basho / riak-erlang-client

The Riak client for Erlang.
Apache License 2.0

Problem of erlang version when riak-erlang-client connect to riak server with security enabled [JIRA: CLIENTS-564] #232

Open emnvn opened 8 years ago

emnvn commented 8 years ago

Hello,

Currently, I use the riak-erlang-client library to communicate with a Riak server that is in security-enabled mode.

It worked well with Erlang versions R15B03 and R16B02.

But this error happens when I use Erlang version 17.x:

"exception error: no match of right hand side value {error,{tcp,closed}}"

I traced it on the server and found this log: " 2015-09-01 16:27:44.859 [error] <0.1455.0> gen_fsm <0.1455.0> in state hello terminated with reason: no function clause matching tls_v1:enum_to_oid(28) line 404 "

Can anyone help me?

Thanks :)

lukebakken commented 8 years ago

I have done some investigation since I have run into the same issue with the Python client. It appears that only a subset of ciphers can be used. I used the riak_core_security:print_ciphers(). function to get a list of valid ciphers and am confirming which ones do not cause this error.

lukebakken commented 8 years ago

SSL settings:

tls_protocols.sslv3 = off
tls_protocols.tlsv1 = on
tls_protocols.tlsv1.1 = on
tls_protocols.tlsv1.2 = on
check_crl = off

I ran riak_core_security:print_ciphers(). and, out of the "Valid ciphers" list, only the following did not trigger the tls_v1:enum_to_oid(28) error:

DHE-RSA-AES128-SHA256
DHE-RSA-AES128-SHA
DHE-RSA-AES256-SHA256
DHE-RSA-AES256-SHA
AES128-SHA256
AES128-SHA
AES256-SHA256
AES256-SHA
RC4-SHA

See the "Configuration of TLS and Ciphers" section on this page for configuring ciphers.

lukebakken commented 8 years ago

Searching Google for tls_v1:enum_to_oid(28) shows that this is a known issue in R16 Erlang releases.

paulgray commented 8 years ago

After providing a list of R16-supported ciphers to riakc_pb_socket:start_link/3 I managed to successfully connect to Riak using an 18.2.1 client:

riakc_pb_socket:start_link(Host, Port, [{credentials, "XXX", "YYY"},
                                        {cacertfile, "/tmp/cacertfile.pem"},
                                        {ssl_opts, [{ciphers, ciphers()}]}]).

%% Cipher suites the server accepts without the tls_v1:enum_to_oid(28) error
%% (the list from lukebakken's comment above).
-spec ciphers() -> [string()].
ciphers() ->
    ["DHE-RSA-AES128-SHA256",
     "DHE-RSA-AES128-SHA",
     "DHE-RSA-AES256-SHA256",
     "DHE-RSA-AES256-SHA",
     "AES128-SHA256",
     "AES128-SHA",
     "AES256-SHA256",
     "AES256-SHA",
     "RC4-SHA"].

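
As an added example (not code from this thread or from the riak-erlang-client project): a small module that takes the server-accepted list from lukebakken's comment, leaves out RC4-SHA, keeps only the suites the local OTP release can actually negotiate, and passes the result in ssl_opts. It assumes ssl:cipher_suites(openssl) returns OpenSSL-style suite names (as it does on OTP 17 through 19, the releases discussed here); Host, Port, User, Password and CaCertFile are placeholders supplied by the caller.

```erlang
-module(riak_tls_connect).
-export([connect/5, ciphers/0, usable_ciphers/0]).

%% Suites the Riak server in this thread accepted without the
%% tls_v1:enum_to_oid(28) error. RC4-SHA is left out on purpose: RC4 is a
%% broken stream cipher and the AES suites already cover every server here.
-spec ciphers() -> [string()].
ciphers() ->
    ["DHE-RSA-AES128-SHA256",
     "DHE-RSA-AES128-SHA",
     "DHE-RSA-AES256-SHA256",
     "DHE-RSA-AES256-SHA",
     "AES128-SHA256",
     "AES128-SHA",
     "AES256-SHA256",
     "AES256-SHA"].

%% Keep only the suites this OTP release supports, preserving the preference
%% order above. Assumption: ssl:cipher_suites(openssl) returns OpenSSL-style
%% names such as "DHE-RSA-AES128-SHA256" (true on OTP 17-19).
-spec usable_ciphers() -> [string()].
usable_ciphers() ->
    Supported = ssl:cipher_suites(openssl),
    [C || C <- ciphers(), lists:member(C, Supported)].

%% Connect with the restricted cipher list. verify_peer is set explicitly so
%% the handshake fails unless the server certificate chains to CaCertFile;
%% an empty usable list is reported instead of silently falling back to the
%% OTP default suite list, which is what triggers the server-side error.
-spec connect(string(), inet:port_number(), string(), string(), file:filename())
      -> {ok, pid()} | {error, term()}.
connect(Host, Port, User, Password, CaCertFile) ->
    {ok, _} = application:ensure_all_started(ssl),
    case usable_ciphers() of
        [] ->
            {error, no_usable_ciphers};
        Ciphers ->
            riakc_pb_socket:start_link(Host, Port,
                [{credentials, User, Password},
                 {cacertfile, CaCertFile},
                 {ssl_opts, [{ciphers, Ciphers},
                             {verify, verify_peer}]}])
    end.
```

On a client whose OTP release supports none of the listed suites, connect/5 returns {error, no_usable_ciphers} before any network traffic, which is easier to diagnose than the {error,{tcp,closed}} seen in the original report.
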
lukebakken commented 8 years ago

@paulgray - thank you for the update.

sandergarretsen commented 7 years ago

Hi,

I'm having the same problem. Trying @paulgray's solution is giving me another error though:

Supervisor riak_api_pb_sup had child undefined started with {riak_api_pb_server,start_link,undefined} at <0.14493.2705> exit with reason {{badarg,[{crypto,rsa_sign_nif,[md5sha,{digest,<<215,...,...>>,...]],...},...]},...} in context child_terminated

Any suggestions?

I'm trying to connect from Erlang/OTP 19 [erts-8.2], by the way.

lukebakken commented 7 years ago

@sandergarretsen - check out the badarg error:

crypto,rsa_sign_nif,[md5sha

I searched online for that error, and came up with this thread.

Could you provide the output of openssl ciphers for each TLS version?

Also, in your configuration, why do you have tlsv1 commented out?

sandergarretsen commented 7 years ago

Hi @lukebakken, Thanks for your quick response.

Could you provide the output of openssl ciphers for each TLS version?

$ openssl ciphers -v | grep TLS
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
DHE-DSS-AES256-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA256
ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-RSA-AES256-SHA384  TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(256)  Mac=SHA384
ECDH-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256)  Mac=SHA384
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-DSS-AES128-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA256
ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-RSA-AES128-SHA256  TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(128)  Mac=SHA256
ECDH-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128)  Mac=SHA256
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256

This is the output on the machine running the client... does it help to also output above command on the riak-node?

Also, in your configuration, why do you have tlsv1 commented out?

To be very honest... I don't really know :s. This was configured quite a while ago by someone who left the team...

lukebakken commented 7 years ago

Can you please re-configure your nodes with these settings, re-start, and see if the issue persists?

tls_protocols.sslv3 = off
tls_protocols.tlsv1 = on
tls_protocols.tlsv1.1 = on
tls_protocols.tlsv1.2 = on
check_crl = off