toddholmberg
Error when trying to retrieve an ssl certificate
Hello. I am trying to understand and fix an error I am receiveing when trying to retrieve the ssl certificate from an ssl handshake. Any handshake action that returns anything other than a 200 status code results in the following error:
TLS :client: In state :hello at tls_record.erl:471 generated CLIENT ALERT: Fatal - Unexpected Message.
I would like to retrieve the certificate regardless of the response code. Here is how I initiate the handshake. FYI, I am issuing the request through a proxy.
{:ok, tcp} = :gen_tcp.connect('#{proxy_ip}', proxy_port, active: false)
:gen_tcp.send(tcp, "CONNECT #{host_name}:443 HTTP/1.1\r\nProxy-Authorization: Basic #{:base64.encode_to_string('#{proxy_uername}:#{proxy_password}')}\r\n\r\n")
ssl_options = [
versions: [:"tlsv1.2"],
server_name_indication: '#{host_name}',
verify: :verify_none,
depth: 3,
reuse_sessions: false
]
recv = :gen_tcp.recv(tcp, 0, 5000)
:ssl.start()
:ssl.connect(tcp, ssl_options, timeout)
Is there anything that jumps out here as an obviouse possible issue with how I am making the request?
Thank you
First Post!
voltone
If you are referring to the HTTP response to the proxy CONNECT request, then presumably an error means the proxy is not actually connecting you to the upstream server, so you won’t be able to complete a TLS handshake with it.
If you start the TLS handshake anyway, the ClientHello message will be interpreted by the proxy, which will likely respond with an error, which the TLS client will fail to interpret as handshake messages. Hence the CLIENT ALERT: Fatal - Unexpected Message response.
Another issue with your sample code is that :gen_tcp.recv(tcp, 0, 5000) is not guaranteed to consume the entire response to the CONNECT request. One way to ensure the entire HTTP response is read is by using active: false, packet: : http_bin in the connect call, and then iterating over the :http_response, ::http_header and :http_eoh messages you’ll receive. Then you call :inet.setopts(tcp, packet: :raw), and if necessary read the request body (number of bytes indicated in the Content-Length header). Only then can you be actually sure that the TCP connection is ready for the handshake (provided the proxy returned a success response).
Popular in Questions
Other popular topics
Categories:
Sub Categories:
Forums
Popular Tags
- #ecto
- #liveview
- #troubleshooting
- #learning-elixir
- #deployment
- #library
- #erlang
- #testing
- #genserver
- #mix
- #absinthe
- #remote-other
- #otp
- #plug
- #how-to-question
- #macros
- #postgres
- #channels
- #elixirconf
- #exunit
- #discussion
- #code-sync
- #javascript
- #podcasts
- #onsite
- #dialyzer
- #docker
- #authentication
- #umbrella
- #full-time-contract
- #podcasts-by-brainlid
- #ecto-query
- #elixir-ls
- #phoenix_html
- #iex
- #blog-post
- #graphql
- #genstage
- #ai
- #websockets
- #supervisor
- #advent-of-code
- #elixirconf-us
- #distillery
- #processes
- #forms
- #api
- #metaprogramming
- #security
- #performance









