benoitc / hackney

simple HTTP client in Erlang

bad_cert ssl error for google site #664

Closed gregors closed 3 years ago

gregors commented 3 years ago

This Google URL seems to blow up consistently; it works when I ignore SSL.

https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com

OTP 23 hackney 1.16.0

gregors commented 3 years ago

More information. I have access to a second laptop, where everything works fine btw. So this seems to be specific.

The system that fails: Brand New Big Sur OSX

Erlang/OTP 23 [erts-11.1.3] [source] [64-bit] [smp:16:16] [ds:16:16:10] [async-threads:1] [hipe] [dtrace]

Interactive Elixir (1.11.2) - press Ctrl+C to exit (type h() ENTER for help)
iex(1)> HTTPoison.get("https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com")

07:52:35.311 [info]  TLS :client: In state :wait_cert_cr at ssl_handshake.erl:1952 generated CLIENT ALERT: Fatal - Handshake Failure
 - {:bad_cert, :hostname_check_failed}
{:error,
 %HTTPoison.Error{
   id: nil,
   reason: {:tls_alert,
    {:handshake_failure,
     'TLS client: In state wait_cert_cr at ssl_handshake.erl:1952 generated CLIENT ALERT: Fatal - Handshake Failure\n {bad_cert,hostname_check_failed}'}}
 }}

The system that passes has the same Elixir/Erlang versions with OS Catalina. I have tried completely removing and reinstalling Elixir and Erlang (via brew, btw). So this might be an OS- or environment-specific bug, but if there is anything I can do to help report this better, please let me know.

tomwilsonmerkle commented 3 years ago

I have the same issue

connorjacobsen commented 3 years ago

Are you running on Apple M1 or Intel? I am getting this error with M1 (Elixir 1.11, OTP 23, Hackney 1.16). Everything works fine on the Intel-based Mac on OSX 10. Wondering if it is an M1 issue or an OSX 11 issue (or both). I'm hitting this through ueberauth_google.

Fudoshiki commented 3 years ago

Same issue

iex(1)> HTTPoison.get("https://www.googleapis.com/robot/v1/metadata/x509/40example%40example.iam.gserviceaccount.com")
[info] TLS :client: In state :wait_cert_cr at ssl_handshake.erl:1952 generated CLIENT ALERT: Fatal - Handshake Failure
 - {:bad_cert, :hostname_check_failed}
{:error,
 %HTTPoison.Error{
   id: nil,
   reason: {:tls_alert,
    {:handshake_failure,
     'TLS client: In state wait_cert_cr at ssl_handshake.erl:1952 generated CLIENT ALERT: Fatal - Handshake Failure\n {bad_cert,hostname_check_failed}'}}
 }}

With [ssl: [{:versions, [:'tlsv1.2']}]] it works fine

iex(2)> HTTPoison.get("https://www.googleapis.com/robot/v1/metadata/x509/40example%40example.iam.gserviceaccount.com", [], [ssl: [{:versions, [:'tlsv1.2']}]])
{:ok,
 %HTTPoison.Response{
   body: "{\n  \"937a5067379c98c07a7ca2d10609a7b28c28262d\": \"-----BEGIN CERTIFICATE----- ....

drewrey commented 3 years ago

@connorjacobsen: I'm reproducing this error on an Intel Mac running OSX 11, with Elixir 1.11, OTP 23, Hackney 1.16.

I'm encountering this issue when using auth0_jwks, which is using httpoison.

connorjacobsen commented 3 years ago

~@Fudoshiki I'm not able to get it working when passing in those ssl options. Though I do get exactly the error you list.~

Edit: properly passing the options gets this working for me as well.

chriserik commented 3 years ago

I can confirm this issue with OSX 11, Elixir 1.11, OTP 23 and Hackney 1.16. The same issue also occurs within Alpine-based Docker images built via GitHub Actions, and I also tested on another notebook running Catalina with the same Elixir / OTP versions as above. Other https calls work fine. Setting the ssl version to tlsv1.2 "solves" the issue.
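
Added example (not part of the thread and not hackney's code): a probe that handshakes with the host from this issue once per TLS version while certificate and hostname verification stay explicitly enabled, so a version-specific failure can be told apart from a workaround that only passes because checks were dropped. It calls Erlang's `ssl` module directly, where any option not listed falls back to that module's defaults, and assumes the `certifi` CA bundle is on the code path; `TLSProbe`, `verified_opts/2` and `probe/2` are hypothetical names.

```elixir
defmodule TLSProbe do
  # Host taken from the URL in this issue.
  @host ~c"www.googleapis.com"

  # Build ssl options with verification spelled out, so pinning a protocol
  # version never silently removes the certificate or hostname checks.
  def verified_opts(host, versions) do
    [
      versions: versions,
      verify: :verify_peer,
      # Assumption: certifi (a hackney dependency) provides the CA bundle.
      cacertfile: :certifi.cacertfile(),
      server_name_indication: host,
      # HTTPS hostname-matching rules supplied by public_key.
      customize_hostname_check: [
        match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
      ]
    ]
  end

  # Attempt one handshake per version; return what was negotiated or the
  # error, e.g. a tls_alert carrying {:bad_cert, :hostname_check_failed}.
  def probe(host \\ @host, port \\ 443) do
    {:ok, _} = Application.ensure_all_started(:ssl)

    for version <- [:"tlsv1.3", :"tlsv1.2"] do
      case :ssl.connect(host, port, verified_opts(host, [version]), 5_000) do
        {:ok, socket} ->
          {:ok, info} = :ssl.connection_information(socket, [:protocol])
          :ssl.close(socket)
          {version, {:ok, info[:protocol]}}

        {:error, reason} ->
          {version, {:error, reason}}
      end
    end
  end
end

# The HTTPoison call from the thread, with the version pin and the
# verification options passed together:
#   HTTPoison.get(url, [], ssl: TLSProbe.verified_opts(~c"www.googleapis.com", [:"tlsv1.2"]))
```

If `probe/0` succeeds for one version and fails for the other with verification on in both cases, the problem is tied to the protocol version rather than to the certificate itself.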

benoitc commented 3 years ago

It may be relevant to https://github.com/erlang/otp/commit/addc42df113f8f15fc20e9dff45490b3ce0d3d6b. Did anyone test with an older version of Erlang?

connorjacobsen commented 3 years ago

I have not, but I can later today. OSX 10.X, Elixir 1.11, OTP 23, and Hackney 1.16 had previously worked just fine so I hadn't tried downgrading OTP.

supercodepoet commented 3 years ago

I have run into this issue as well trying to call the Stripe API. I am running:

macOS 11.0.1 Erlang 23.1.5 Elixir 1.11.2 hackney 1.16.0

I tried Erlang 23.0.4 and it still failed. I tried Erlang 22.3.4.13 and it succeeded. We use Docker to build our production images and it uses Ubuntu. Using Erlang 23.1.5 works correctly. Seems it might be an issue with OTP 23 and Big Sur.

evancloutier commented 3 years ago

+1 on running into this!

MacOS 11.0.1 Elixir 1.11.2 (OTP 23) Hackney 1.16.0

I wasn't able to trial and error with different versions of Elixir/Erlang to see what succeeded – this is only happening to me locally, but I'll be docker-composing to avoid this for the time being.

keithpitty commented 3 years ago

I would appear to be encountering the same issue. In my case the error occurs via OAuth2.Client. I originally encountered it on Elixir 1.11.2 (OTP 23) but then also 1.10.4 (OTP 23). Only then did I realise that the common denominator was that I had recently upgraded to MacOS 11.0.1. Uninstalling and reinstalling Erlang and Elixir has had no effect.

benoitc commented 3 years ago

Should be fixed in latest master via 1c4afad99e4c7802627427dd880de37529c86dc4. This change is similar to g-andrade/tls_certificate_check@bae369641519a6d40df069a276ecb63407bff8b6

Please test and let me know.

supercodepoet commented 3 years ago

Pulled the latest from GitHub and ran our entire test suite and our dev environment on:

macOS 11.0.1 Elixir 1.11.2 Erlang 23.1.5

I did not get any errors and everything behaved normally. Thanks!

moomerman commented 3 years ago

Can confirm the same:

Static:

Variable (with hackney 1.16.0)

Using erlang 23.1.5 (via homebrew) with hackney 1c4afad works fine 🥳

connorjacobsen commented 3 years ago

@benoitc Fixes for me. Thank you!

benoitc commented 3 years ago

OK, I will make a release ASAP today. Thanks all for the feedback!

supercodepoet commented 3 years ago

I was wondering if we would be getting a release soon? Thanks.

benoitc commented 3 years ago

It will be published on Monday.

On Sat 12 Dec 2020 at 00:33, Travis Chase notifications@github.com wrote:

I was wondering if we would be getting a release soon? Thanks.
