
TLS 1.3 connection with client verification always successful #335

Closed
nieg675 opened this issue Dec 30, 2021 · 1 comment

Comments


nieg675 commented Dec 30, 2021

When using Ranch 1.8 with client verification and TLS 1.3, clients always receive {:ok, socket}, even when the handshake fails (I would have expected to receive {:error, {tls_alert, …}}). When using TLS 1.2 it works as expected.

I have made a minimal example at https://github.com/nieg675/tls with some tests, where the code for the Listener module used below can also be found. I also tried with a python client with the same result.

Example:

When I try to connect with TLS 1.2 and a verify function that is guaranteed to fail, it works as expected:

```
iex(1)> Listener.start_listener([versions: [:"tlsv1.2"], verify_fun: fn(_c, _r, _s) -> {:fail, :internal_error} end])
{:ok, #PID<0.207.0>}
iex(2)> Listener.connect([:"tlsv1.2"])

11:40:44.558 [warn]  Description: 'Authenticity is not established by certificate path validation'
     Reason: 'Option {verify, verify_peer} and cacertfile/cacerts is missing'

11:40:44.607 [info]  TLS :server: In state :certify at ssl_handshake.erl:2017 generated SERVER ALERT: Fatal - Handshake Failure
 - :internal_error

11:40:44.617 [info]  TLS :client: In state :cipher received SERVER ALERT: Fatal - Handshake Failure

{:error,
 {:tls_alert,
  {:handshake_failure,
   'TLS client: In state cipher received SERVER ALERT: Fatal - Handshake Failure\n'}}}
```

However, when doing the same with TLS 1.3, I get the successful message. It seems to be received before the handshake has failed:

```
iex(1)> Listener.start_listener([versions: [:"tlsv1.3"], verify_fun: fn(_c, _r, _s) -> {:fail, :internal_error} end])
{:ok, #PID<0.221.0>}
iex(2)> Listener.connect([:"tlsv1.3"])

11:42:51.559 [warn]  Description: 'Authenticity is not established by certificate path validation'
     Reason: 'Option {verify, verify_peer} and cacertfile/cacerts is missing'

{:ok,
 {:sslsocket, {:gen_tcp, #Port<0.7>, :tls_connection, :undefined},
  [#PID<0.240.0>, #PID<0.238.0>]}}
iex(3)>
11:42:51.640 [info]  TLS :server: In state :wait_cert at ssl_handshake.erl:2017 generated SERVER ALERT: Fatal - Handshake Failure
 - :internal_error

11:42:51.665 [info]  TLS :client: In state :connection received SERVER ALERT: Fatal - Handshake Failure
```
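The two sessions above differ in when the client learns of the server's rejection, and that matches the shape of the TLS 1.3 handshake. In TLS 1.2 the server checks the client certificate before sending its own Finished, so the client's connect fails with the alert. In TLS 1.3 the client's Certificate, CertificateVerify and Finished form the last flight, so the client has completed the handshake by the time the server evaluates the certificate, and the fatal alert arrives as the first thing read on the established socket. Note that in both sessions the server still generates the alert and the client still receives it, so client verification is not bypassed; what changes is the call in which the client observes it. The following Go program, added here as an illustration and not code from Ranch, OTP or the reporter's repository, reproduces the same pattern with Go's crypto/tls over a loopback TCP connection: a server that requires a client certificate and is shown one it does not trust, and a client that records whether the failure surfaces in Handshake() or only in the first Read(). The CA and certificate names are constructed throwaway values, and `GetClientCertificate` is used only to force the client to present its untrusted certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newCert issues a P-256 certificate for cn; a nil parent means self-signed.
// Throwaway PKI constructed for this example, not real trust material.
func newCert(cn string, serial int64, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		DNSNames:     []string{"localhost"},
	}
	if isCA {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// ObserveRejectedClientAuth runs a loopback handshake in which the server rejects the client's
// certificate. It returns the client's Handshake() error and, if that is nil, its first Read() error.
func ObserveRejectedClientAuth(tls13 bool) (handshakeErr, readErr error) {
	version := map[bool]uint16{false: tls.VersionTLS12, true: tls.VersionTLS13}[tls13]
	ca, caKey := newCert("example CA", 1, true, nil, nil)
	srvCert, srvKey := newCert("localhost", 2, false, ca, caKey)
	cliCert, cliKey := newCert("untrusted client", 3, false, nil, nil) // self-signed, not issued by the CA
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	srvCfg := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // roughly {verify, verify_peer} with a verify_fun that fails
		ClientCAs:    pool,
		MinVersion:   version,
		MaxVersion:   version,
	}
	cliCfg := &tls.Config{
		// Always present the untrusted certificate, whatever CAs the server advertises.
		GetClientCertificate: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
			return &tls.Certificate{Certificate: [][]byte{cliCert.Raw}, PrivateKey: cliKey}, nil
		},
		RootCAs:    pool,
		ServerName: "localhost",
		MinVersion: version,
		MaxVersion: version,
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	must(err)
	defer ln.Close()
	go func() {
		if raw, err := ln.Accept(); err == nil {
			s := tls.Server(raw, srvCfg)
			_ = s.Handshake() // rejects the client certificate and sends a fatal alert
			s.Close()
		}
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	must(err)
	c := tls.Client(raw, cliCfg)
	defer c.Close()
	c.SetDeadline(time.Now().Add(5 * time.Second))
	if handshakeErr = c.Handshake(); handshakeErr == nil {
		// TLS 1.3: the client is done once it has sent Finished, so the server's
		// verdict on the certificate only shows up on the first read.
		_, readErr = c.Read(make([]byte, 1))
	}
	return handshakeErr, readErr
}

func main() {
	fmt.Println(ObserveRejectedClientAuth(false)) // TLS 1.2: the handshake itself fails
	fmt.Println(ObserveRejectedClientAuth(true))  // TLS 1.3: the handshake succeeds, the first read fails
}
```

Run with `go run`: for TLS 1.2 the handshake error is set, for TLS 1.3 the handshake error is nil and the first Read returns the server's alert as an error. The practical consequence for any TLS 1.3 client, in Erlang or elsewhere, is that a successful connect is not evidence that the server accepted the client certificate; the client has to treat an error on its first recv or send as the outcome of mutual authentication.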

essen commented Dec 30, 2021

Please open such TLS issues against the erlang/otp repository directly as Ranch only provides a thin wrapper on top of the ssl application.

@essen essen closed this as completed Dec 30, 2021