SSL version matching OTP 27.1.1 #8908

ansd · 2024-10-07T15:08:06Z

Is the Version in line 248 supposed to match the Version in line 245 in https://github.com/erlang/otp/blob/OTP-27.1.1/lib/ssl/src/tls_handshake.erl#L245-L248 ?

I'm asking because
make -C deps/rabbitmq_mqtt ct-java t=v3
succeeds on RabbitMQ server main branch with OTP 27.1 but fails on OTP 27.1.1.

When I add {log_level, debug} to ssl_opttions, then I see a badmatch as shown

here

2024-10-07 14:39:24.598710+00:00 [debug] <0.1396.0>     message: {ssl_tls,22,
2024-10-07 14:39:24.598710+00:00 [debug] <0.1396.0>                       {3,3},
2024-10-07 14:39:24.598710+00:00 [debug] <0.1396.0>                       <<1,0,1,54,3,3,222,229,23,193,210,235,95,110,196,185,247,
2024-10-07 14:39:24.598710+00:00 [debug] <0.1396.0>                         159,37,119,201,204,134,77,64,182,55,129,12,209,37,44,
2024-10-07 14:39:24.598710+00:00 [debug] <0.1396.0>                         213,220,13,2,186,212,0,0,92,192,44,192,43,204,169,192,
2024-10-07 14:39:24.598710+00:00 [debug] <0.1396.0>                         48,204,168,192,47,0,159,204,170,0,163,0,158,0,162,192,
2024-10-07 14:39:24.598710+00:00 [debug] <0.1396.0>                         36,192,40,192,35,192,39,0,107,0,106,0,103,0,64,192,46,
2024-10-07 14:39:24.598710+00:00 [debug] <0.1396.0>                         192,50,192,45,192,49,192,38,192,42,192,37,192,41,192,
2024-10-07 14:39:24.598710+00:00 [debug] <0.1396.0>                         10,192,20,192,9,192,19,0,57,0,56,0,51,0,50,192,5,192,
2024-10-07 14:39:24.598710+00:00 [debug] <0.1396.0>                         15,192,4,192,14,0,157,0,156,0,61,0,60,0,53,0,47,0,255,
2024-10-07 14:39:24.598710+00:00 [debug] <0.1396.0>                         1,0,0,177,0,0,0,8,0,6,0,0,3,110,117,99,0,5,0,5,1,0,0,0,
2024-10-07 14:39:24.598710+00:00 [debug] <0.1396.0>                         0,0,10,0,22,0,20,0,29,0,23,0,24,0,25,0,30,1,0,1,1,1,2,
2024-10-07 14:39:24.598710+00:00 [debug] <0.1396.0>                         1,3,1,4,0,11,0,2,1,0,0,17,0,9,0,7,2,0,4,0,0,0,0,0,23,0,
2024-10-07 14:39:24.598710+00:00 [debug] <0.1396.0>                         0,0,35,0,0,0,13,0,44,0,42,4,3,5,3,6,3,8,7,8,8,8,4,8,5,
2024-10-07 14:39:24.598710+00:00 [debug] <0.1396.0>                         8,6,8,9,8,10,8,11,4,1,5,1,6,1,4,2,3,3,3,1,3,2,2,3,2,1,
2024-10-07 14:39:24.598710+00:00 [debug] <0.1396.0>                         2,2,0,43,0,3,2,3,3,0,50,0,44,0,42,4,3,5,3,6,3,8,7,8,8,
2024-10-07 14:39:24.598710+00:00 [debug] <0.1396.0>                         8,4,8,5,8,6,8,9,8,10,8,11,4,1,5,1,6,1,4,2,3,3,3,1,3,2,
2024-10-07 14:39:24.598710+00:00 [debug] <0.1396.0>                         2,3,2,1,2,2>>,
2024-10-07 14:39:24.598710+00:00 [debug] <0.1396.0>                       false}
2024-10-07 14:39:24.598710+00:00 [debug] <0.1396.0>     protocol: record
2024-10-07 14:39:24.598710+00:00 [debug] <0.1396.0>     direction: inbound
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>     message: {client_hello,
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                  {3,3},
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                  <<222,229,23,193,210,235,95,110,196,185,247,159,37,119,201,
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                    204,134,77,64,182,55,129,12,209,37,44,213,220,13,2,186,212>>,
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                  <<>>,undefined,
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                  [<<"À,">>,<<"À+">>,<<"̩"/utf8>>,<<"À0">>,<<"̨"/utf8>>,<<"À/">>,
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                   <<0,159>>,
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                   <<"̪"/utf8>>,
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                   <<0,163>>,
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                   <<0,158>>,
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                   <<0,162>>,
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                   <<"À$">>,<<"À(">>,<<"À#">>,<<"À'">>,
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                   <<0,107>>,
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                   <<0,106>>,
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                   <<0,103>>,
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                   <<0,64>>,
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                   <<"À.">>,<<"À2">>,<<"À-">>,<<"À1">>,<<"À&">>,<<"À*">>,
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                   <<"À%">>,<<"À)">>,<<"À\n">>,
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                   <<192,20>>,
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                   <<"À\t">>,
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                   <<192,19>>,
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                   <<0,57>>,
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                   <<0,56>>,
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                   <<0,51>>,
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                   <<0,50>>,
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                   <<192,5>>,
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                   <<192,15>>,
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                   <<192,4>>,
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                   <<192,14>>,
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                   <<0,157>>,
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                   <<0,156>>,
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                   <<0,61>>,
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                   <<0,60>>,
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                   <<0,53>>,
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                   <<0,47>>,
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                   <<0,255>>],
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                  #{client_hello_versions => {client_hello_versions,[{3,3}]},
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                    srp => undefined,
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                    signature_algs =>
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                        {hash_sign_algos,
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                            [{sha256,ecdsa},
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                             {sha384,ecdsa},
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                             {sha512,ecdsa},
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                             {sha256,rsa_pss_rsae},
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                             {sha384,rsa_pss_rsae},
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                             {sha512,rsa_pss_rsae},
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                             {sha256,rsa_pss_pss},
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                             {sha384,rsa_pss_pss},
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                             {sha512,rsa_pss_pss},
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                             {sha256,rsa},
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                             {sha384,rsa},
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                             {sha512,rsa},
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                             {sha256,dsa},
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                             {sha224,ecdsa},
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                             {sha224,rsa},
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                             {sha224,dsa},
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                             {sha,ecdsa},
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                             {sha,rsa},
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                             {sha,dsa}]},
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                    signature_algs_cert =>
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                        {signature_algorithms_cert,
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                            [ecdsa_secp256r1_sha256,ecdsa_secp384r1_sha384,
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                             ecdsa_secp521r1_sha512,eddsa_ed25519,eddsa_ed448,
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                             rsa_pss_rsae_sha256,rsa_pss_rsae_sha384,
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                             rsa_pss_rsae_sha512,rsa_pss_pss_sha256,
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                             rsa_pss_pss_sha384,rsa_pss_pss_sha512,
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                             rsa_pkcs1_sha256,rsa_pkcs1_sha384,
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                             rsa_pkcs1_sha512,
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                             {sha256,dsa},
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                             {sha224,ecdsa},
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                             {sha224,rsa},
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                             {sha224,dsa},
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                             ecdsa_sha1,rsa_pkcs1_sha1,
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                             {sha,dsa}]},
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                    elliptic_curves =>
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                        {elliptic_curves,
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                            [{1,3,101,110},
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                             {1,2,840,10045,3,1,7},
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                             {1,3,132,0,34},
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                             {1,3,132,0,35},
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                             {1,3,101,111}]},
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                    sni => {sni,"nuc"},
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                    alpn => undefined,
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                    ec_point_formats => {ec_point_formats,[0]},
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                    next_protocol_negotiation => undefined,
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>                    renegotiation_info => undefined}}
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>     protocol: handshake
2024-10-07 14:39:24.599115+00:00 [debug] <0.1396.0>     direction: inbound
2024-10-07 14:39:24.599851+00:00 [info] <0.1396.0> Description: handshake_error
2024-10-07 14:39:24.599851+00:00 [info] <0.1396.0>      Reason: [{reason,{badmatch,{3,3}}},
2024-10-07 14:39:24.599851+00:00 [info] <0.1396.0>               {stacktrace,
2024-10-07 14:39:24.599851+00:00 [info] <0.1396.0>                   [{tls_handshake,hello,4,
2024-10-07 14:39:24.599851+00:00 [info] <0.1396.0>                        [{file,"tls_handshake.erl"},{line,248}]},
2024-10-07 14:39:24.599851+00:00 [info] <0.1396.0>                    {tls_server_connection,handle_client_hello,2,
2024-10-07 14:39:24.599851+00:00 [info] <0.1396.0>                        [{file,"tls_server_connection.erl"},{line,400}]},
2024-10-07 14:39:24.599851+00:00 [info] <0.1396.0>                    {tls_server_connection,hello,3,
2024-10-07 14:39:24.599851+00:00 [info] <0.1396.0>                        [{file,"tls_server_connection.erl"},{line,215}]},
2024-10-07 14:39:24.599851+00:00 [info] <0.1396.0>                    {gen_statem,loop_state_callback,11,
2024-10-07 14:39:24.599851+00:00 [info] <0.1396.0>                        [{file,"gen_statem.erl"},{line,3735}]},
2024-10-07 14:39:24.599851+00:00 [info] <0.1396.0>                    {tls_server_connection,init,1,
2024-10-07 14:39:24.599851+00:00 [info] <0.1396.0>                        [{file,"tls_server_connection.erl"},{line,145}]},
2024-10-07 14:39:24.599851+00:00 [info] <0.1396.0>                    {proc_lib,init_p_do_apply,3,
2024-10-07 14:39:24.599851+00:00 [info] <0.1396.0>                        [{file,"proc_lib.erl"},{line,329}]}]}]
2024-10-07 14:39:24.599851+00:00 [info] <0.1396.0>
2024-10-07 14:39:24.600003+00:00 [debug] <0.1396.0>     message: [<<21,3,3,0,2>>,<<2,40>>]
2024-10-07 14:39:24.600003+00:00 [debug] <0.1396.0>     protocol: record
2024-10-07 14:39:24.600003+00:00 [debug] <0.1396.0>     direction: outbound
2024-10-07 14:39:24.600077+00:00 [notice] <0.1396.0> TLS server: In state hello at tls_handshake.erl:253 generated SERVER ALERT: Fatal - Handshake Failure
2024-10-07 14:39:24.600077+00:00 [notice] <0.1396.0>  - malformed_handshake_data

Not sure if this is an OTP bug though?

The text was updated successfully, but these errors were encountered:

IngelaAndin · 2024-10-08T10:45:56Z

Yes alas I think it is a bug. I will fix it shortly.

IngelaAndin · 2024-10-08T13:59:54Z

Will this solve your problem #8916 ? It feel like it should, I am looking into improving tests but am a bit swamped at the moment.

ansd · 2024-10-08T14:45:53Z

Thank you @IngelaAndin !
Yes, this PR makes the RabbitMQ test case green again.
(I tested using kerl build-install git https://github.com/IngelaAndin/otp ingela/ssl/fix-assert/GH-8908/OTP-19288 ssl-fix.)

ansd · 2024-10-08T14:50:29Z

Probably it doesn't help you much in writing a test case, but in this specific RabbitMQ test, ssl:versions() on the RabbitMQ node returned:

[{ssl_app,"11.2.3"},
 {supported,['tlsv1.3','tlsv1.2']},
 {supported_dtls,['dtlsv1.2']},
 {available,['tlsv1.3','tlsv1.2','tlsv1.1',tlsv1]},
 {available_dtls,['dtlsv1.2',dtlsv1]},
 {implemented,['tlsv1.3','tlsv1.2','tlsv1.1',tlsv1]},
 {implemented_dtls,['dtlsv1.2',dtlsv1]}]

IngelaAndin · 2024-10-09T06:34:56Z

Thanks for the input, I realize now why my attempts of test case fail, and how it slipped through in the first place. The thing is that our own client will only send the version extension when TLS-1.3 is also supported. And I believe this also should be backported to TLS-1.2 clients among with other new TLS-1.3 features already backported.

* ingela/ssl/fix-assert/GH-8908/OTP-19288: ssl: Fix version assertion

ansd added the bug Issue is reported as a bug label Oct 7, 2024

lhoguin mentioned this issue Oct 7, 2024

Make CI known flakes and errors rabbitmq/rabbitmq-server#12413

Open

14 tasks

ansd referenced this issue Oct 7, 2024

ssl: Old server should ignore new extension

f42c076

IngelaAndin added the team:PS Assigned to OTP team PS label Oct 8, 2024

IngelaAndin self-assigned this Oct 8, 2024

IngelaAndin mentioned this issue Oct 8, 2024

ssl: Fix version assertion #8916

Merged

IngelaAndin added a commit that referenced this issue Oct 9, 2024

Merge branch 'ingela/ssl/fix-assert/GH-8908/OTP-19288' into maint

f34d0e5

* ingela/ssl/fix-assert/GH-8908/OTP-19288: ssl: Fix version assertion

IngelaAndin closed this as completed in 031e4d0 Oct 9, 2024

michaelklishin mentioned this issue Oct 10, 2024

Erlang 27.x packages rabbitmq/erlang-rpm#127

Open

jhogberg pushed a commit that referenced this issue Oct 17, 2024

Merge branch 'ingela/ssl/fix-assert/GH-8908/OTP-19288' into maint-27

5bfe5aa

* ingela/ssl/fix-assert/GH-8908/OTP-19288: ssl: Fix version assertion

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

SSL version matching OTP 27.1.1 #8908

SSL version matching OTP 27.1.1 #8908

ansd commented Oct 7, 2024

IngelaAndin commented Oct 8, 2024

IngelaAndin commented Oct 8, 2024

ansd commented Oct 8, 2024

ansd commented Oct 8, 2024

IngelaAndin commented Oct 9, 2024

SSL version matching OTP 27.1.1 #8908

SSL version matching OTP 27.1.1 #8908

Comments

ansd commented Oct 7, 2024

IngelaAndin commented Oct 8, 2024

IngelaAndin commented Oct 8, 2024

ansd commented Oct 8, 2024

ansd commented Oct 8, 2024

IngelaAndin commented Oct 9, 2024