect to one of our Microsoft IIS webservers, which has also a certificate of depth 4. My jabber server is an ejabberd on erlang R13.

--
Bernhard
|
> The debugger helped in my case: We have certificates with depth 4, so adding the ssl_option {depth,4} resolved the problem.
> e.g. ssl:connect("my-jabber-server",5223,[{depth,4}]).

I did some more debugging: SSL handshakes also fail with {bad_cert,invalid_subject_altname} if the server's certificate has a Subject Alternative Name of the type othername. E.g. hermes.jabber.org has such Subject Alternative Names.

--
Bernhard
|
In reply to this post by Nicolas Niclausse
Hi!

We have located this bug and fixed it, it has to do with the fact that your server sends several handshake protocol messages in the same TLS record protocol message, which is fine and allowed but not all servers do. We had to move some of our code higher up in our model to properly handle this. We will push this to the public repository soon but due to some failing test cases it may be a couple of days.

Regards Ingela
Erlang/OTP team - Ericsson AB

Nicolas Niclausse wrote:
> I'm not able to connect to a server using ssl v4.0 (R14A) and up (current git)
>
> Erlang R14B (erts-5.8.1) [source] [64-bit] [smp:2:2] [rq:2]
> [async-threads:0] [hipe] [kernel-poll:false]
>
> 4> ssl:connect("jabber.grid5000.fr",5223,[]).
>
> =ERROR REPORT==== 24-Aug-2010::10:56:37 ===
> SSL: hello: ./ssl_handshake.erl:830:Fatal error: handshake failure
> {error,esslconnect}
>
> but it works with old ssl:
>
> 5> ssl:connect("jabber.grid5000.fr",5223,[{ssl_imp,old}]).
> {ok,{sslsocket,5,<0.57.0>}}
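
An added illustration of the condition described in the message above, where one TLS record carries several handshake messages (and a message may also straddle two records). It is not the OTP ssl application's code and not part of the original thread; the module name hs_split and its functions are hypothetical, and the sample record bytes are constructed.

```erlang
%% Added example, not OTP code. Module and function names are hypothetical.
-module(hs_split).
-export([feed/2, demo/0]).

-define(HANDSHAKE, 22).   % TLS record content type for handshake data

%% feed(Record, Buffer) -> {Messages, NewBuffer}
%% Record is one complete TLS record. Buffer holds the leading bytes of a
%% handshake message whose remainder has not arrived yet, because handshake
%% messages may be packed several to a record or split across records.
feed(<<?HANDSHAKE, _Major, _Minor, Len:16, Fragment:Len/binary>>, Buffer) ->
    split(<<Buffer/binary, Fragment/binary>>, []).

%% A handshake message is a 1-byte type, a 3-byte length, then the body.
%% Keep consuming until the remaining bytes no longer hold a whole message.
split(<<Type, Len:24, Body:Len/binary, Rest/binary>>, Acc) ->
    split(Rest, [{name(Type), Body} | Acc]);
split(Incomplete, Acc) ->
    {lists:reverse(Acc), Incomplete}.

name(2)  -> server_hello;
name(11) -> certificate;
name(12) -> server_key_exchange;
name(14) -> server_hello_done;
name(T)  -> {unknown, T}.

%% Constructed sample: message bodies are dummy bytes, not real TLS content.
demo() ->
    Hello = <<2, 3:24, "abc">>,
    Cert  = <<11, 4:24, "wxyz">>,
    %% ServerHelloDone is <<14, 0:24>>; its 4-byte header is cut in half
    %% so that it straddles the two records.
    Frag1 = <<Hello/binary, Cert/binary, 14, 0>>,
    Frag2 = <<0, 0>>,
    Rec1 = <<?HANDSHAKE, 3, 1, (byte_size(Frag1)):16, Frag1/binary>>,
    Rec2 = <<?HANDSHAKE, 3, 1, (byte_size(Frag2)):16, Frag2/binary>>,
    {Msgs1, Buf1} = feed(Rec1, <<>>),
    {Msgs2, Buf2} = feed(Rec2, Buf1),
    [{server_hello, <<"abc">>}, {certificate, <<"wxyz">>}] = Msgs1,
    <<14, 0>> = Buf1,
    [{server_hello_done, <<>>}] = Msgs2,
    <<>> = Buf2,
    ok.
```

A client that assumes one handshake message per record would stop after the first entry of Msgs1; calling hs_split:demo() from the shell checks that all three messages are recovered.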
|
In reply to this post by Lichtinger, Bernhard
Hi!

Does not really sound like the same error. Do you have any server to which we can connect to try and reproduce this?

Regards Ingela
Erlang/OTP team - Ericsson AB

Lichtinger, Bernhard wrote:
> Hi,
>
> I had also the same problem.
> The debugger helped in my case: We have certificates with depth 4, so adding the ssl_option {depth,4} resolved the problem.
> e.g. ssl:connect("my-jabber-server",5223,[{depth,4}]).
>
> But I'm still wondering, why ssl:connect without this option works also when I connect to one of our Microsoft IIS webservers, which has also a certificate of depth 4. My jabber server is an ejabberd on erlang R13.
|
In reply to this post by Ingela Anderton Andin
Ingela Anderton Andin wrote on 30/08/2010 16:16:
> Hi!
>
> We have located this bug and fixed it, it has to do with the fact that
> your server sends
> several handshake protocol messages in the same TLS record protocol
> message, which is fine
> and allowed but not all servers do. We had to move some of our code
> higher up in our model to properly
> handle this. We will push this to the public repository soon but due to
> some failing test cases it may be a couple
> of days.

OK, I'm waiting for the update then.

Thanks!

--
Nicolas
