rabbitmq / erlang-rpm

Latest Erlang/OTP releases packaged as a zero dependency RPM, just enough for running RabbitMQ
https://rabbitmq.com/install-rpm.html

Client TLS sockets fail with a handshake failure due to missing EC curves #68

Closed l1x closed 5 years ago

l1x commented 5 years ago

This might be coming from the recent changes of OTP but I cannot get HTTPS to work on CentOS 7.

RPM: https://github.com/rabbitmq/erlang-rpm/releases/download/v21.2.1/erlang-21.2.1-1.el7.centos.x86_64.rpm

CentOS: https://aws.amazon.com/marketplace/pp/B00O7WM7QW

CentOS 7 18.05

[centos@ip-172-172-3-49 helix]$ env MIX_ENV=prod mix release
Could not find Hex, which is needed to build dependency :plug_cowboy
Shall I install Hex? (if running non-interactively, use "mix local.hex --force") [Yn] Y

18:12:32.462 [info]  ['TLS', 32, 'client', 58, 32, 73, 110, 32, 115, 116, 97, 116, 101, 32, 'hello', 32, 'received SERVER ALERT: Fatal - Handshake Failure', 10]
** (Mix) httpc request failed with: {:failed_connect, [{:to_address, {'repo.hex.pm', 443}}, {:inet6, [:inet6], :enetunreach}, {:inet, [:inet], {:tls_alert, 'handshake failure'}}]}

Could not install Hex because Mix could not download metadata at https://repo.hex.pm/installs/hex-1.x.csv.

Is there a workaround to get this working or do I need to fix the source code?

Thanks.

michaelklishin commented 5 years ago

Thank you for your time.

Team RabbitMQ uses GitHub issues for specific actionable items engineers can work on. GitHub issues are not used for questions, investigations, root cause analysis, discussions of potential issues, etc (as defined by this team).

We get at least a dozen questions through various venues every single day, often light on details. At that rate GitHub issues can very quickly turn into something impossible to navigate and make sense of even for our team. Because GitHub is a tool our team uses heavily nearly every day, the signal/noise ratio of issues is something we care about a lot.

Please post this to rabbitmq-users.

Thank you.

michaelklishin commented 5 years ago

There isn't a whole lot of evidence that the problem is in any way related to the patches applied in this package. We see bugs in Erlang's TLS implementation from time to time, some are introduced by quite a number of internal changes around TLS (e.g. 21.2.1 release notes mention one such case).

You can try building OTP using kerl to compare or try a different host. This package is produced from the official OTP source tarball and the only crypto-related patch is tiny.

michaelklishin commented 5 years ago

I can reproduce with just a TLS socket:

application:ensure_all_started(ssl).

ssl:connect("amazon.com", 443,  [], infinity).

but haven't compared to a kerl-built version or 21.2.1 on a different host. I don't have any working theories as to what in this package could break TLS negotiation but there don't seem to be any new bugs filed for OTP.

michaelklishin commented 5 years ago

A kerl-produced 21.2.1 version connects successfully on a different host and OS.

michaelklishin commented 5 years ago

There are no EC curves with this package:

> crypto:ec_curves().
[]
5> crypto:supports(). 
[{hashs,[sha,sha224,sha256,sha384,sha512,md4,md5,ripemd160]},
 {ciphers,[des3_cbc,des_ede3,des3_cbf,des3_cfb,aes_cbc,
           aes_cbc128,aes_cfb8,aes_cfb128,aes_cbc256,aes_ctr,aes_ecb,
           aes_gcm,aes_ccm,aes_ige256,des_cbc,des_cfb,des_ecb,
           blowfish_cbc,blowfish_cfb64,blowfish_ofb64,blowfish_ecb,
           rc2_cbc,rc4]},
 {public_keys,[rsa,dss,dh,srp]},
 {macs,[hmac,cmac]},
 {curves,[]},
 {rsa_opts,[rsa_pkcs1_pss_padding,rsa_pss_saltlen,
            rsa_mgf1_md,rsa_pkcs1_oaep_padding,signature_md,
            rsa_pkcs1_padding,rsa_x931_padding,rsa_sslv23_padding,
            rsa_no_padding]}]

with

[antares@localhost Downloads]$ openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017
[antares@localhost Downloads]$ openssl ciphers
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DH-DSS-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DH-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DH-RSA-AES256-SHA256:DH-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DH-RSA-AES256-SHA:DH-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:DH-RSA-CAMELLIA256-SHA:DH-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DH-DSS-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DH-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DH-RSA-AES128-SHA256:DH-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DH-RSA-AES128-SHA:DH-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DH-RSA-SEED-SHA:DH-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:DH-RSA-CAMELLIA128-SHA:DH-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DH-RSA-DES-CBC3-SHA:DH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:IDEA-CBC-SHA:PSK-3DES-EDE-CBC-SHA:KRB5-IDEA-CBC-SHA:KRB5-DES-CBC3-SHA:KRB5-IDEA-CBC-MD5:KRB5-DES-CBC3-MD5:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:KRB5-RC4-SHA:KRB5-RC4-MD5

michaelklishin commented 5 years ago

@Gsantomaggio this starts to look like a side effect of https://github.com/rabbitmq/erlang-rpm/pull/65. I'd need to produce a version without it to compare (in a day or two).

Gsantomaggio commented 5 years ago

Yes, going to roll it back

michaelklishin commented 5 years ago

With 21.2.2 I can successfully open a TLS-enabled client socket and EC cipher suites are available again:

1> application:ensure_all_started(ssl).
{ok,[crypto,asn1,public_key,ssl]}
2> 
2> ssl:connect("amazon.com", 443,  [], infinity).
{ok,{sslsocket,{gen_tcp,#Port<0.6>,tls_connection,undefined},
               [<0.104.0>,<0.103.0>]}}
3> crypto:supports().
[{hashs,[sha,sha224,sha256,sha384,sha512,md4,md5,ripemd160]},
 {ciphers,[des3_cbc,des_ede3,des3_cbf,des3_cfb,aes_cbc,
           aes_cbc128,aes_cfb8,aes_cfb128,aes_cbc256,aes_ctr,aes_ecb,
           aes_gcm,aes_ccm,aes_ige256,des_cbc,des_cfb,des_ecb,
           blowfish_cbc,blowfish_cfb64,blowfish_ofb64,blowfish_ecb,
           rc2_cbc,rc4]},
 {public_keys,[rsa,dss,dh,ecdsa,ecdh,srp]},
 {macs,[hmac,cmac]},
 {curves,[secp160k1,secp160r1,secp160r2,secp192r1,secp192k1,
          secp224k1,secp224r1,secp256k1,secp256r1,secp384r1,secp521r1,
          prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,
          prime239v3,prime256v1,wtls7,wtls9,wtls12,brainpoolP160r1|...]},
 {rsa_opts,[rsa_pkcs1_pss_padding,rsa_pss_saltlen,
            rsa_mgf1_md,rsa_pkcs1_oaep_padding,signature_md,
            rsa_pkcs1_padding,rsa_x931_padding,rsa_sslv23_padding,
            rsa_no_padding]}]

l1x commented 5 years ago

You guys are amazing! Thanks.
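
The diagnosis in this thread (an empty `curves` list and no `ecdh`/`ecdsa` entries in `crypto:supports()`) can be turned into a post-install check for an Erlang package. The following is an added example, not code from the thread or from the erlang-rpm project; the module name `ec_smoke`, its functions and the sample suite list are assumptions made for illustration, and it relies only on `crypto:supports/0` as shown above.

```erlang
%% ec_smoke.erl: added example, not part of the thread or the erlang-rpm project.
%% Post-install check that the crypto application was built with EC support.
-module(ec_smoke).
-export([check/1, usable_suites/2, demo/0, run/0]).

%% Key exchanges that need elliptic-curve support from libcrypto.
-define(EC_KEX, [ecdhe_ecdsa, ecdhe_rsa, ecdh_ecdsa, ecdh_rsa, ecdh_anon, ecdhe_psk]).

%% Supports is the proplist returned by crypto:supports().
check(Supports) ->
    Curves = proplists:get_value(curves, Supports, []),
    PubKeys = proplists:get_value(public_keys, Supports, []),
    Problems = [no_curves || Curves =:= []] ++
        [{missing_public_key, K} || K <- [ecdh, ecdsa],
                                    not lists:member(K, PubKeys)],
    case Problems of
        [] -> ok;
        _ -> {error, Problems}
    end.

%% Drop the suites (maps in the shape used by ssl:cipher_suites/2) that the
%% build cannot offer; with no EC support every ECDHE/ECDH suite disappears.
usable_suites(Supports, Suites) ->
    HasEC = check(Supports) =:= ok,
    [S || #{key_exchange := Kex} = S <- Suites,
          HasEC orelse not lists:member(Kex, ?EC_KEX)].

%% Constructed sample data, abbreviated from the two outputs in the thread.
demo() ->
    Broken = [{public_keys, [rsa, dss, dh, srp]}, {curves, []}],
    Fixed = [{public_keys, [rsa, dss, dh, ecdsa, ecdh, srp]},
             {curves, [secp256r1, secp384r1, secp521r1]}],
    Suites = [#{key_exchange => ecdhe_rsa, cipher => aes_256_gcm, mac => aead, prf => sha384},
              #{key_exchange => dhe_rsa, cipher => aes_256_gcm, mac => aead, prf => sha384},
              #{key_exchange => rsa, cipher => aes_128_cbc, mac => sha, prf => default_prf}],
    [{broken, check(Broken), length(usable_suites(Broken, Suites))},
     {fixed, check(Fixed), length(usable_suites(Fixed, Suites))}].

%% Run against the live VM: erl -noshell -s ec_smoke run
run() ->
    {ok, _} = application:ensure_all_started(crypto),
    case check(crypto:supports()) of
        ok -> io:format("EC support present~n"), halt(0);
        {error, Why} -> io:format("EC support missing: ~p~n", [Why]), halt(1)
    end.
```

Compiled with `erlc ec_smoke.erl`, the `run/0` entry point exits non-zero on a build like the 21.2.1 package described here, which makes it usable as a gate in a package build or CI step before a release is published.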