TLS 1.2 handshake fails #7493
Comments
Well, this is a somewhat intricate error case that I think we could handle better. In TLS-1.2 it is possible to configure the server to use so-called anonymous cipher suites (which is not supported by default and considered a testing/debug feature) and in this case it is possible to have a server that is not configured with a certificate and key. In any normal usage of TLS it is not a valid configuration to run a server without a certificate and key. We will look into improving the error handling. I guess what you want to do is to provide your server with a certificate and key, they are needed even if the client ignores to verify the server's certificate chain! |
Thank you for the quick reply. Still, I can't make it work. Am I doing something wrong?
The output is:
|
You are still missing the cert option specifying the server's own cert. |
I did something like:
and now it works. Thank you so much! It wasn't obvious) Shall I close the issue? |
BTW, what is the correct behavior? Just validate that all the options are passed to |
The options handling has been reworked quite a lot. There are quite many options to SSL/TLS and there is quite a lot of legacy and unfortunate option dependencies to handle, so although this is not a bug, I will mark it as an enhancement and we will improve the error handling for a future release. |
Awesome! |
…/OTP-18887 ssl: Error server options when no certs
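A pre-flight check for the situation discussed in this thread, as an added example that is not part of the original issue or of OTP's own option handling: it rejects a server option list that names no certificate before the list reaches :ssl.listen/2. The module name ServerTlsOpts, its functions, the error atoms and the file names are assumptions made for illustration; anonymous cipher suites, the one case where a certificate-less server is intended, are not handled.

```elixir
defmodule ServerTlsOpts do
  # Hypothetical helper, not part of OTP: checks the option list before it
  # reaches :ssl.listen/2, so a missing certificate fails at startup
  # instead of as a handshake_failure alert on the first client connection.

  def check(opts) when is_list(opts) do
    cond do
      # OTP 25+: list of maps, each with its own certificate and key
      non_empty_list?(opts, :certs_keys) -> :ok
      # keyfile defaults to certfile, so a PEM holding both is enough
      has?(opts, :certfile) -> :ok
      # a DER certificate passed inline needs its key passed as well
      has?(opts, :cert) and (has?(opts, :key) or has?(opts, :keyfile)) -> :ok
      has?(opts, :cert) -> {:error, :missing_key}
      true -> {:error, :missing_cert}
    end
  end

  # Only opens the listen socket when the check passes.
  def listen(port, opts) do
    with :ok <- check(opts), do: :ssl.listen(port, opts)
  end

  # List.keyfind/3 tolerates bare atoms such as :binary in the option list
  defp has?(opts, key), do: List.keyfind(opts, key, 0) != nil

  defp non_empty_list?(opts, key) do
    case List.keyfind(opts, key, 0) do
      {^key, [_ | _]} -> true
      _ -> false
    end
  end
end

# Constructed option lists; the file names are placeholders.
no_cert = [:binary, versions: [:"tlsv1.2"], verify: :verify_none]
key_only = [:binary, versions: [:"tlsv1.2"], keyfile: "server.key"]
complete = [:binary, versions: [:"tlsv1.2"], certfile: "server.pem", keyfile: "server.key"]

for opts <- [no_cert, key_only, complete] do
  IO.inspect(ServerTlsOpts.check(opts))
end
```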
Describe the bug
Connecting to SSL socket using TLS 1.2 returns an error:
{:error, {:tls_alert, {:handshake_failure, ~c"TLS server: In state hello at tls_handshake.erl:269 generated SERVER ALERT: Fatal - Handshake Failure\n malformed_handshake_data"}}}
Doing ssl.versions reports both TLS 1.2 and 1.3 are supported:
SSL version [ssl_app: ~c"11.0.2", supported: [:"tlsv1.3", :"tlsv1.2"], supported_dtls: [:"dtlsv1.2"], available: [:"tlsv1.3", :"tlsv1.2", :"tlsv1.1", :tlsv1], available_dtls: [:"dtlsv1.2", :dtlsv1], implemented: [:"tlsv1.3", :"tlsv1.2", :"tlsv1.1", :tlsv1], implemented_dtls: [:"dtlsv1.2", :dtlsv1]]
To Reproduce
Expected behavior
A normal SSL handshake would occur, without crashing the Erlang process and terminating the connection.
Affected versions
Additional context