thousandsofthem
SSL connection issue
Hi there,
I’ve encountered ssl handshake issue, details:
Elixir 1.4.2, Erlang 19.3
code:
HTTPoison.get("https://api.searchads.apple.com/...", [], [ssl: [keyfile: "...pem", certfile: "...cert.pem", ]])
# [error] SSL: :certify: tls_connection.erl:715:Fatal error: handshake failure - malformed_handshake_data
This specific query works perfectly fine via curl and python.
After investigating a bit (wireshark etc), the exact issue was found: server wants specifically TLS_RSA_WITH_AES_128_GCM_SHA256
… aaand elixir/erlang do not list such thing in its handshake
:ssl.cipher_suites(:openssl)
['ECDHE-ECDSA-AES256-GCM-SHA384', ...] #- no mentions of required chipher
:ssl.cipher_suites(:erlang)
[{:ecdhe_ecdsa, :aes_256_gcm, :null, :sha384},
{:ecdhe_rsa, :aes_256_gcm, :null, :sha384},
...
{:rsa, :aes_128_gcm, :null, :sha256} # <-- that's it
Also, present in the source code: https://github.com/erlang/otp/blob/maint-19/lib/ssl/src/ssl_cipher.erl#L703
Still, i can’t switch it on:
... , versions: [:'tlsv1'], ciphers: ["TLS-RSA-WITH-AES-128-GCM-SHA256"] # -> same error
... , versions: [:'tlsv1'], ciphers: ["TLS_RSA_WITH_AES_128_GCM_SHA256"] # -> same error
... , versions: [:'tlsv1'], ciphers: [{:rsa, :aes_128_gcm, :null, :sha256}] # -> same error
... , ciphers: [{:rsa, :aes_128_gcm, :null, :sha256}] # -> same error
etc
Wireshark confirms elixir/erlang still sending list of cipher suits that not intersect with desired cipher (weirdly, it is different a bit each time, adding/removing some useless outdated ciphers).
Behavior confirmed on OSX brew installation and linux docker one (alpine)
Any thoughts how to proceed?
Most Liked
Azolo
Instead of using the :cacertfile use the :cacerts option.
cert1 = File.read!("path/to/cert1.pem") |> :public_key.pem_decode
cert2 = File.read!("path/to/cert2.pem") |> :public_key.pem_decode
cacerts = [cert1, cert2]
SSL in Erlang is the most confusing thing ever.
voltone
You can verify each of the PEM certificates by copy & pasting them (one at a time) into openssl x509 -text -noout: presumably if something is wrong with the PEM file contents, OpenSSL would also throw an error. In the output, note the subject and issuer, so you’ll know which PEM certificate is which, i.e. which one needs to be referenced from certfile and which ones need to go in the CA store.
The server tells me (when connecting using openssl s_client -connect api.searchads.apple.com:443) that it expects a client certificate that can be traced back to one of these root CAs:
Acceptable client certificate CA names
/CN=Apple Corporate Root CA/OU=Certification Authority/O=Apple Inc./C=US
/CN=Apple Corporate External Authentication CA 1/OU=Certification Authority/O=Apple Inc./C=US
Presumably the intermediate CAs linking your end-certificate to one of these root CAs are in the PEM file.
zambal
Specifying the cipher as a tuple as returned from :ssl.cipher_suites/1 seems to work though:
HTTPoison.get "https://google.com", [], [ssl: [ciphers: [{:rsa, :aes_128_gcm, :null, :sha256}]
]]








