ssl psk since 20.3 failed

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

ssl psk since 20.3 failed

obi458

This works with 20.2.2 but since 20.3(21.x) it doesn't!

Error in process <0.79.0> with exit value:
{{badmatch,{error,{tls_alert,"handshake failure"}}},
 [{client_server,init_connect,1,[{file,"client_server.erl"},{line,37}]}]}

Any hints?

-module(client_server).

%%% Purpose: Example of SSL client and server using psk.

-export([start/0, init_connect/1]).

start() ->
  %% Start ssl application
  {ok, StartedApps} = application:ensure_all_started(ssl),

  %% Let the current process be the server that listens and accepts
  %% Listen
  {ok, LSock} = ssl:listen(0, mk_opts(listen)),
  {ok, {_, LPort}} = ssl:sockname(LSock),
  io:fwrite("Listen: port = ~w.~n", [LPort]),

  %% Spawn the client process that connects to the server
  spawn(?MODULE, init_connect, [LPort]),

  %% Accept
  {ok, ASock} = ssl:transport_accept(LSock),
  ok = ssl:ssl_accept(ASock),
  io:fwrite("Accept: accepted.~n"),
  ssl:send(ASock, "hello"),
  {error, closed} = ssl:recv(ASock, 0),
  io:fwrite("Accept: detected closed.~n"),
  ssl:close(ASock),
  io:fwrite("Listen: closing and terminating.~n"),
  ssl:close(LSock),

  lists:foreach(fun application:stop/1, lists:reverse(StartedApps)).


%% Client connect
init_connect(LPort) ->
  {ok, Host} = inet:gethostname(),
  {ok, CSock} = ssl:connect(Host, LPort, mk_opts(connect)),
  io:fwrite("Connect: connected.~n"),
  {ok, Data} = ssl:recv(CSock, 0),
  io:fwrite("Connect: got data: ~p~n", [Data]),
  io:fwrite("Connect: closing and terminating.~n"),
  ssl:close(CSock).

mk_opts(listen) ->
  mk_opts("server");
mk_opts(connect) ->
  mk_opts("client");
mk_opts(Role) ->
  [{active, false},
    {psk_identity,Role},
    {user_lookup_fun,{fun lookup/3,list_to_binary(Role)}},
    {versions,['tlsv1.2']},
    {ciphers, [{dhe_psk,aes_256_gcm,null,sha384}
    ]}
  ].

lookup(psk,_,_) -> {ok,<<"psk">>}.

-- 
Grüße
Oliver Bollmann

_______________________________________________
erlang-questions mailing list
[hidden email]
http://erlang.org/mailman/listinfo/erlang-questions
Reply | Threaded
Open this post in threaded view
|

Re: ssl psk since 20.3 failed

Ingela Andin


Humm ... I believe  the this was broken by PR-1729, the solution feels familiar. I hope that the following patch covers all the cases. 

diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
index 63996f5..4fbf463 100644
--- a/lib/ssl/src/ssl_handshake.erl
+++ b/lib/ssl/src/ssl_handshake.erl
@@ -1056,7 +1056,10 @@ select_curve(undefined, _, _) ->
 select_hashsign(_, _, KeyExAlgo, _, _Version) when KeyExAlgo == dh_anon;
                                                    KeyExAlgo == ecdh_anon;
                                                    KeyExAlgo == srp_anon;
-                                                   KeyExAlgo == psk ->
+                                                   KeyExAlgo == psk;
+                                                   KeyExAlgo == dhe_psk;
+                                                   KeyExAlgo == ecdhe_psk;
+                                                   KeyExAlgo == rsa_psk ->
     {null, anon};
 %% The signature_algorithms extension was introduced with TLS 1.2. Ignore it if we have
 %% negotiated a lower version.


Regards Ingela Erlang/OTP team - Ericsson AB




Den ons 5 sep. 2018 kl 23:00 skrev Oliver Bollmann <[hidden email]>:

This works with 20.2.2 but since 20.3(21.x) it doesn't!

Error in process <0.79.0> with exit value:
{{badmatch,{error,{tls_alert,"handshake failure"}}},
 [{client_server,init_connect,1,[{file,"client_server.erl"},{line,37}]}]}

Any hints?

-module(client_server).

%%% Purpose: Example of SSL client and server using psk.

-export([start/0, init_connect/1]).

start() ->
  %% Start ssl application
  {ok, StartedApps} = application:ensure_all_started(ssl),

  %% Let the current process be the server that listens and accepts
  %% Listen
  {ok, LSock} = ssl:listen(0, mk_opts(listen)),
  {ok, {_, LPort}} = ssl:sockname(LSock),
  io:fwrite("Listen: port = ~w.~n", [LPort]),

  %% Spawn the client process that connects to the server
  spawn(?MODULE, init_connect, [LPort]),

  %% Accept
  {ok, ASock} = ssl:transport_accept(LSock),
  ok = ssl:ssl_accept(ASock),
  io:fwrite("Accept: accepted.~n"),
  ssl:send(ASock, "hello"),
  {error, closed} = ssl:recv(ASock, 0),
  io:fwrite("Accept: detected closed.~n"),
  ssl:close(ASock),
  io:fwrite("Listen: closing and terminating.~n"),
  ssl:close(LSock),

  lists:foreach(fun application:stop/1, lists:reverse(StartedApps)).


%% Client connect
init_connect(LPort) ->
  {ok, Host} = inet:gethostname(),
  {ok, CSock} = ssl:connect(Host, LPort, mk_opts(connect)),
  io:fwrite("Connect: connected.~n"),
  {ok, Data} = ssl:recv(CSock, 0),
  io:fwrite("Connect: got data: ~p~n", [Data]),
  io:fwrite("Connect: closing and terminating.~n"),
  ssl:close(CSock).

mk_opts(listen) ->
  mk_opts("server");
mk_opts(connect) ->
  mk_opts("client");
mk_opts(Role) ->
  [{active, false},
    {psk_identity,Role},
    {user_lookup_fun,{fun lookup/3,list_to_binary(Role)}},
    {versions,['tlsv1.2']},
    {ciphers, [{dhe_psk,aes_256_gcm,null,sha384}
    ]}
  ].

lookup(psk,_,_) -> {ok,<<"psk">>}.

-- 
Grüße
Oliver Bollmann
_______________________________________________
erlang-questions mailing list
[hidden email]
http://erlang.org/mailman/listinfo/erlang-questions

_______________________________________________
erlang-questions mailing list
[hidden email]
http://erlang.org/mailman/listinfo/erlang-questions
Reply | Threaded
Open this post in threaded view
|

Re: ssl psk since 20.3 failed

Ingela Andin
No problem :) I will include it in OTP-21.1 except rsa_psk uses certs so I removed the last one again.
Have also tweaked the test cases so that this is test correctly.

Regards Ingela Erlang/OTP team - Ericsson AB

Den tors 6 sep. 2018 kl 15:41 skrev Ingela Andin <[hidden email]>:


Humm ... I believe  the this was broken by PR-1729, the solution feels familiar. I hope that the following patch covers all the cases. 

diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
index 63996f5..4fbf463 100644
--- a/lib/ssl/src/ssl_handshake.erl
+++ b/lib/ssl/src/ssl_handshake.erl
@@ -1056,7 +1056,10 @@ select_curve(undefined, _, _) ->
 select_hashsign(_, _, KeyExAlgo, _, _Version) when KeyExAlgo == dh_anon;
                                                    KeyExAlgo == ecdh_anon;
                                                    KeyExAlgo == srp_anon;
-                                                   KeyExAlgo == psk ->
+                                                   KeyExAlgo == psk;
+                                                   KeyExAlgo == dhe_psk;
+                                                   KeyExAlgo == ecdhe_psk;
+                                                   KeyExAlgo == rsa_psk ->
     {null, anon};
 %% The signature_algorithms extension was introduced with TLS 1.2. Ignore it if we have
 %% negotiated a lower version.


Regards Ingela Erlang/OTP team - Ericsson AB




Den ons 5 sep. 2018 kl 23:00 skrev Oliver Bollmann <[hidden email]>:

This works with 20.2.2 but since 20.3(21.x) it doesn't!

Error in process <0.79.0> with exit value:
{{badmatch,{error,{tls_alert,"handshake failure"}}},
 [{client_server,init_connect,1,[{file,"client_server.erl"},{line,37}]}]}

Any hints?

-module(client_server).

%%% Purpose: Example of SSL client and server using psk.

-export([start/0, init_connect/1]).

start() ->
  %% Start ssl application
  {ok, StartedApps} = application:ensure_all_started(ssl),

  %% Let the current process be the server that listens and accepts
  %% Listen
  {ok, LSock} = ssl:listen(0, mk_opts(listen)),
  {ok, {_, LPort}} = ssl:sockname(LSock),
  io:fwrite("Listen: port = ~w.~n", [LPort]),

  %% Spawn the client process that connects to the server
  spawn(?MODULE, init_connect, [LPort]),

  %% Accept
  {ok, ASock} = ssl:transport_accept(LSock),
  ok = ssl:ssl_accept(ASock),
  io:fwrite("Accept: accepted.~n"),
  ssl:send(ASock, "hello"),
  {error, closed} = ssl:recv(ASock, 0),
  io:fwrite("Accept: detected closed.~n"),
  ssl:close(ASock),
  io:fwrite("Listen: closing and terminating.~n"),
  ssl:close(LSock),

  lists:foreach(fun application:stop/1, lists:reverse(StartedApps)).


%% Client connect
init_connect(LPort) ->
  {ok, Host} = inet:gethostname(),
  {ok, CSock} = ssl:connect(Host, LPort, mk_opts(connect)),
  io:fwrite("Connect: connected.~n"),
  {ok, Data} = ssl:recv(CSock, 0),
  io:fwrite("Connect: got data: ~p~n", [Data]),
  io:fwrite("Connect: closing and terminating.~n"),
  ssl:close(CSock).

mk_opts(listen) ->
  mk_opts("server");
mk_opts(connect) ->
  mk_opts("client");
mk_opts(Role) ->
  [{active, false},
    {psk_identity,Role},
    {user_lookup_fun,{fun lookup/3,list_to_binary(Role)}},
    {versions,['tlsv1.2']},
    {ciphers, [{dhe_psk,aes_256_gcm,null,sha384}
    ]}
  ].

lookup(psk,_,_) -> {ok,<<"psk">>}.

-- 
Grüße
Oliver Bollmann
_______________________________________________
erlang-questions mailing list
[hidden email]
http://erlang.org/mailman/listinfo/erlang-questions

_______________________________________________
erlang-questions mailing list
[hidden email]
http://erlang.org/mailman/listinfo/erlang-questions