-
Notifications
You must be signed in to change notification settings - Fork 2.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
TLS handshake error with Java client on Erlang 24.1 #5255
Comments
It is the Java client that fails the connection. One thing that was added in 24.1 was support for RSA-PSS-PSS signatures and signature_algorithms_cert in TLS-1.2. The java client advertises support for it but it would not have been negotiated in TLS-1.2 pre 24.1. So there seems to be some interop problem. I guess your erlang server is running with TLS-1.3 support as we do not enable these algorithms in a "TLS-1.2 server" by default yet. I have not had time to dig deeper yet. |
If I set the Java client to use TLS 1.3, the handshake succeeds and if I let the Java client to TLS 1.2 and set |
Absolutely it should work out of the box. Question is why java client announces it supports the RSA-PSS-PSS algorithms for TLS-1.2 when it then does not seem to support it. We would not try to use them if the client does note claim to support them. It is a TLS-1.3 requirement that you should be able to support these algorithms for TLS-1.2 also if you have TLS-1.3 server. |
I'm not familiar enough with the Java TLS implementation to answer. All I know is that I tried with the latest version of each current LTS release (8.0.302, 11.0.12, and 17.0.0) and they all fail. |
I can reproduce, and I will also try some things out with the latest OpenSSL too. It can be some mismatch in how to negotiate these algorithms for this combination and possible errors could be both in the Java client (which I know very little about) and on our side. |
I have found a weakness in our test cases for these algorithm combinations, and fixed atleast part of the problem. I am still working on more interop tests. Will make a PR later. |
Closes erlang#5255 Due to test case allowing fallback algorithms PSS algorithms where not properly selected all the way in TLS-1.2 and some algorithm handling code was missing.
…1.2/GH-5255/OTP-17688 Ingela/ssl/interop pss tls 1.2/gh 5255/otp 17688
I'm still getting the same failure with the fix and the example above. Have you tried as well? |
I get no TLS alert and java log ends with:
|
What java version do you have? I have OpenJDK 11.0.11 |
I tried on Java 8, 11, and 17. I'll recompile from master and give it a try again. |
Still no luck, I compiled with kerl:
And I re-ran my example above and I get the same error. |
Humm this is strange but maybe it was me having the wrong erlang in my path or something, now it fails again :( Although I am pretty sure I did fix a bug I still had some other issues with OpenSSL that I meant to address later as the java client seemed to work. |
I think there could be another bug in the certificate_request message, will look into it more tomorrow. |
So this turned out to be really interesting. I found out why the Java client was creating an illegal parameter. It was an oversight of a completely different fix from the PSS support. After fixing that I got another alert and I found a few more places to fix conversions to handle TLS-1.2 vs TLS-1.3. But none of these symptoms matched the OpenSSL issues that were that some tests made OpenSSL return internal error alert. However, after fixing the issues I found with the Java client the OpenSSL test started to work. You can try the updated branch ingela/ssl/interop-PSS-TLS-1.2/GH-5255/OTP-17688 that I pushed to my github-repo. It should contain 4 more commits that was not in the PR. |
I tried the branch with the 4 commits and it's working now. I tested with Java 8, 11, and 17. Good job, thanks for the follow-up! |
…maint * ingela/ssl/interop-PSS-TLS-1.2/GH-5255/OTP-17688: ssl: Add guard for possible future algorithms not beeing handled as legacy ssl: Add OpenSSL interop tests ssl: Fix filter and conversions of singnature algorithms schemes for TLS-1.2 ssl: Fix Authority to not become empty in pre TLS-1.3 CertificateRequest
No problem, it is fascinating how sometimes two wrongs can make one right when you test your own client against your own server, I have merged the new commits to maint and master. I also have included the fix for the next maint-24 patch. |
…maint-24 * ingela/ssl/interop-PSS-TLS-1.2/GH-5255/OTP-17688: ssl: Add guard for possible future algorithms not beeing handled as legacy ssl: Add OpenSSL interop tests ssl: Fix filter and conversions of singnature algorithms schemes for TLS-1.2 ssl: Fix Authority to not become empty in pre TLS-1.3 CertificateRequest ssl: Fix algorithm typo ssl: Move ssl application exports up ssl: Fix TLS-1.2 RSASSA-PSS negotiation
The handshake between our Erlang server and Java client in our test suites started to fail when we upgraded to Erlang 24.1.
This can be reproduced with the following program steps:
In another terminal:
Here is the Erlang server output:
Here is the Java client output:
Attached is the crash dump.
erl_crash.zip
The text was updated successfully, but these errors were encountered: