-
Notifications
You must be signed in to change notification settings - Fork 2.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
TLS/ASN1 crash connecting to some sites #8058
Comments
i think the following hosts might have the same issue, all on port 1965:
On earlier erlangs (OTP 22) there is a more informative "certificate unknown" message rather than the disconcerting crash |
This certificate looks very strange indeed and does break the ASN-1 specification. We can inspect it by doing a less complete decode:
For easier understanding:
These are all given the same value which is <<19,1,63>> (just giving all these attributes the same value is strange). Using one of the other fields to decode it shows that the value will be as follows: CountryName is specified as:
Actually country code might have been a better name, so it should have values as "US", "SE", "GB" etc For better or worse many TLS implementations do not seem to have ASN-1 handling that check all constraints. We do allow the exception "USA" when decoding even if we do not allow people to create such certs using our code. I do agree with you that error handling in OTP-22.3 for this particular case is better than in OTP-26, this I think must be an unfortunate result of some refactor or other change and we will look into improving that. We are not found of making workarounds for such obvious breakages of the specification but it it is common enough we could consider including it in the exception as one character instead of two is not really a problematic in other aspects. |
Ah Ok. I'll have a closer look into whether the error can be detected/prevented/worked around/mitigated, and get back to you with its seriousness in a few days. Thanks very much for the explanation. |
…H-8058/OTP-18969 Handle asn1 decode errors
Describe the bug
The
ssl
application crashes when I connect to certain hosts, apparently citing a problem decoding part of the server certificate.To Reproduce
There are a few hosts other than
gem.billsmugs.com:1965
that do this; the vast generality of Gemini servers don't exhibit this behaviour. The error always occurs when connecting to these sites. I get:Other TLS clients, i.e., applications built on languages other than Erlang, don't seem to have a problem talking TLS to this endpoint.
Expected behavior
I'd expect something more like this:
but if there were some kind of ASN1 disaster occurring due to input from the server, I'd expect the error to be caught and reported a little more clearly. The "no case clause matching" language suggests that there's a case that isn't handled, which for things like TLS certificates might indicate an exploitable issue. And it seems to arise from something that someone has unwittingly put into a TLS certificate.
Affected versions
The text was updated successfully, but these errors were encountered: