ssl: Correct middle_box negotiation #6249

IngelaAndin
Contributor

Closes #6241

@github-actions
Contributor

github-actions bot commented Aug 26, 2022

CT Test Results

       2 files       64 suites   48m 19s ⏱️
   741 tests    675 ✔️   66 💤 0
3 533 runs  2 761 ✔️ 772 💤 0

Results for commit 05ea2d2.

♻️ This comment has been updated with latest results.

To speed up review, make sure that you have read Contributing to Erlang/OTP and that all checks pass.

See the TESTING and DEVELOPMENT HowTo guides for details about how to run tests locally.

Artifacts

// Erlang/OTP Github Action Bot

@IngelaAndin IngelaAndin added the team:PS (Assigned to OTP team PS) and testing (currently being tested, tag is used by OTP internal CI) labels Aug 26, 2022
@IngelaAndin IngelaAndin force-pushed the ingela/ssl/middle-box-negotiation/GH-6241/OTP-18219 branch from f1e3840 to 7f9c349 Compare August 29, 2022 07:12
@IngelaAndin IngelaAndin self-assigned this Aug 29, 2022
@IngelaAndin IngelaAndin force-pushed the ingela/ssl/middle-box-negotiation/GH-6241/OTP-18219 branch 4 times, most recently from d5008c9 to 6eb9932 Compare September 2, 2022 07:00
@IngelaAndin IngelaAndin force-pushed the ingela/ssl/middle-box-negotiation/GH-6241/OTP-18219 branch 2 times, most recently from 66d874c to 6015499 Compare September 4, 2022 13:09
@IngelaAndin IngelaAndin modified the milestones: OTP-25.1, OTP-23.3.4.5 Sep 5, 2022
@IngelaAndin IngelaAndin force-pushed the ingela/ssl/middle-box-negotiation/GH-6241/OTP-18219 branch 3 times, most recently from 26e5986 to 05ea2d2 Compare September 7, 2022 06:40
This middlebox mode is partially negotiated: If the client
provides a non-empty session ID the "compatibility middle box mode"
should be used.

Closes erlang#6241
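
The rule stated in the commit message above, as an added Python example (not code from this pull request or from OTP's ssl application): it reads `legacy_session_id` out of a TLS 1.3 ClientHello, laid out as in RFC 8446 section 4.1.2, and derives whether the server should use middlebox compatibility mode. The function names, the returned dictionary and the constructed ClientHello bytes are assumptions made for illustration.

```python
CLIENT_HELLO = 1  # handshake msg_type for ClientHello


def legacy_session_id(handshake: bytes) -> bytes:
    """Extract legacy_session_id from a ClientHello handshake message."""
    if len(handshake) < 4 or handshake[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + body_len]
    # legacy_version (2) + random (32) + session id length byte (1) = 35
    if len(body) != body_len or body_len < 35:
        raise ValueError("truncated ClientHello")
    sid_len = body[34]
    if sid_len > 32 or 35 + sid_len > len(body):
        raise ValueError("bad legacy_session_id length")
    return body[35:35 + sid_len]


def server_plan(handshake: bytes) -> dict:
    """Hypothetical helper: what the server side does with the session ID."""
    sid = legacy_session_id(handshake)
    middlebox = len(sid) > 0  # non-empty session ID => compatibility mode
    return {
        "middlebox_mode": middlebox,
        "legacy_session_id_echo": sid,      # always echoed in ServerHello
        "send_change_cipher_spec": middlebox,  # dummy CCS only in compat mode
    }


def build_client_hello(session_id: bytes) -> bytes:
    """Constructed sample input; a real hello carries supported_versions etc."""
    body = (
        b"\x03\x03" + bytes(32)              # legacy_version, random
        + bytes([len(session_id)]) + session_id
        + b"\x00\x02\x13\x01"                # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                        # legacy_compression_methods: null
        + b"\x00\x00"                        # empty extensions block
    )
    return bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body


if __name__ == "__main__":
    for sid in (b"", bytes(range(32))):
        print(len(sid), server_plan(build_client_hello(sid)))
```
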
@GitJadhav

@IngelaAndin We are using Rabbit 3.11.27 and Erlang OTP 25.3.2.7 and still seeing these errors in our RMQ logs

no_suitable_ciphers
no_suitable_ciphers

"TLS server: In state hello at tls_handshake.erl:348 generated SERVER
ALERT: Fatal - Insufficient Security"
 
unexpected_msg,{internal,{change_cipher_spec,<<1>>}}}

@IngelaAndin
Contributor Author

@GitJadhav I have no reason to believe that OTP-25.3.2.7 is not handling middlebox compatibility mode correctly. We also will ignore one such message per state if middlebox mode is not used, just to increase interoperability.

You are not providing enough context for me to help you. I guess you are only asking about the last line in the log. What might help is if you know which client is connecting when this happens. If you could connect with this client and set the server log_level to debug, that could help.
