processone / tsung

Tsung is a high-performance benchmark framework for various protocols including HTTP, XMPP, LDAP, etc.
http://www.process-one.net/en/tsung/

Erlang OTP 26 ssl defaults #405

Open tzirechnoy opened 6 months ago

tzirechnoy commented 6 months ago

OTP 26 changed the default value of the verify option in ssl:connect from verify_none to verify_peer: https://www.erlang.org/blog/otp-26-highlights/#ssl-safer-defaults

This breaks most of the tsung SSL client code.

The final error looks like:

** Reason for termination ==
** {badarg,[{erlang,atom_to_list,
                    [{options,incompatible,
                              [{verify,verify_peer},{cacerts,undefined}]}],
                    [{error_info,#{module => erl_erts_errors}}]},
            {ts_client,reconnect,5,
                       [{file,"src/tsung/ts_client.erl"},{line,1057}]},
            {ts_client,handle_next_request,2,
                       [{file,"src/tsung/ts_client.erl"},{line,834}]},
            {gen_fsm,handle_msg,8,[{file,"gen_fsm.erl"},{line,475}]},
            {proc_lib,init_p_do_apply,3,[{file,"proc_lib.erl"},{line,241}]}]}

Here is a quick and dirty patch, to possibly fix the issue:

diff --git a/src/tsung/ts_bosh.erl b/src/tsung/ts_bosh.erl
index 7ffc95d..aa1dd56 100644
--- a/src/tsung/ts_bosh.erl
+++ b/src/tsung/ts_bosh.erl
@@ -563,7 +563,7 @@ socket_connect(ssl, Host, Port, Options, Timeout) ->
 %    {ok, S} = gen_tcp:connect(Host, Port, [{active, false}|ForConnection], Timeout),
 %    ssl:connect(S, ForSSL, Timeout).
 %   ?LOGF("Connect ~p", [ForSSL], ?ERR),
-     ssl:connect(Host, Port, [{ssl_imp, new}|Options], Timeout).
+     ssl:connect(Host, Port, [{ssl_imp, new}|Options] ++ [{verify, verify_none}], Timeout).

 socket_send(tcp, Socket, Data) ->
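Review bot: Appending `{verify, verify_none}` to `Options` leaves two `verify` entries in the list whenever the caller already passed one, and which of them takes effect then depends on how `ssl` resolves duplicate keys, so a scenario that deliberately asks for `verify_peer` may be silently downgraded. Add the fallback only when the key is absent, e.g. `SslOpts = case proplists:is_defined(verify, Options) of true -> Options; false -> [{verify, verify_none} | Options] end`, and pass `[{ssl_imp, new} | SslOpts]` to `ssl:connect/4`. The same applies to the changed calls in ts_server_websocket_ssl.erl, ts_ssl.erl and ts_ssl6.erl. The body of `socket_connect/5` starts above this hunk, so whether `Options` can carry a `verify` entry here is not visible.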
diff --git a/src/tsung/ts_server_websocket_ssl.erl b/src/tsung/ts_server_websocket_ssl.erl
index 2c4ef27..d224e30 100644
--- a/src/tsung/ts_server_websocket_ssl.erl
+++ b/src/tsung/ts_server_websocket_ssl.erl
@@ -60,7 +60,7 @@ connect(Host, Port, Opts, Timeout) ->
     Protocol = WSConfig#ws_config.subprotos,
     Origin = WSConfig#ws_config.origin,

-    case ssl:connect(Host, Port, opts_to_tcp_opts(TcpOpts),Timeout) of
+    case ssl:connect(Host, Port, opts_to_tcp_opts(TcpOpts) ++ [{verify, verify_none}],Timeout) of
         {ok, Socket} ->
             Pid = spawn_link(
                     fun() ->
diff --git a/src/tsung/ts_ssl.erl b/src/tsung/ts_ssl.erl
index 6f90172..7cee106 100644
--- a/src/tsung/ts_ssl.erl
+++ b/src/tsung/ts_ssl.erl
@@ -37,10 +37,10 @@ connect(Host, Port, Opts) when is_list(Host) ->
     connect(Host, Port, opts_to_tcp_opts(Opts), infinity);

 connect(Socket, Opts, ConnectTimeout) ->
-    ssl:connect(Socket, opts_to_tcp_opts(Opts), ConnectTimeout).
+    ssl:connect(Socket, opts_to_tcp_opts(Opts) ++ [{verify, verify_none}], ConnectTimeout).

 connect(Host, Port, Opts, ConnectTimeout) ->
-    ssl:connect(Host, Port, opts_to_tcp_opts(Opts), ConnectTimeout).
+    ssl:connect(Host, Port, opts_to_tcp_opts(Opts) ++ [{verify, verify_none}], ConnectTimeout).

 connect(Socket, Opts) ->
     connect(Socket, Opts, infinity).
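Review bot: Nothing at the two changed `ssl:connect` calls in ts_ssl.erl records why peer verification is switched off, so in a later audit the setting will read as an oversight rather than a decision. I would put a comment above each call, for example `%% OTP 26 made verify_peer the default; keep the pre-26 behaviour (server certificate is not checked)`. The literal `[{verify, verify_none}]` is also repeated in five modules by this patch; building it in one exported helper (ts_ssl looks like the natural home) would leave a single place to document and later change it.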
diff --git a/src/tsung/ts_ssl6.erl b/src/tsung/ts_ssl6.erl
index f0d5bf3..223b8aa 100644
--- a/src/tsung/ts_ssl6.erl
+++ b/src/tsung/ts_ssl6.erl
@@ -42,10 +42,10 @@ connect(Host, Port, Opts) when is_list(Host) ->
     connect(Host, Port, Opts, infinity);

 connect(Socket, Opts, ConnectTimeout) ->
-    ssl:connect(Socket, Opts, ConnectTimeout).
+    ssl:connect(Socket, Opts ++ [{verify, verify_none}], ConnectTimeout).

 connect(Host, Port, Opts, ConnectTimeout) ->
-    ssl:connect(Host, Port, Opts, ConnectTimeout).
+    ssl:connect(Host, Port, Opts ++ [{verify, verify_none}], ConnectTimeout).

 connect(Socket, Opts) ->
     connect(Socket, Opts, infinity).
diff --git a/src/tsung_recorder/ts_proxy_http.erl b/src/tsung_recorder/ts_proxy_http.erl
index ca23646..484809f 100644
--- a/src/tsung_recorder/ts_proxy_http.erl
+++ b/src/tsung_recorder/ts_proxy_http.erl
@@ -260,7 +260,7 @@ connect(Scheme, Host, Port)->
     case Scheme of
         https ->
             {ok, _} = ssl:connect(Host,Port,
-                                 [{active, once}]);
+                                 [{active, once}] ++ [{verify, verify_none}]);
         _  ->
             {ok, _} = gen_tcp:connect(Host,Port,
                                       [{active, once},
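Review bot: In the `https` branch the recorder's upstream connection now never checks the server certificate, and unlike the load-generator modules this path relays a real browser session, so anything the user submits while recording goes to a server whose identity was not verified. Since the option list here is a fixed literal, this is the one call where verification could be kept instead, e.g. `[{active, once}, {verify, verify_peer}, {cacerts, public_key:cacerts_get()}]` if the minimum supported OTP release provides `public_key:cacerts_get/0`. If `verify_none` stays, write it as the single list `[{active, once}, {verify, verify_none}]` rather than concatenating two literals with `++`. The `case` expression continues past the end of the hunk.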
SkyZySR commented 4 months ago

I have the same problem.

RomaniukVadim commented 11 hours ago

Same problem here, but I think it would be better to add an option such as <set_option name="ssl_verify" value="verify_none"/>. Forcing verify_none is bad, but users should have the option to disable this verification.