Error when trying to retrieve an ssl certificate

toddholmberg · April 22, 2020, 5:10am

Hello. I am trying to understand and fix an error I am receiveing when trying to retrieve the ssl certificate from an ssl handshake. Any handshake action that returns anything other than a 200 status code results in the following error:

TLS :client: In state :hello at tls_record.erl:471 generated CLIENT ALERT: Fatal - Unexpected Message.

I would like to retrieve the certificate regardless of the response code. Here is how I initiate the handshake. FYI, I am issuing the request through a proxy.

{:ok, tcp} = :gen_tcp.connect('#{proxy_ip}', proxy_port, active: false)

:gen_tcp.send(tcp, "CONNECT #{host_name}:443 HTTP/1.1\r\nProxy-Authorization: Basic #{:base64.encode_to_string('#{proxy_uername}:#{proxy_password}')}\r\n\r\n")

ssl_options = [
      versions: [:"tlsv1.2"],
      server_name_indication: '#{host_name}',
      verify: :verify_none,
      depth: 3,
      reuse_sessions: false
    ]

recv = :gen_tcp.recv(tcp, 0, 5000)

:ssl.start()

:ssl.connect(tcp, ssl_options, timeout)

Is there anything that jumps out here as an obviouse possible issue with how I am making the request?

Thank you

voltone · April 22, 2020, 6:41am

If you are referring to the HTTP response to the proxy CONNECT request, then presumably an error means the proxy is not actually connecting you to the upstream server, so you won’t be able to complete a TLS handshake with it.

If you start the TLS handshake anyway, the ClientHello message will be interpreted by the proxy, which will likely respond with an error, which the TLS client will fail to interpret as handshake messages. Hence the CLIENT ALERT: Fatal - Unexpected Message response.

Another issue with your sample code is that :gen_tcp.recv(tcp, 0, 5000) is not guaranteed to consume the entire response to the CONNECT request. One way to ensure the entire HTTP response is read is by using active: false, packet: : http_bin in the connect call, and then iterating over the :http_response, ::http_header and :http_eoh messages you’ll receive. Then you call :inet.setopts(tcp, packet: :raw), and if necessary read the request body (number of bytes indicated in the Content-Length header). Only then can you be actually sure that the TCP connection is ready for the handshake (provided the proxy returned a success response).

toddholmberg · April 23, 2020, 6:59pm

Thank you for the information, @voltone.

The :gen_tcp.recv results for hosts that are supposed to return a non-200 status code all return following:

{:ok, {:http_response, {1, 1}, 200, "Connection established"}}
{:ok, :http_eoh}
{:error, :timeout}

Is the {:ok, {:http_response, {1, 1}, 200, "Connection established"}} maybe from the proxy, and then the rest of the request is timing out for hosts that return a 30X, 40X, 50X?

Here is my updated test code. Does the following code example correctly implement what you are talking about?

    uri = "https://#{host_name}" |> URI.parse

    ssl_options = [
      versions: [:"#{protocol}"],
      server_name_indication: '#{uri.host}',
      verify: :verify_none,
      depth: 3,
      reuse_sessions: false,
      cacertfile: :certifi.cacertfile()
    ]

    {:ok, tcp} = :gen_tcp.connect('#{proxy_host}', proxy_port, active: false, packet: :http_bin)

    :gen_tcp.send(tcp, "CONNECT #{uri.host}:#{uri.port} HTTP/1.1\r\nProxy-Authorization: Basic #{:base64.encode_to_string('#{proxy_user"]}:#{proxy["pass"]}')}\r\n\r\n")

    resp = :gen_tcp.recv(tcp, 0, 1000)

    Enum.map(1..10, fn _ ->
      case resp do
        {:ok, {:http_header, _size, _, _, _}} -> IO.inspect header
        _ = foo -> IO.inspect foo
      end
      resp
    end)

    :inet.setopts(tcp, packet: :raw)

    result =
      case :ssl.connect(tcp, ssl_options, 5000) do
        {:ok, result} -> {:ok, der} = :ssl.peercert(result)
        {:error, _message} = error -> error
      end

    :gen_tcp.close(tcp)

How do I read the request body :inet.setopts(tcp, packet: :raw) if there don’t seem to be any other headers available in the response?

One very confusing aspect of this is that many of the hosts I am trying to connect to should return something other than a 200 status code, but the http response is {:ok, {:http_response, {1, 1}, 200, "Connection established"}} and a resulting TLS error. Do you think this is further indication of a proxy issue? Maybe the proxy connection is closing?

{:ok, {:http_response, {1, 1}, 200, "Connection established"}}
{:ok, :http_eoh}
{:error, :timeout}

12:33:20.771 [info]  TLS :client: In state :hello received SERVER ALERT: Fatal - Handshake Failure

Thanks, again, for any insight into this.

FYI, I am using

Erlang/OTP 22
Elixir (1.10.1)