search

erlang / otp

Erlang/OTP
http://erlang.org
Apache License 2.0
11.39k stars 2.96k forks source link

SSL closed (TLS 1.2) on handshake with OTP 27, but not happening on OTP 26 #8910

Closed gfviegas closed 1 month ago

gfviegas commented 1 month ago

Describe the bug :ssl.connect is connecting succesfully with OTP 26 but it's not working with the same arguments in OTP 27.

Im trying to connect to an external web service requiring TLS 1.2 and digital certificates for authentication. After much debugging I noticed all requests from curl, wget and postman were doing just fine but running from OTP not. Then I noticed the SSL connection in OTP was not working properly. After downgrading to OTP 26 it worked as expected.

To Reproduce I tried a SSL connection to a specific host on 3 different machines (in different networks, Linux and MacOS), with OTP 27 and none would connect to it. When using OTP 26 it did.

Expected behavior SSL connection should not be dropped early in OTP 27

Affected versions Tested with 27.0 and 27.1, both affected.

Additional context Sorry, I'm an Elixir engineer here, so sorry for using Interactive Elixir for testing it out.

Here is the reproduction:

  1. Uninstalled OTP and Elixir from my machine. Cleared all cache and deps.
  2. Installed OTP 27.1 (also tried earlier with OTP 27.0) and Elixir 1.17 w/ OTP27
  3. Opened an IEx session.

  4. Ran the following steps:

    :ssl.start()

:ssl.connect('nfe.prefeitura.sp.gov.br', 443, [certfile: 'priv/static/certificates/cert.crt', keyfile: 'priv/static/certificates/cert.key', password: 'REDACTED', verify: :verify_none, versions: [:"tlsv1.2"], log_level: :debug])

and got a {:error, :closed} output

  1. Repeated step 1 and installed OTP 26.2.5.3 and Elixir 1.17 w/ OTP26
  2. Repeated steps 3-4 and got a {:ok, {:sslsocket, {:gen_tcp, #Port<0.4>, :tls_connection, :undefined}, [#PID<0.147.0>, #PID<0.146.0>]}} output instead. Note: in the very same directory with the same certs and password.

Here is the full breakdown and debug logging for both sessions:

Full iEX session with OTP 27 ```elixir Erlang/OTP 27 [erts-15.1.1] [source] [64-bit] [smp:12:12] [ds:12:12:10] [async-threads:1] [jit] Interactive Elixir (1.17.3) - press Ctrl+C to exit (type h() ENTER for help) iex(1)> :ssl.start :ok iex(2)> :ssl.connect('nfe.prefeitura.sp.gov.br', 443, [certfile: 'priv/static/certificates/cert.crt', keyfile: 'priv/static/certificates/cert.key', password: 'REDACTED', verify: :verify_none, versions: [:"tlsv1.2"], log_level: :debug]) >>> TLS 1.2 Handshake, ClientHello [{client_version,{3,3}}, {random, <<103,4,60,130,104,234,111,209,128,76,165,30,187,2,172,17,53,81,43,206, 247,42,202,105,156,135,6,36,45,244,39,49>>}, {session_id,<<>>}, {cookie,undefined}, {cipher_suites, ["TLS_EMPTY_RENEGOTIATION_INFO_SCSV", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CCM","TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8", "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CCM","TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8", "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256", "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384", "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256", "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256"]}, {extensions, #{srp => undefined, signature_algs => {hash_sign_algos, [{sha512,ecdsa}, {sha512,rsa_pss_pss}, {sha512,rsa_pss_rsae}, {sha512,rsa}, {sha384,ecdsa}, {sha384,rsa_pss_pss}, {sha384,rsa_pss_rsae}, {sha384,rsa}, {sha256,ecdsa}, {sha256,rsa_pss_pss}, {sha256,rsa_pss_rsae}, {sha256,rsa}]}, signature_algs_cert => {signature_algorithms_cert, [{sha512,ecdsa}, rsa_pss_pss_sha512,rsa_pss_rsae_sha512, {sha512,rsa}, {sha384,ecdsa}, rsa_pss_pss_sha384,rsa_pss_rsae_sha384, {sha384,rsa}, {sha256,ecdsa}, rsa_pss_pss_sha256,rsa_pss_rsae_sha256, {sha256,rsa}, {sha,rsa}]}, use_srtp => undefined, elliptic_curves => {elliptic_curves, [{1,3,101,110}, {1,3,101,111}, {1,3,132,0,35}, {1,3,36,3,3,2,8,1,1,13}, {1,3,132,0,34}, {1,3,36,3,3,2,8,1,1,11}, {1,2,840,10045,3,1,7}, {1,3,36,3,3,2,8,1,1,7}]}, sni => {sni,"nfe.prefeitura.sp.gov.br"}, max_frag_enum => undefined,alpn => undefined, ec_point_formats => {ec_point_formats,[0]}, next_protocol_negotiation => undefined, renegotiation_info => {renegotiation_info,undefined}}}] 16:54:42.136 [debug] [message: {:client_hello, {3, 3}, <<103, 4, 60, 130, 104, 234, 111, 209, 128, 76, 165, 30, 187, 2, 172, 17, 53, 81, 43, 206, 247, 42, 202, 105, 156, 135, 6, 36, 45, 244, 39, 49>>, "", :undefined, [<<0, 255>>, <<192, 44>>, <<192, 48>>, <<192, 173>>, <<192, 175>>, "̩", "̨", <<192, 43>>, <<192, 47>>, <<192, 172>>, <<192, 174>>, <<192, 46>>, <<192, 50>>, <<192, 45>>, <<192, 49>>, <<0, 159>>, <<0, 163>>, <<0, 158>>, <<0, 162>>, "̪"], %{srp: :undefined, signature_algs: {:hash_sign_algos, [sha512: :ecdsa, sha512: :rsa_pss_pss, sha512: :rsa_pss_rsae, sha512: :rsa, sha384: :ecdsa, sha384: :rsa_pss_pss, sha384: :rsa_pss_rsae, sha384: :rsa, sha256: :ecdsa, sha256: :rsa_pss_pss, sha256: :rsa_pss_rsae, sha256: :rsa]}, signature_algs_cert: {:signature_algorithms_cert, [{:sha512, :ecdsa}, :rsa_pss_pss_sha512, :rsa_pss_rsae_sha512, {:sha512, :rsa}, {:sha384, :ecdsa}, :rsa_pss_pss_sha384, :rsa_pss_rsae_sha384, {:sha384, :rsa}, {:sha256, :ecdsa}, :rsa_pss_pss_sha256, :rsa_pss_rsae_sha256, {:sha256, :rsa}, {:sha, :rsa}]}, use_srtp: :undefined, elliptic_curves: {:elliptic_curves, [{1, 3, 101, 110}, {1, 3, 101, 111}, {1, 3, 132, 0, 35}, {1, 3, 36, 3, 3, 2, 8, 1, 1, 13}, {1, 3, 132, 0, 34}, {1, 3, 36, 3, 3, 2, 8, 1, 1, 11}, {1, 2, 840, 10045, 3, 1, 7}, {1, 3, 36, 3, 3, 2, 8, 1, 1, 7}]}, sni: {:sni, ~c"nfe.prefeitura.sp.gov.br"}, max_frag_enum: :undefined, alpn: :undefined, ec_point_formats: {:ec_point_formats, [0]}, next_protocol_negotiation: :undefined, renegotiation_info: {:renegotiation_info, :undefined}}}, protocol: :handshake, direction: :outbound] writing (213 bytes) TLS 1.2 Record Protocol, handshake 0000 - 16 03 03 00 d0 01 00 00 cc 03 03 67 04 3c 82 68 ...........g.<.h 0010 - ea 6f d1 80 4c a5 1e bb 02 ac 11 35 51 2b ce f7 .o..L......5Q+.. 0020 - 2a ca 69 9c 87 06 24 2d f4 27 31 00 00 28 00 ff *.i...$-.'1..(.. 0030 - c0 2c c0 30 c0 ad c0 af cc a9 cc a8 c0 2b c0 2f .,.0.........+./ 0040 - c0 ac c0 ae c0 2e c0 32 c0 2d c0 31 00 9f 00 a3 .......2.-.1.... 0050 - 00 9e 00 a2 cc aa 01 00 00 7b 00 0b 00 02 01 00 .........{...... 0060 - 00 00 00 1d 00 1b 00 00 18 6e 66 65 2e 70 72 65 .........nfe.pre 0070 - 66 65 69 74 75 72 61 2e 73 70 2e 67 6f 76 2e 62 feitura.sp.gov.b 0080 - 72 00 0a 00 12 00 10 00 1d 00 1e 00 19 00 1c 00 r............... 0090 - 18 00 1b 00 17 00 1a 00 32 00 1c 00 1a 06 03 08 ........2....... 00a0 - 0b 08 06 06 01 05 03 08 0a 08 05 05 01 04 03 08 ................ 00b0 - 09 08 04 04 01 02 01 00 0d 00 1a 00 18 06 03 08 ................ 00c0 - 0b 08 06 06 01 05 03 08 0a 08 05 05 01 04 03 08 ................ 00d0 - 09 08 04 04 01 ..... 16:54:42.140 [debug] [message: [<<22, 3, 3, 0, 208>>, <<1, 0, 0, 204, 3, 3, 103, 4, 60, 130, 104, 234, 111, 209, 128, 76, 165, 30, 187, 2, 172, 17, 53, 81, 43, 206, 247, 42, 202, 105, 156, 135, 6, 36, 45, 244, 39, 49, 0, 0, 40, 0, 255, 192, 44, 192, 48, ...>>], protocol: :record, direction: :outbound] {:error, :closed} ```
gfviegas commented 1 month ago

Broke it into 2 comments to avoid the char limit by Github.

Full iEX session with OTP 26 ```elixir Erlang/OTP 26 [erts-14.2.5.3] [source] [64-bit] [smp:12:12] [ds:12:12:10] [async-threads:1] [jit] Interactive Elixir (1.17.3) - press Ctrl+C to exit (type h() ENTER for help) iex(1)> :ssl.start :ok iex(2)> :ssl.connect('nfe.prefeitura.sp.gov.br', 443, [certfile: 'priv/static/certificates/cert.crt', keyfile: 'priv/static/certificates/cert.key', password: 'REDACTED', verify: :verify_none, versions: [:"tlsv1.2"], log_level: :debug]) >>> TLS 1.2 Handshake, ClientHello [{client_version,{3,3}}, {random, <<103,4,62,25,85,205,96,11,198,163,48,224,67,137,120,24,110,120,251,163, 223,197,245,195,132,162,92,30,153,112,125,212>>}, {session_id,<<>>}, {cookie,undefined}, {cipher_suites, ["TLS_EMPTY_RENEGOTIATION_INFO_SCSV", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CCM","TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CCM","TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8", "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256", "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256", "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256", "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA", "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA","TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "TLS_DHE_DSS_WITH_AES_256_CBC_SHA","TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA"]}, {compression_methods,[0]}, {extensions, #{srp => undefined, signature_algs => {hash_sign_algos, [{sha512,ecdsa}, {sha512,rsa_pss_pss}, {sha512,rsa_pss_rsae}, {sha512,rsa}, {sha384,ecdsa}, {sha384,rsa_pss_pss}, {sha384,rsa_pss_rsae}, {sha384,rsa}, {sha256,ecdsa}, {sha256,rsa_pss_pss}, {sha256,rsa_pss_rsae}, {sha256,rsa}]}, signature_algs_cert => {signature_algorithms_cert, [{sha512,ecdsa}, rsa_pss_pss_sha512,rsa_pss_rsae_sha512, {sha512,rsa}, {sha384,ecdsa}, rsa_pss_pss_sha384,rsa_pss_rsae_sha384, {sha384,rsa}, {sha256,ecdsa}, rsa_pss_pss_sha256,rsa_pss_rsae_sha256, {sha256,rsa}, {sha,rsa}]}, use_srtp => undefined, elliptic_curves => {elliptic_curves, [{1,3,101,110}, {1,3,101,111}, {1,3,132,0,35}, {1,3,36,3,3,2,8,1,1,13}, {1,3,132,0,34}, {1,3,36,3,3,2,8,1,1,11}, {1,2,840,10045,3,1,7}, {1,3,36,3,3,2,8,1,1,7}]}, sni => {sni,"nfe.prefeitura.sp.gov.br"}, max_frag_enum => undefined,alpn => undefined, ec_point_formats => {ec_point_formats,[0]}, next_protocol_negotiation => undefined, renegotiation_info => {renegotiation_info,undefined}}}] 17:01:30.057 [debug] [message: {:client_hello, {3, 3}, <<103, 4, 62, 25, 85, 205, 96, 11, 198, 163, 48, 224, 67, 137, 120, 24, 110, 120, 251, 163, 223, 197, 245, 195, 132, 162, 92, 30, 153, 112, 125, 212>>, "", :undefined, [<<0, 255>>, <<192, 44>>, <<192, 48>>, <<192, 173>>, <<192, 175>>, <<192, 36>>, <<192, 40>>, "̩", "̨", <<192, 43>>, <<192, 47>>, <<192, 172>>, <<192, 174>>, <<192, 46>>, <<192, 50>>, <<192, 38>>, <<192, 42>>, <<192, 45>>, <<192, 49>>, <<192, 35>>, <<192, 39>>, <<192, 37>>, <<192, 41>>, <<0, 159>>, <<0, 163>>, <<0, 107>>, <<0, 106>>, <<0, 158>>, <<0, 162>>, "̪", <<0, 103>>, <<0, 64>>, <<192, 10>>, <<192, 20>>, <<192, 5>>, <<192, 15>>, <<192, 9>>, <<192, 19>>, <<192, 4>>, <<192, 14>>, <<0, 57>>, <<0, ...>>, <<...>>, ...], [0], %{srp: :undefined, signature_algs: {:hash_sign_algos, [sha512: :ecdsa, sha512: :rsa_pss_pss, sha512: :rsa_pss_rsae, sha512: :rsa, sha384: :ecdsa, sha384: :rsa_pss_pss, sha384: :rsa_pss_rsae, sha384: :rsa, sha256: :ecdsa, sha256: :rsa_pss_pss, sha256: :rsa_pss_rsae, sha256: :rsa]}, signature_algs_cert: {:signature_algorithms_cert, [{:sha512, :ecdsa}, :rsa_pss_pss_sha512, :rsa_pss_rsae_sha512, {:sha512, :rsa}, {:sha384, :ecdsa}, :rsa_pss_pss_sha384, :rsa_pss_rsae_sha384, {:sha384, :rsa}, {:sha256, :ecdsa}, :rsa_pss_pss_sha256, :rsa_pss_rsae_sha256, {:sha256, :rsa}, {:sha, :rsa}]}, use_srtp: :undefined, elliptic_curves: {:elliptic_curves, [{1, 3, 101, 110}, {1, 3, 101, 111}, {1, 3, 132, 0, 35}, {1, 3, 36, 3, 3, 2, 8, 1, 1, 13}, {1, 3, 132, 0, 34}, {1, 3, 36, 3, 3, 2, 8, 1, 1, 11}, {1, 2, 840, 10045, 3, 1, 7}, {1, 3, 36, 3, 3, 2, 8, 1, 1, 7}]}, sni: {:sni, ~c"nfe.prefeitura.sp.gov.br"}, max_frag_enum: :undefined, alpn: :undefined, ec_point_formats: {:ec_point_formats, [0]}, next_protocol_negotiation: :undefined, renegotiation_info: {:renegotiation_info, :undefined}}}, protocol: :handshake, direction: :outbound] writing (261 bytes) TLS 1.2 Record Protocol, handshake 0000 - 16 03 03 01 00 01 00 00 fc 03 03 67 04 3e 19 55 ...........g.>.U 0010 - cd 60 0b c6 a3 30 e0 43 89 78 18 6e 78 fb a3 df .`...0.C.x.nx... 0020 - c5 f5 c3 84 a2 5c 1e 99 70 7d d4 00 00 58 00 ff .....\..p}...X.. 0030 - c0 2c c0 30 c0 ad c0 af c0 24 c0 28 cc a9 cc a8 .,.0.....$.(.... 0040 - c0 2b c0 2f c0 ac c0 ae c0 2e c0 32 c0 26 c0 2a .+./.......2.&.* 0050 - c0 2d c0 31 c0 23 c0 27 c0 25 c0 29 00 9f 00 a3 .-.1.#.'.%.).... 0060 - 00 6b 00 6a 00 9e 00 a2 cc aa 00 67 00 40 c0 0a .k.j.......g.@.. 0070 - c0 14 c0 05 c0 0f c0 09 c0 13 c0 04 c0 0e 00 39 ...............9 0080 - 00 38 00 33 00 32 01 00 00 7b 00 0b 00 02 01 00 .8.3.2...{...... 0090 - 00 00 00 1d 00 1b 00 00 18 6e 66 65 2e 70 72 65 .........nfe.pre 00a0 - 66 65 69 74 75 72 61 2e 73 70 2e 67 6f 76 2e 62 feitura.sp.gov.b 00b0 - 72 00 0a 00 12 00 10 00 1d 00 1e 00 19 00 1c 00 r............... 00c0 - 18 00 1b 00 17 00 1a 00 32 00 1c 00 1a 06 03 08 ........2....... 00d0 - 0b 08 06 06 01 05 03 08 0a 08 05 05 01 04 03 08 ................ 00e0 - 09 08 04 04 01 02 01 00 0d 00 1a 00 18 06 03 08 ................ 00f0 - 0b 08 06 06 01 05 03 08 0a 08 05 05 01 04 03 08 ................ 0100 - 09 08 04 04 01 ..... 17:01:30.062 [debug] [message: [<<22, 3, 3, 1, 0>>, <<1, 0, 0, 252, 3, 3, 103, 4, 62, 25, 85, 205, 96, 11, 198, 163, 48, 224, 67, 137, 120, 24, 110, 120, 251, 163, 223, 197, 245, 195, 132, 162, 92, 30, 153, 112, 125, 212, 0, 0, 88, 0, 255, 192, 44, 192, 48, ...>>], protocol: :record, direction: :outbound] reading (4463 bytes) TLS 1.2 Record Protocol, handshake 0000 - 16 03 03 11 6a 02 00 00 4d 03 03 67 04 3e 1a db ....j...M..g.>.. 0010 - d0 8b ad 79 d3 7f c1 5e 59 46 04 3f 8d e8 83 48 ...y...^YF.?...H 0020 - a1 62 7a 89 8e 2a 90 64 dc 00 c3 20 95 18 00 00 .bz..*.d... .... 0030 - 44 3f 73 ab c4 60 5b a1 63 61 b3 6d 17 98 eb 9c D?s..`[.ca.m.... 0040 - 87 c0 a4 16 24 13 20 c4 3c 31 a8 7e c0 28 00 00 ....$. .<1.~.(.. ... REDACTING FOR NOT TAKING MAXIMUM LENGTH 1160 - 5f 86 23 87 03 e3 2a 1b 73 f6 83 0e 00 00 00 _.#...*.s...... 17:01:30.085 [debug] [message: {:ssl_tls, 22, {3, 3}, <<2, 0, 0, 77, 3, 3, 103, 4, 62, 26, 219, 208, 139, 173, 121, 211, 127, 193, 94, 89, 70, 4, 63, 141, 232, 131, 72, 161, 98, 122, 137, 142, 42, 144, 100, 220, 0, 195, 32, 149, 24, 0, 0, 68, 63, ...>>, false}, protocol: :record, direction: :inbound] <<< TLS 1.2 Handshake, ServerHello [{server_version,{3,3}}, {random,<<103,4,62,26,219,208,139,173,121,211,127,193,94,89,70,4,63,141,232, 131,72,161,98,122,137,142,42,144,100,220,0,195>>}, {session_id,<<149,24,0,0,68,63,115,171,196,96,91,161,99,97,179,109,23,152, 235,156,135,192,164,22,36,19,32,196,60,49,168,126>>}, {cipher_suite,"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"}, {compression_method,0}, {extensions,#{alpn => undefined,ec_point_formats => undefined, next_protocol_negotiation => undefined, renegotiation_info => {renegotiation_info,<<0>>}}}] 17:01:30.088 [debug] [message: {:server_hello, {3, 3}, <<103, 4, 62, 26, 219, 208, 139, 173, 121, 211, 127, 193, 94, 89, 70, 4, 63, 141, 232, 131, 72, 161, 98, 122, 137, 142, 42, 144, 100, 220, 0, 195>>, <<149, 24, 0, 0, 68, 63, 115, 171, 196, 96, 91, 161, 99, 97, 179, 109, 23, 152, 235, 156, 135, 192, 164, 22, 36, 19, 32, 196, 60, 49, 168, 126>>, <<192, 40>>, 0, %{alpn: :undefined, ec_point_formats: :undefined, next_protocol_negotiation: :undefined, renegotiation_info: {:renegotiation_info, <<0>>}}}, protocol: :handshake, direction: :inbound] <<< Handshake, Certificate [{asn1_certificates,[<<48,130,6,106,48,130,...>>, <<48,130,4,176,48,130,3,...>>, <<48,130,4,78,48,130,3,54,160,...>>]}] 17:01:30.088 [debug] [message: {:certificate, [<<48, 130, 6, 106, 48, 130, 5, 82, 160, 3, 2, 1, 2, 2, 12, 99, 166, 53, 249, 51, 100, 95, 116, 188, 93, 44, 31, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 11, 5, 0, 48, 83, 49, 11, ...>>, <<48, 130, 4, 176, 48, 130, 3, 152, 160, 3, 2, 1, 2, 2, 16, 119, 189, 14, 7, 66, 213, 217, 233, 208, 73, 215, 116, 208, 42, 111, 154, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 11, 5, ...>>, <<48, 130, 4, 78, 48, 130, 3, 54, 160, 3, 2, 1, 2, 2, 13, 1, 238, 95, 22, 157, 255, 151, 53, 43, 100, 101, 214, 106, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 11, 5, 0, 48, ...>>]}, protocol: :handshake, direction: :inbound] <<< Handshake, ServerKeyExchange [{exchange_keys,<<3,0,25,133,4,1,36,30,140,186,36,56,129,30,133,...>>}] 17:01:30.089 [debug] [message: {:server_key_exchange, <<3, 0, 25, 133, 4, 1, 36, 30, 140, 186, 36, 56, 129, 30, 133, ...>>}, protocol: :handshake, direction: :inbound] <<< Handshake, ServerHelloDone [] 17:01:30.090 [debug] [message: {:server_hello_done}, protocol: :handshake, direction: :inbound] >>> Handshake, ClientKeyExchange [{exchange_keys, {client_ec_diffie_hellman_public, <<4,0,2,194,92,199,165,56,60,102,85,230,102,237,7,131,125,129,99, 236,91,114,97,40,15,83,64,221,199,52,115,209,209,95,254,187,98, 134,72,223,147,231,193,252,175,171,92,216,234,198,122,249,248,48, 163,180,242,141,9,243,237,12,170,72,15,156,194,1,44,210,32,140, 88,51,235,99,52,205,7,180,241,154,12,181,89,209,201,19,64,207,85, 41,238,14,23,28,42,242,119,67,70,231,150,224,123,220,240,146,48, 78,241,238,146,217,63,254,192,182,109,251,153,128,165,31,104,110, 68,110,129,118,159,227,0>>}}] 17:01:30.098 [debug] [message: {:client_key_exchange, {:client_ec_diffie_hellman_public, <<4, 0, 2, 194, 92, 199, 165, 56, 60, 102, 85, 230, 102, 237, 7, 131, 125, 129, 99, 236, 91, 114, 97, 40, 15, 83, 64, 221, 199, 52, 115, 209, 209, 95, 254, 187, 98, 134, 72, 223, 147, 231, 193, 252, 175, ...>>}}, protocol: :handshake, direction: :outbound] writing (143 bytes) TLS 1.2 Record Protocol, handshake 0000 - 16 03 03 00 8a 10 00 00 86 85 04 00 02 c2 5c c7 ..............\. ... REDACTING FOR NOT TAKING MAXIMUM LENGTH 0080 - 6d fb 99 80 a5 1f 68 6e 44 6e 81 76 9f e3 00 m.....hnDn.v... 17:01:30.098 [debug] [message: [<<22, 3, 3, 0, 138>>, <<16, 0, 0, 134, 133, 4, 0, 2, 194, 92, 199, 165, 56, 60, 102, 85, 230, 102, 237, 7, 131, 125, 129, 99, 236, 91, 114, 97, 40, 15, 83, 64, 221, 199, 52, 115, 209, 209, 95, 254, 187, 98, 134, 72, 223, 147, 231, ...>>], protocol: :record, direction: :outbound] writing (6 bytes) TLS 1.2 Record Protocol, change_cipher_spec 0000 - 14 03 03 00 01 01 ...... 17:01:30.098 [debug] [message: [<<20, 3, 3, 0, 1>>, <<1>>], protocol: :record, direction: :outbound] >>> Handshake, Finished [{verify_data,<<145,166,39,87,169,234,255,188,130,123,79,144>>}] 17:01:30.098 [debug] [message: {:finished, <<145, 166, 39, 87, 169, 234, 255, 188, 130, 123, 79, 144>>}, protocol: :handshake, direction: :outbound] writing (101 bytes) TLS 1.2 Record Protocol, handshake 0000 - 16 03 03 00 60 38 22 73 07 3c ea 95 d3 29 65 f8 ....`8"s.<...)e. ... REDACTING FOR NOT TAKING MAXIMUM LENGTH 0060 - 50 88 c7 66 68 P..fh 17:01:30.098 [debug] [message: [<<22, 3, 3, 0, 96>>, <<56, 34, 115, 7, 60, 234, 149, 211, 41, 101, 248, 239, 2, 103, 189, 34, 241, 113, 186, 35, 143, 144, 155, 149, 77, 186, 227, 248, 99, 72, 130, 0, 145, 245, 39, 101, 28, 192, 134, 234, 160, 237, 216, 33, 202, 198, 182, ...>>], protocol: :record, direction: :outbound] reading (6 bytes) TLS 1.2 Record Protocol, change_cipher_spec 0000 - 14 03 03 00 01 01 ...... 17:01:30.120 [debug] [message: {:ssl_tls, 20, {3, 3}, <<1>>, false}, protocol: :record, direction: :inbound] reading (101 bytes) TLS 1.2 Record Protocol, handshake 0000 - 16 03 03 00 60 7b 49 8a 1c e4 87 5a 46 44 58 d0 ....`{I....ZFDX. ... REDACTING FOR NOT TAKING MAXIMUM LENGTH 0060 - 16 a3 91 0c a7 ..... 17:01:30.120 [debug] [message: {:ssl_tls, 22, {3, 3}, <<123, 73, 138, 28, 228, 135, 90, 70, 68, 88, 208, 30, 35, 152, 183, 206, 235, 244, 164, 115, 36, 78, 24, 143, 209, 252, 134, 53, 183, 57, 152, 26, 68, 69, 0, 88, 25, 102, 158, 126, 213, 38, 137, 159, 19, ...>>, false}, protocol: :record, direction: :inbound] <<< Handshake, Finished [{verify_data,<<159,159,45,41,64,12,230,129,249,44,223,41>>}] 17:01:30.120 [debug] [message: {:finished, <<159, 159, 45, 41, 64, 12, 230, 129, 249, 44, 223, 41>>}, protocol: :handshake, direction: :inbound] {:ok, {:sslsocket, {:gen_tcp, #Port<0.4>, :tls_connection, :undefined}, [#PID<0.147.0>, #PID<0.146.0>]}} ```
gfviegas commented 1 month ago

UPDATE: Found out that some ciphers were removed from the default list with OTP 27 in #8250

If anyone finds the same issue, you can override it passing the option ciphers: :ssl.cipher_suites(:all, :"tlsv1.2") or finding out exactly what cipher is missing in your use case.

Thanks!