jgfdjgfd
Ranch: TLS 1.3 connections are successful even though handshake fails
Hi! I have an issue with a Ranch listener with client verification. In short, when using tls 1.2 it works as expected, but when using tls 1.3 clients always receive {:ok, socket}, even when the handshake process fails (i would have expected to receive {:error, {tls_alert, …}}. However, when trying to send to this socket, {:error, :closed} is received. Below is an example.
Listener:
def start_listener(opts) do
versions = Keyword.get(opts, :versions)
verify_fun = Keyword.get(opts, :verify_fun)
key = key()
cacerts = cacerts()
crt = cert()
socket_opts =
[
cacerts: cacerts,
key: key,
cert: crt,
versions: versions,
verify: :verify_peer,
fail_if_no_peer_cert: true,
verify_fun: {verify_fun, []},
port: 49665,
ciphers: :ssl.cipher_suites(:all,:'tlsv1.2') ++ :ssl.cipher_suites(:all,:'tlsv1.3')
]
opts = %{
connection_type: :supervisor,
socket_opts: socket_opts,
}
{:ok, _} = :ranch.start_listener(:Tls, :ranch_ssl, opts, Prot, cert_verification: true)
end
Client connection:
def connect(tls_versions) do
client_ca_cert = client_ca_cert()
{client_cert, client_key} = generate_cert()
:ssl.connect(
{127, 0, 0, 1},
49_665,
[
versions: tls_versions,
ciphers: :ssl.cipher_suites(:all,:'tlsv1.2') ++ :ssl.cipher_suites(:all,:'tlsv1.3'),
cacerts: [client_ca_cert],
key: {:RSAPrivateKey, client_key},
cert: client_cert,
]
)
end
When i try to connect with TLS 1.2 and a verify function that is guaranteed to fail it works as expected:
iex(1)> Listener.start_listener([versions: [:"tlsv1.2"], verify_fun: fn(_c, _r, _s) -> {:fail, :internal_error} end])
{:ok, #PID<0.207.0>}
iex(2)> Listener.connect([:"tlsv1.2"])
11:40:44.558 [warn] Description: 'Authenticity is not established by certificate path validation'
Reason: 'Option {verify, verify_peer} and cacertfile/cacerts is missing'
11:40:44.607 [info] TLS :server: In state :certify at ssl_handshake.erl:2017 generated SERVER ALERT: Fatal - Handshake Failure
- :internal_error
11:40:44.617 [info] TLS :client: In state :cipher received SERVER ALERT: Fatal - Handshake Failure
{:error,
{:tls_alert,
{:handshake_failure,
'TLS client: In state cipher received SERVER ALERT: Fatal - Handshake Failure\n'}}}
However, when doing the same with TLS 1.3, i get the successful message. It seems to be received before the handshake has failed:
iex(1)> Listener.start_listener([versions: [:"tlsv1.3"], verify_fun: fn(_c, _r, _s) -> {:fail, :internal_error} end])
{:ok, #PID<0.221.0>}
iex(2)> Listener.connect([:"tlsv1.3"])
11:42:51.559 [warn] Description: 'Authenticity is not established by certificate path validation'
Reason: 'Option {verify, verify_peer} and cacertfile/cacerts is missing'
{:ok,
{:sslsocket, {:gen_tcp, #Port<0.7>, :tls_connection, :undefined},
[#PID<0.240.0>, #PID<0.238.0>]}}
iex(3)>
11:42:51.640 [info] TLS :server: In state :wait_cert at ssl_handshake.erl:2017 generated SERVER ALERT: Fatal - Handshake Failure
- :internal_error
11:42:51.665 [info] TLS :client: In state :connection received SERVER ALERT: Fatal - Handshake Failure
Popular in Questions
lets say i have a sample like
a = 20; b = 10;
if (a > b) do
{:ok, "a"}
end
if (a < b) do
{:ok, b}
end
if (a == b) do
{:ok, "equa...
New
Hello all!
I am typing this post from my new MacBook Pro with the M1 chip. I’m loving it so far, and will probably use it as my daily dr...
New
I have a phoenix application from which a user can download multiple(5-6) files of size 1MB. I couldn’t find anything related to sending ...
New
Hey all,
I discovered Elixir and I love it. I always wanted to learn a functional programming and I intended to go for Haskell, but afte...
New
About me? ( if you have nothing better to do than reading about some random guy in the internet :stuck_out_tongue: )
Hello all, this is ...
New
Hello everybody,
usually, I use a 29" ultra-wide monitor for VSCode which can easily accomodate explorer (files panel) + file with code ...
New
I’m trying to make a websocket server in Phoenix or raw Elixir. I heard about gun, I think I could use cowboy, but since I’m not that sma...
New
I’ve got an issue with an app and I’ve no idea of how to troubleshoot it. I’m hoping someone here might have seen something similar.
I p...
New
Hi,
I need to transform a list of numbers into a map where the keys are the indexes and the values are the original values of the list. ...
New
I am trying to run a deploy with docker and I successfully runned with this command:
docker build -t romenigld/blog-prod .
but when I t...
New
Other popular topics
lets say i have a sample like
a = 20; b = 10;
if (a > b) do
{:ok, "a"}
end
if (a < b) do
{:ok, b}
end
if (a == b) do
{:ok, "equa...
New
I wanted to check elixir version in phoenix because i found that my elixir is 1.5 but when i use Enum.chunk_by it said the function is un...
New
This post is an instruction guide to help you setup your Neovim for Elixir development from scratch. It includes general information on h...
New
Anybody knows a comprehensive comparison of Django and Phoenix, thanks for the help.
Where are they similar?
Where do they differ the m...
New
After calling mix ecto.create I get this error:
17:00:32.162 [error] GenServer #PID<0.412.0> terminating
** (Postgrex.Error) FATAL...
New
I am trying to figure out how Mix knows whether the environment is test, dev, or prod – where is this set?
Thanks.
New
What learn first? Rust or Elixir
Hi Elixir community!
I’m here because i want learn a new language. I’m a junior developer and mainly i ...
New
Why is it that the mnesia database isn’t the most preferred database for use in Elixir/Phoenix?
New
I am VERY much an elixir newbie. I have taken one elixir course and one phoenix course on Udemy. During that course, I saw the instructor...
New
Hi!
In PHP: $_SERVER[‘SERVER_ADDR’] - in Elixir?
Searched the docs for ip address and the web, no good results.
Thanks!
New
Categories:
Sub Categories:
Forums
Popular Tags
- #ecto
- #liveview
- #troubleshooting
- #learning-elixir
- #deployment
- #library
- #erlang
- #testing
- #genserver
- #mix
- #absinthe
- #remote-other
- #otp
- #plug
- #how-to-question
- #macros
- #postgres
- #channels
- #elixirconf
- #exunit
- #discussion
- #code-sync
- #javascript
- #podcasts
- #onsite
- #dialyzer
- #docker
- #authentication
- #umbrella
- #full-time-contract
- #podcasts-by-brainlid
- #ecto-query
- #elixir-ls
- #phoenix_html
- #iex
- #blog-post
- #graphql
- #genstage
- #ai
- #websockets
- #supervisor
- #advent-of-code
- #elixirconf-us
- #distillery
- #processes
- #forms
- #api
- #metaprogramming
- #security
- #performance









