Sending / receiving TCP requests with SSL certificate

willc0de4food · August 22, 2024, 8:05am

Hello,

I’m attempting to communicate with the Verisign EPP server over a TCP / SSL connection. This connection requires an SSL certificate, but I’m having trouble with the SSL certificate. I am inexperienced in working with anything like this, in the past all I’ve done is use Req to send various requests of different verbs. So has anyone written a library to make this easier? Or can anyone assist in the correct configuration of including an SSL certificate, sending a request and listening for a response? Here’s what I have so far, just shooting in the dark:

  def ssl_client() do
    host = Application.get_env(:appname, :epp_host) |> String.to_charlist()
    port = Application.get_env(:appname, :epp_port)
    cert = File.cwd!() <> "/ssl/cert.chain.pem"

    {:ok, connect_socket} =
      :ssl.connect(host, port, [verify: :verify_none, cacertfile: cert, active: true], :infinity)

    connect_socket
  end

  defp listen_ssl(socket) do
    case :ssl.recv(socket, 0) do
      {:ok, line} ->
        IO.puts(~s(Client got: "#{String.trim(line)}"))
        :ok = :ssl.close(socket)

      {:error, :closed} ->
        IO.puts("Server closed socket.")

      {:error, :enotconn} ->
        IO.puts("Server is not connected.")

      {:error, reason} ->
        IO.puts("Server errored with code: #{reason}")
    end
  end

  def send_ssl_request(line) do
    socket = ssl_client()
    :ssl.send(socket, line)
    listen_ssl(socket)
  end

The response that I get when I attempt to call send_ssl_request() is:
TLS :client: In state :connection received SERVER ALERT: Fatal - Bad Certificate

Thanks!

zacksiri · August 22, 2024, 8:21am

Your configuration for the certificate looks correct, however any reason you are setting verify: :verify_none instead of verify: :verify_peer ?

Also if you try cacerts: :public_key.cacerts_get() instead of passing in your own cert what happens?

willc0de4food · August 22, 2024, 4:11pm

I used :verify_none because if I use :verify_peer, I get the following error: ~c"TLS client: In state wait_cert at ssl_handshake.erl:2180 generated CLIENT ALERT: Fatal - Unknown CA\n"

If I try cacerts: :public_key.cacerts_get() I get the same error: TLS :client: In state :connection received SERVER ALERT: Fatal - Bad Certificate
I assume that’s because it doesn’t have a certificate, or the certificate it does have isn’t for the domain I need to authenticate.
If I do :public_key.cacerts_load(cert), I get :ok, but then with cacerts: :public_key.cacerts_get() I still get the same error: TLS :client: In state :connection received SERVER ALERT: Fatal - Bad Certificate

muelthe · August 22, 2024, 4:46pm

A couple of things that have caught me out in the past, one being when using :public_key_cacerts_get() I didn’t have the certificate store configured correctly on my host machine.

Second, I’ve found that I also need to include the server_name_indication (SNI) in my ssl opts (some info here on SNI: https://www.cloudflare.com/learning/ssl/what-is-sni/).

willc0de4food · August 22, 2024, 5:31pm

What type of value should I provide for the SNI? The only thing I see listed in the Erlang docs are disable
I tried providing a string with the domain (server_name_indication: "domain.ext"), but that produces an error.
This could be what I need, though. I’ve added certs_keys: [...] to the options and I’m getting TLS :client: In state :connection received SERVER ALERT: Fatal - Certificate Unknown

muelthe · August 22, 2024, 7:23pm

Yep you have it right, but I think you have to provide it as a charlist, so: ~c"foo.bar.com" (ref: Binaries, strings, and charlists — Elixir v1.17.2)

willc0de4food · August 22, 2024, 11:43pm

This worked for the SNI value, however; it didn’t resolve the problem I’m still getting Fatal - Certificate Unknown

How do I specify the version of TLS to use? I’ve tried appending the following to the options to no avail: versions: ["tlsv1.2"], versions: [~c"tlsv1.2"], versions: ["tlsv1_2"], versions: [~c"tlsv1_2"]

// Update
Finally found the correct format, it’s: versions: [:"tlsv1.2"]

Sadly, I’m still getting errors. When I try verify: :verify_peer, cacerts: :public_key.cacerts_get()
I get this error:
{:tls_alert, {:unknown_ca, ~c"TLS client: In state certify at ssl_handshake.erl:2180 generated CLIENT ALERT: Fatal - Unknown CA\n"}}

When I try verify: :verify_none, certs_keys: [%{certfile: cert, keyfile: key}],
I get this error:
{:tls_alert, {:certificate_unknown, ~c"TLS client: In state cipher received SERVER ALERT: Fatal - Certificate Unknown\n"}}

I don’t think it’s an issue with the cert / key, as when I test them with the openssl command, I seem to get a successful response, so I’m at a loss:
openssl s_client -connect domain.com:700 -cert cert.pem -key key.pem -tls1_2

---
SSL handshake has read 10844 bytes and written 1790 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: AD15B5B774CE0C8D76B920B165F72C03DE1F1B0CEF8CCD8FC229A3008E6C0497
    Session-ID-ctx: 
    Master-Key: RedactedReallyLongString
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1724396369
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---

This is my current function code:

  def ssl_start() do
    host = Application.get_env(:appname, :epp_host) |> String.to_charlist()
    port = Application.get_env(:appname, :epp_port)
    cert = File.cwd!() <> "/ssl/server/cert.pem"
    key = File.cwd!() <> "/ssl/server/key.pem"
    :public_key.cacerts_load(cert)

    opts = [
      # verify: :verify_peer,
      # cacerts: :public_key.cacerts_get(),
      verify: :verify_none, certs_keys: [%{certfile: cert, keyfile: key}],
      reuseaddr: true,
      server_name_indication: ~c"domain.ext",
      versions: [:"tlsv1.2"]
    ]

    :ssl.start()

    case :ssl.connect(host, port, opts, 5000) do
      {:ok, socket} ->
        socket

      {:error, err} ->
        dbg(err)
        nil
    end
  end

D4no0 · August 23, 2024, 8:14am

On what are you running this server? It might be possible that you are missing the client certificates on your deployed system, the symptom usually is that it works on dev envs but fails on deployed server.

To check that fast, you can try adding castore to your project and use the provided certs by castore with: CAStore.file_path()

muelthe · August 23, 2024, 2:26pm

Had a chance to test it myself.

It worked using the options setup below and I didn’t need to use the SNI. I think as mentioned before and as @D4no0 indicated, there might be an issue with the application host certificate store i.e. wherever you’re running this from (obviously, I don’t know where you’re connecting to, so I used a fairly well-known address!).

def ssl_start() do
    host = ~c"www.google.com"
    port = 443

    opts = [
      verify: :verify_peer,
      cacerts: :public_key.cacerts_get()
    ]

    :ssl.start()

    case :ssl.connect(host, port, opts, 5000) do
      {:ok, socket} ->
        socket
      {:error, error} ->
        dbg(error)
        nil
    end
  end

Edit: you might still need the SNI depending on what you’re connecting to.

For example, say you’re using maps.google.com, you’re SNI value could be *.google.com that’s just a contrived example.

willc0de4food · August 24, 2024, 3:35am

This isn’t deployed anywhere, I’m working on my localhost. So I can’t even get it to work locally

Good to know about the SNI value, I misunderstood what was needed there so I’ll modify that and give it a try. I’ll also try reducing the options and seeing if that has any effect. Thanks!

willc0de4food · August 25, 2024, 9:45am

I finally found the right combination of options to get it working. What a pain! Somehow this ended up working:

  def ssl_start() do
    host = Application.get_env(:appname, :epp_host) |> String.to_charlist()
    port = Application.get_env(:appname, :epp_port)
    certs = File.cwd!() <> "/ssl/certs.pem"
    key = File.cwd!() <> "/ssl/key.pem"
    :public_key.cacerts_load(certs)

    opts = [
      cacerts: :public_key.cacerts_get(),
      verify: :verify_none,
      certfile: certs,
      keyfile: key
    ]

    :ssl.start()

    case :ssl.connect(host, port, opts, 5000) do
      {:ok, socket} ->
        socket

      {:error, err} ->
        dbg(err)
        nil
    end
  end

I received a file with 1 key & 3 certs. I tried separating each cert into it’s own file, but the working combination was to have the 3 certs in 1 file, and the key in another.