ERL-539

ERL-539

Certificate setup

  • Clone https://github.com/michaelklishin/tls-gen.git
  • Do the following:
    cd tls-gen/basic
    make
    

Reproduction

  • Start TLS/SSL server:

Note: ensure Erlang is in your PATH. Edit repro so that the cacertfile, certfile and keyfile paths are all valid.

./repro
  • Connect a client:
cd tls-gen/basic/result
openssl s_client -connect localhost:4000 \
    -cert ./client_certificate.pem \
    -key ./client_key.pem \
    -CAfile ./ca_certificate.pem \
    -verify 8

Notice that the connection succeeds.

  • Change options

Edit repro so that the cacertfile path is invalid, something like this:

    {cacertfile, "/FOOBAR/michaelklishin/tls-gen/basic/result/ca_certificate.pem"},
  • Re-start the server with ./repro

  • Connect a client:

cd tls-gen/basic/result
openssl s_client -connect localhost:4000 \
    -cert ./client_certificate.pem \
    -key ./client_key.pem \
    -CAfile ./ca_certificate.pem \
    -verify 8

Notice that the server throws the following error:

[ERROR] exit : {{function_clause,
                 [{tls_connection,gen_handshake,
                   [error,
                    {call,{<0.5.0>,#Ref<0.2501599645.817364995.145871>}},
                    {new_user,<0.84.0>},
                    {{options,
                      {cacertfile,
                       "/FOOBAR/home/lbakken/development/michaelklishin/tls-gen/basic/result/ca_certificate.pem",
                       {error,enoent}}},

Results

After applying the most recent patch to a master build of Erlang, and running ./repro with the invalid cacertfile option, the following is output, which is the same as what is output with Erlang 19.3:

lbakken@shostakovich ~/development/erlang/builds/master-ERL-539/otp_src_git (master *%=)
$ bin/escript /home/lbakken/issues/erlang/ERL-539/gist/repro 

=ERROR REPORT==== 3-Jan-2018::12:57:19 ===
Error in process <0.83.0> on node 'ERL539@localhost' with exit value:
{{badmatch,
     {error,
         {options,
             {cacertfile,
                 "/FOOBAR/home/lbakken/development/michaelklishin/tls-gen/basic/result/ca_certificate.pem",
                 {error,enoent}}}}},
 [{erl_eval,expr,3,[]}]}
#!/usr/bin/env escript
%% -*- erlang -*-
%%! -smp enable -sname ERL539
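%% Entry point of the escript. Runs the server and, if anything escapes
%% start/0 (including the badmatch raised in server/1 when ssl:listen/2
%% rejects the invalid cacertfile path this repro is about), prints the
%% exception class and reason and falls through to usage/0, which halts
%% the VM with exit status 1.
%%
%% The original had a second `main(_) -> usage().` clause after this one;
%% because `_` already matches every argument it could never be reached
%% (the compiler warns "this clause cannot match"), so it has been dropped.
main(_) ->
    try
        start()
    catch
        Class:Reason ->
            io:format("[ERROR] ~p : ~p~n", [Class, Reason]),
            usage()
    end.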
%% Print the one-line usage text and terminate the VM with exit status 1.
%% main/1 also uses this as its exit path after a caught error.
usage() ->
    io:put_chars("usage: repro\n"),
    halt(1).
%% Start the ssl application and run the TLS echo server on port 4000.
%% The result of ssl:start/0 is not matched, so an {error, {already_started,
%% ssl}} result does not abort the repro.
start() ->
    Port = 4000,
    ssl:start(),
    server(Port).
%% Open a TLS listen socket on Port and enter the accept loop.
%%
%% The cacertfile path is intentionally invalid ("/FOOBAR/..."): this is the
%% configuration used to reproduce ERL-539. With the fix applied,
%% ssl:listen/2 returns {error, {options, {cacertfile, Path, {error, enoent}}}}
%% and the `{ok, LSocket} =` match below crashes this process with a badmatch,
%% which main/1 catches and prints.
%%
%% No `verify` option is given, so the ssl default for servers (verify_none)
%% applies: the client certificate that openssl s_client presents is not
%% requested or checked by this server.
server(Port) ->
    CaCert = {cacertfile, "/FOOBAR/home/lbakken/development/michaelklishin/tls-gen/basic/result/ca_certificate.pem"},
    Cert = {certfile, "/home/lbakken/development/michaelklishin/tls-gen/basic/result/server_certificate.pem"},
    Key = {keyfile, "/home/lbakken/development/michaelklishin/tls-gen/basic/result/server_key.pem"},
    ListenOpts = [CaCert, Cert, Key, {reuseaddr, true}, {active, false}],
    {ok, LSocket} = ssl:listen(Port, ListenOpts),
    accept(LSocket).
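%% Accept loop: takes one connection at a time off LSocket, hands it to a
%% fresh handler process and waits for the next client.
%%
%% The handler does not touch the socket until it owns it: it blocks on a
%% `{go, Socket}` message that the acceptor sends only after
%% ssl:controlling_process/2 has returned ok. In the original ordering the
%% handler called ssl:ssl_accept/1 while the acceptor was still the
%% controlling process and the return value of ssl:controlling_process/2
%% was ignored, so a failed ownership transfer went unnoticed.
%% NOTE(review): whether an early {ssl, _, _} message could in that window
%% also land in the acceptor's mailbox depends on how ssl forwards messages
%% on ownership transfer — not verified here; the new ordering avoids the
%% question entirely.
%%
%% A failed ssl:transport_accept/1 or ssl:controlling_process/2 crashes this
%% process with a badmatch, which main/1 catches and prints. For ERL-539 the
%% controlling_process call is the one that fails (the connection process is
%% already in its error state), so that behaviour is preserved.
%%
%% spawn/1 rather than spawn_link/1 is used on purpose: a client that aborts
%% its handshake must not take the acceptor, and with it the whole repro
%% server, down.
accept(LSocket) ->
    {ok, Socket} = ssl:transport_accept(LSocket),
    Handler = spawn(fun() -> handle(Socket) end),
    ok = ssl:controlling_process(Socket, Handler),
    Handler ! {go, Socket},
    accept(LSocket).

%% Handler body: waits until ownership of Socket has been transferred,
%% completes the TLS handshake and then echoes data in loop/1.
%% ssl:ssl_accept/1 is kept (rather than ssl:handshake/1) because the OTP
%% versions this script was written against do not have the newer name.
%% The `after` branch keeps a handler from lingering forever if the
%% acceptor died between spawning it and sending `{go, Socket}`.
handle(Socket) ->
    receive
        {go, Socket} ->
            ok = ssl:ssl_accept(Socket),
            io:format("Connection accepted ~p~n", [Socket]),
            loop(Socket)
    after 5000 ->
        exit({ownership_not_transferred, Socket})
    end.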
%% Echo loop for one accepted TLS socket. Re-arms {active, once} before
%% every receive so exactly one packet is delivered per iteration, echoes
%% each packet back on the socket it arrived on, and returns (ending the
%% handler) on ssl_closed or on any other message, which is reported as an
%% error. The results of ssl:setopts/2 and ssl:send/2 are not inspected,
%% and the socket in an {ssl, _, _} message is not checked against Socket.
loop(Socket) ->
    ssl:setopts(Socket, [{active, once}]),
    receive
        {ssl_closed, Closed} ->
            io:format("Closing socket: ~p~n", [Closed]);
        {ssl, From, Payload} ->
            io:format("Got packet: ~p~n", [Payload]),
            ssl:send(From, Payload),
            loop(Socket);
        Other ->
            io:format("Error on socket: ~p~n", [Other])
    end.