Original reporter: voltone
Affected versions: OTP-21.1, OTP-21.2
Fixed in version: OTP-21.2.1
Component: ssl
Migrated from: https://bugs.erlang.org/browse/ERL-803
Originally reported by Nico Caille on ElixirForum:
https://elixirforum.com/t/hackney-and-client-certificates-error-closed/18723
Since OTP 21.1, if an Erlang client has previously sent data to a server and subsequently responds to a HelloRequest from the server with a renegotiation ClientHello, that message is malformed, causing the connection to fail. Note that this scenario is not covered by the ssl test suite (it tests renegotiation without prior data exchange).
It was originally reported with Hackney in combination with a Microsoft IIS server, which parses the client's HTTP request before deciding it wants to ask for a client certificate. IIS does not send an alert, but closes the TCP connection.
The issue can be reduced to a minimal case with 'ssl:connect' to 'openssl s_server', sending some data from the client and then triggering renegotiation on the server. This results in a bad_record_mac fatal alert.
In OTP 21.0.9 and earlier releases, the same scenario succeeds, so I suspect the issue was introduced in https://github.com/erlang/otp/commit/d87ac1c55188f5ba5cdf72384125d94d42118c18
I created a crude test case that reproduces the issue. A diff for the test suite (against master) and the test output are attached.
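The reduced scenario described in the report (the client sends data, then the server triggers renegotiation), written as a standalone Erlang check. This is an added example, not the reporter's attached test-suite diff or OTP code. The module name, function names and certificate paths are assumptions, and it substitutes an Erlang server calling `ssl:renegotiate/1` for `openssl s_server`.

```erlang
%% Added example; not code from the issue or from OTP's ssl test suite.
-module(reneg_after_data).
-export([run/2]).

%% CertFile and KeyFile are PEM paths to a throwaway test certificate (assumption).
run(CertFile, KeyFile) ->
    {ok, _} = application:ensure_all_started(ssl),
    Tls12 = {versions, ['tlsv1.2']},          % renegotiation does not exist in TLS 1.3
    {ok, Listen} = ssl:listen(0, [binary, {active, false}, {reuseaddr, true}, Tls12,
                                  {certfile, CertFile}, {keyfile, KeyFile}]),
    {ok, {_Addr, Port}} = ssl:sockname(Listen),
    Parent = self(),
    Server = spawn(fun() -> server(Listen, Parent) end),
    {ok, Client} = ssl:connect("localhost", Port,
                               [binary, {active, true}, {verify, verify_none}, Tls12]),
    ok = ssl:send(Client, <<"before">>),      % data exchanged before the HelloRequest
    Result = receive
                 {Server, renegotiated} -> after_renegotiation(Client, Server);
                 {Server, {renegotiate_failed, Reason}} -> {error, Reason};
                 {ssl_closed, Client} -> {error, closed};
                 {ssl_error, Client, Reason} -> {error, Reason}
             after 10000 -> {error, timeout}
             end,
    ssl:close(Client),
    ssl:close(Listen),
    Result.

%% Checks that application data still flows once the new handshake has finished.
after_renegotiation(Client, Server) ->
    ok = ssl:send(Client, <<"after">>),
    receive
        {Server, {received, <<"after">>}} -> ok;
        {Server, Other} -> {error, Other}
    after 10000 -> {error, timeout}
    end.

server(Listen, Parent) ->
    {ok, Hs} = ssl:transport_accept(Listen),
    {ok, S} = ssl:handshake(Hs),
    {ok, <<"before">>} = ssl:recv(S, 6, 5000),
    case ssl:renegotiate(S) of                % server role: asks the client to renegotiate
        ok ->
            Parent ! {self(), renegotiated},
            Parent ! {self(), {received, element(2, ssl:recv(S, 5, 5000))}};
        {error, Reason} ->
            Parent ! {self(), {renegotiate_failed, Reason}}
    end.
```

`reneg_after_data:run(CertPem, KeyPem)` returns `ok` when data flows both before and after the renegotiation, and an `{error, _}` tuple when the renegotiation or the following exchange fails.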
Thank you for the test case, I have confirmed that it fails. I agree with you that the sender process commit is a suspect. It is needed to avoid a deadlock but alas it makes renegotiation harder to get correct. We will investigate.