handshake failure - malformed_handshake_data on Erlang 19.1, Mac OS Sierra, Homebrew Openssl #362

Closed
fp opened this issue Nov 10, 2016 · 15 comments

@fp

fp commented Nov 10, 2016

The explicit specification of the cipher list in hackney_ssl.erl causes a TLS handshake error with the AWS S3 endpoint:

8> Url = <<"https://s3-us-west-2.amazonaws.com/...">>,
9> hackney:get(Url, Headers, [] ).                     
Nov 10 10:17:40 CSV00002W SSL: certify: tls_connection.erl:688:Fatal error: handshake failure - malformed_handshake_data {error,{tls_alert,"handshake failure"}}

which ultimately comes down to the following in hackney_ssl:

10> f(BO), BO = [binary, {active, false}, {packet, raw}, {versions,['tlsv1.2', 'tlsv1.1', tlsv1, sslv3]},{secure_renegotiate, true},{reuse_sessions, true},{honor_cipher_order, true},{ciphers,DC}], ssl:connect( "s3-us-west-2.amazonaws.com", 443, BO ).

=ERROR REPORT==== 10-Nov-2016::10:30:04 ===
SSL: certify: tls_connection.erl:688:Fatal error: handshake failure - malformed_handshake_data
{error,{tls_alert,"handshake failure"}}

but if we remove explicitly setting the {ciphers, ?DEFAULT_CIPHERS} option:

11> f(BO), BO = [binary, {active, false}, {packet, raw}, {versions,['tlsv1.2', 'tlsv1.1', tlsv1, sslv3]},{secure_renegotiate, true},{reuse_sessions, true},{honor_cipher_order, true}], ssl:connect( "s3-us-west-2.amazonaws.com", 443, BO ).
{ok,{sslsocket,{gen_tcp,#Port<0.12682>,tls_connection,
                        undefined},
               <0.372.0>}}

This occurs on macOS Sierra with the latest Homebrew OpenSSL, but it seems like it would not be limited to just this platform, although I have not had time to validate that yet.

@fp
Author

fp commented Nov 10, 2016

This appears to be related to Erlang being compiled with -DOPENSSL_NO_EC=1:

12> ssl:cipher_suites().
[{dhe_rsa,aes_256_gcm,null,sha384},
 {dhe_dss,aes_256_gcm,null,sha384},
 {dhe_rsa,aes_256_cbc,sha256},
 {dhe_dss,aes_256_cbc,sha256},
 {rsa,aes_256_gcm,null,sha384},
 {rsa,aes_256_cbc,sha256},
 {dhe_rsa,aes_128_gcm,null,sha256},
 {dhe_dss,aes_128_gcm,null,sha256},
 {dhe_rsa,aes_128_cbc,sha256},
 {dhe_dss,aes_128_cbc,sha256},
 {rsa,aes_128_gcm,null,sha256},
 {rsa,aes_128_cbc,sha256},
 {dhe_rsa,aes_256_cbc,sha},
 {dhe_dss,aes_256_cbc,sha},
 {rsa,aes_256_cbc,sha},
 {dhe_rsa,'3des_ede_cbc',sha},
 {dhe_dss,'3des_ede_cbc',sha},
 {rsa,'3des_ede_cbc',sha},
 {dhe_rsa,aes_128_cbc,sha},
 {dhe_dss,aes_128_cbc,sha},
 {rsa,aes_128_cbc,sha}]

and if I explicitly take out all of the EC ciphers from the explicit list, then it works:

13> DCnoEC = ["DHE-DSS-AES256-GCM-SHA384","DHE-DSS-AES256-SHA256",
13>  "AES256-GCM-SHA384","AES256-SHA256",
13>  "DHE-DSS-AES128-GCM-SHA256","DHE-DSS-AES128-SHA256",
13>  "AES128-GCM-SHA256","AES128-SHA256",
13>  "DHE-DSS-AES256-SHA","AES256-SHA","DHE-DSS-AES128-SHA","AES128-SHA"].
["DHE-DSS-AES256-GCM-SHA384","DHE-DSS-AES256-SHA256",
 "AES256-GCM-SHA384","AES256-SHA256",
 "DHE-DSS-AES128-GCM-SHA256","DHE-DSS-AES128-SHA256",
 "AES128-GCM-SHA256","AES128-SHA256","DHE-DSS-AES256-SHA",
 "AES256-SHA","DHE-DSS-AES128-SHA","AES128-SHA"]
14> f(BO), BO = [binary, {active, false}, {packet, raw}, {versions,['tlsv1.2', 'tlsv1.1', tlsv1, sslv3]},{secure_renegotiate, true},{reuse_sessions, true},{honor_cipher_order, true},{ciphers,DCnoEC}], ssl:connect( "s3-us-west-2.amazonaws.com", 443, BO ).
{ok,{sslsocket,{gen_tcp,#Port<0.12683>,tls_connection,
                        undefined},
               <0.381.0>}}

@benoitc benoitc added the bug label Nov 10, 2016
@benoitc
Owner

benoitc commented Nov 10, 2016

mmm so I probably need to check if these ciphers are available first. Thanks for the info. Patch is coming :)
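The two comments above describe the same fix from both sides: the reporter shows that the handshake succeeds once the ECDHE suites (which an Erlang built against an EC-less OpenSSL, -DOPENSSL_NO_EC=1, cannot provide) are dropped from the explicit list, and the maintainer says the library should check which ciphers are available before pinning them. The module below is an added example of that check, written for this thread and not hackney's own code. It assumes the OTP 19 API used in the transcripts: ssl:cipher_suites(openssl) returns OpenSSL-style suite names as strings, and crypto:ec_curves/0 (OTP 17+) is empty when the runtime has no EC support; later OTP releases deprecate ssl:cipher_suites/1 in favour of ssl:cipher_suites/2. The WANTED list, the module name and connect/3 are this example's own choices. Note that sslv3 is deliberately left out of the versions list, unlike the transcripts above.

```erlang
%% cipher_filter.erl: added example, not hackney's code.
%% Pin a preferred cipher order, but only offer the suites this runtime can
%% actually negotiate, so an EC-less OpenSSL build does not break the handshake.
-module(cipher_filter).
-export([supported_ciphers/1, ec_supported/0, connect/3]).

%% Preferred suites in OpenSSL naming, strongest first (example list, assumption).
%% The ECDHE entries are the ones an EC-less build cannot use.
-define(WANTED, ["ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
                 "DHE-RSA-AES256-GCM-SHA384",     "DHE-DSS-AES256-GCM-SHA384",
                 "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
                 "DHE-RSA-AES128-GCM-SHA256",     "DHE-DSS-AES128-GCM-SHA256",
                 "AES256-GCM-SHA384", "AES128-GCM-SHA256",
                 "AES256-SHA", "AES128-SHA"]).

%% True when the crypto application knows at least one elliptic curve, i.e. the
%% OpenSSL it was linked against was built with EC support (crypto:ec_curves/0).
ec_supported() ->
    crypto:ec_curves() =/= [].

%% Intersect the wanted list with what this runtime's ssl application implements,
%% keeping the preferred order so {honor_cipher_order, true} still means something.
%% ssl:cipher_suites(openssl) returns OpenSSL-style strings in OTP 19.
supported_ciphers(Wanted) ->
    Available = ssl:cipher_suites(openssl),
    [C || C <- Wanted, lists:member(C, Available)].

%% Connect offering only negotiable suites. Refuse outright rather than fall
%% through to the ssl defaults when nothing from the preferred list is available.
connect(Host, Port, Timeout) ->
    case supported_ciphers(?WANTED) of
        [] ->
            {error, no_supported_ciphers};
        Ciphers ->
            Opts = [binary, {active, false}, {packet, raw},
                    {versions, ['tlsv1.2', 'tlsv1.1', tlsv1]},
                    {secure_renegotiate, true},
                    {reuse_sessions, true},
                    {honor_cipher_order, true},
                    {ciphers, Ciphers}],
            ssl:connect(Host, Port, Opts, Timeout)
    end.
```

Usage from the shell after ssl:start(): cipher_filter:ec_supported() tells you whether the runtime is the EC-less case in this thread, and cipher_filter:connect("s3-us-west-2.amazonaws.com", 443, 5000) offers only the suites ssl:cipher_suites(openssl) reports. Filtering keeps the client working, but on an EC-less build it silently loses ECDHE and falls back to DHE/RSA suites; the proper remedy is to build Erlang against an OpenSSL with EC support rather than an old system library, and to log the filtered list so the downgrade is visible.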

@dustinsmith1024

I think I am having a similar issue. I started a new project and it was using 1.6.3. I rolled it back to 1.6.1 and things seem to work now.

@benoitc
Owner

benoitc commented Nov 19, 2016

It seems we are too strict for some servers. Will go for a less strict mode asap.

@dustinsmith1024

Had any luck with the patch? Anything we can do to help?

@michalmuskala

Any updates on this? It generally makes the 1.6.2 and 1.6.3 versions unusable.

@benoitc benoitc self-assigned this Dec 22, 2016
@benoitc
Owner

benoitc commented Dec 22, 2016

I don't reproduce it on macOS Sierra with the latest OpenSSL from Homebrew, but a fix is coming.

@michalmuskala

Thank you.

hirocaster added a commit to hirocaster/surge that referenced this issue Jan 11, 2017
- httpoison depends on hackney 1.6.3
- hackney 1.6.3 has bugs.
- benoitc/hackney#362
@gVolop

gVolop commented Feb 26, 2017

any updates?

Using hackney 1.6.6 but still receive the same error:
[error] SSL: :certify: tls_connection.erl:704:Fatal error: handshake failure - malformed_handshake_data

     {:hackney, "1.6.6", override: true},

macOS Sierra
OpenSSL 0.9.8zh 14 Jan 2016
Erlang/OTP 19
Elixir 1.4.2

@benoitc
Owner

benoitc commented Feb 26, 2017 via email

@gVolop

gVolop commented Feb 26, 2017

I'm using it: 1.6.6 (tagged 2 hours ago..)
https://github.com/benoitc/hackney/releases/tag/1.6.6

@gVolop

gVolop commented Feb 26, 2017

      {:httpoison, "~> 0.11.0"},
      {:hackney, "1.6.6", override: true},

----> [error] SSL: :certify: tls_connection.erl:704:Fatal error: handshake failure - malformed_handshake_data


      {:httpoison, "~> 0.11.0"},
      {:hackney, "1.6.1", override: true},

-----> all fine

@benoitc
Owner

benoitc commented Feb 26, 2017

@gVolop did you change the version of Erlang? Which version of openssl is installed on your system?

So far I need a way to reproduce this issue. The only change in the current version is that hackney is now more strict and uses the latest certificates from the Mozilla project. Is this a public server? Is there any link I can test? If not, what is the SSL configuration of your server?

Also can you enable the tracing in hackney and provide me a full trace?

@benoitc
Owner

benoitc commented Feb 26, 2017

@gVolop also this ticket is closed. It may not be the same issue. I would appreciate a new ticket with all the info above if you can; that would help a lot :)

@gVolop

gVolop commented Feb 26, 2017

@benoitc here is the new ticket
Hope all is there. If you need additional details I would be happy to help. =)
