-
Notifications
You must be signed in to change notification settings - Fork 2.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
TLS handshake failure when ciphers and versions are returned from sni_fun. #5985
Comments
I have reproduced the reported behaviour and will look into it next week |
If upgrading a TCP socket to a TLS socket and in the same time changing the supported protocol version in the sni_fun callback, so that it does not match the default, care must be applied to make sure correct decoding of hello information is used. Closes erlang#5985
Please try my PR. |
By the way, you would get the same set of ciphers as in your example doing only Ciphers = ssl:filter_cipher_suites(ssl:cipher_suites(all ,HighestVersion), []). All is an inclusive option (there is also the possibility to do an exclusive listing). |
…ions-opt/GH-5985/OTP-18100 ssl: Handle protocol version change in sni_fun
Thank you @IngelaAndin . Can this be included in a 24.x release as well? |
I already prepared it to be piggybacked on the next OTP-24 patch, that is it will be included the next time an OTP-24 patch is made but it will not be the reason for making the patch. |
…into maint-24 * ingela/ssl/sni-fun-new-versions-opt/GH-5985/OTP-18100: ssl: Handle protocol version change in sni_fun
…into maint-25 * ingela/ssl/sni-fun-new-versions-opt/GH-5985/OTP-18100: ssl: Handle protocol version change in sni_fun
Describe the bug
Specifying the
ciphers
andversions
SSL options forssl:handshake/2
succeeds. Returning the same exact options from thesni_fun
, fails.To Reproduce
Build and run the following code and observe the output. With the first
ssl:handshake(...)
line included and the second one commented out, theopenssl
command will succeed.Now comment out the first
ssl:handshake(...)
line and include the second one instead. Observe in theopenssl
command output how the handshake now fails and no cipher will be indicated as selected for the SSL-Session:The error message from
openssl
is:Expected behavior
It should not make a difference whether the
ciphers
andversions
are specifying directly tossl:handshake/2
or returned from thesni_fun
option. The SSL handshake should succeed in both cases.Affected versions
Erlang/OTP 24 [erts-12.3.2] [source] [64-bit] [smp:4:4] [ds:4:4:10] [async-threads:1] [jit] [dtrace]
Additional context
It seems that
ciphers
option can be returned from thesni_fun
as long as theversions
options is given at the top level directly tossl:handshake/2
. That configuration works.Also, specifying
{versions, ['tlsv1.2']}
at the top level and returning{versions, ['tlsv1.2', 'tlsv1.1', tlsv1]}
from thesni_fun
and enforcingopenssl
to use'tlsv1.1'
, will also fail - meaning that the versions returned fromsni_fun
will not override the options given at the top level. See correspondingssl:handshake(...)
line andopenssl
command below:Going in the opposite direction and providing all supported TLS versions at the top level and reducing them in the
sni_fun
appears to work.The text was updated successfully, but these errors were encountered: