  1. Setup:

    • Erlang cluster with two Erlang nodes, different names, identical SSL setup (certificates, keys, authority)
    • the two nodes are listening for connections on the same port
    • the accept scheme is simple and doesn't have an acceptor pool in front : ListenSocket = ssl:listen() when the app starts -> then, in the children, I do AcceptSock = ssl:transport_accept(ListenSocket) + ssl:ssl_accept(AcceptSock) + mysup:start_child() which will start a new gen_server to listen on ListenSocket (in the gen_server init() I have timeout == 0, btw - to make the gen_server receive a timeout message which will be handled with handle_info(timeout...) which does the accept scheme above).
  2. Expected behavior:

    • I expect all of this to work all the time :)
  3. Observed behavior:

    • from time to time, one or both servers stop accepting ssl connections from the iOS apps. telnet to that port works - and it even passes transport_accept().
    • from the iOS app, I get a "SSLHandshake failed, error -9806" and it doesn't look like transport_accept() was successful (I have error logging before and after that line and I do not see any error messages printed in the log - theoretically, it looked like the iOS app is not trying to connect to that port, but it did try, because it says SSLHandshake failed).
    • I followed this thread and got the following:

      openssl s_client -connect myserver:4321 -servername myserver -ssl3 -tls1 -prexit
      CONNECTED(00000003)
      write:errno=60
      ---
      no peer certificate available
      ---
      No client certificate CA names sent
      ---
      SSL handshake has read 0 bytes and written 0 bytes
      ---
      New, (NONE), Cipher is (NONE)
      Secure Renegotiation IS NOT supported
      Compression: NONE
      Expansion: NONE
      SSL-Session:
          Protocol  : TLSv1
          Cipher    : 0000
          Session-ID: 
          Session-ID-ctx: 
          Master-Key: 
          Key-Arg   : None
          Start Time: 1460057622
          Timeout   : 7200 (sec)
          Verify return code: 0 (ok)
      ---
      
    • the same command executed against the second server (that is still accepting connections) returns a lot more info and doesn't time out.

Any help is appreciated, thank you.
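An added example, not the asker's code, of the per-connection acceptor gen_server scheme the question describes, written so that a single peer that connects but never finishes the TLS handshake (a telnet session, for instance) cannot hold up the listener: the next acceptor is started right after transport_accept, and the handshake itself is bounded by a timeout. acceptor_sup and the record fields are assumed names; ssl:ssl_accept/2 with a timeout is the OTP API the question uses (newer OTP releases replace it with ssl:handshake/2).

```erlang
%% Added example, not the asker's code: one acceptor gen_server per connection.
%% Assumed names: acceptor_sup is a simple_one_for_one supervisor whose child
%% spec starts this module; the listen socket comes from ssl:listen/2 elsewhere.
-module(ssl_acceptor).
-behaviour(gen_server).
-export([start_link/1]).
-export([init/1, handle_call/3, handle_cast/2, handle_info/2, terminate/2]).

-define(HANDSHAKE_TIMEOUT, 5000).  % ms; caps a peer that never finishes the handshake
-record(state, {lsock, sock}).

start_link(LSock) ->
    gen_server:start_link(?MODULE, LSock, []).

%% Timeout 0 makes gen_server deliver 'timeout' right after init/1 returns,
%% so the blocking accept runs in handle_info/2, not in init/1.
init(LSock) ->
    {ok, #state{lsock = LSock}, 0}.

handle_info(timeout, #state{lsock = LSock} = State) ->
    case ssl:transport_accept(LSock) of
        {ok, AcceptSock} ->
            %% Start the next acceptor BEFORE the handshake, so a peer that
            %% connects and then goes quiet (e.g. a telnet session) only
            %% occupies this process and the listener keeps accepting.
            {ok, _Pid} = supervisor:start_child(acceptor_sup, [LSock]),
            case ssl:ssl_accept(AcceptSock, ?HANDSHAKE_TIMEOUT) of
                ok ->
                    {noreply, State#state{sock = AcceptSock}};
                {error, Reason} ->
                    %% timeout, closed or a handshake failure: log it and drop the socket
                    error_logger:warning_msg("TLS handshake failed: ~p~n", [Reason]),
                    ssl:close(AcceptSock),
                    {stop, normal, State}
            end;
        {error, Reason} ->
            {stop, {transport_accept_failed, Reason}, State}
    end;
handle_info({ssl, Sock, _Data}, #state{sock = Sock} = State) ->
    {noreply, State};   % application data from the client would be handled here
handle_info({ssl_closed, Sock}, #state{sock = Sock} = State) ->
    {stop, normal, State};
handle_info(_Other, State) ->
    {noreply, State}.

handle_call(_Req, _From, State) -> {reply, ok, State}.
handle_cast(_Msg, State) -> {noreply, State}.
terminate(_Reason, #state{sock = undefined}) -> ok;
terminate(_Reason, #state{sock = Sock}) -> ssl:close(Sock).
```

With this ordering a handshake that stalls is logged as a timeout on that one acceptor, which is the first thing to look for when one node stops accepting while transport_accept still succeeds.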

  • `-ssl3 -tls1` makes no sense because the first tries to enforce SSL 3.0 and the second TLS 1.+ which means only one of the options should be used. Also combining `-servername` with `-ssl3` will not work because servername needs SNI extension which is not available with SSL 3.0 – Steffen Ullrich Apr 07 '16 at 21:00
  • I tried all the combinations, but this is the only combination that actually returns something; the rest of them time out. – ihi Apr 07 '16 at 22:02
  • The output from the openssl command is the same as what I get when I try it with a server that immediately closes the connection (`nc -l 4321`). – legoscia Apr 13 '16 at 10:17
  • In my code I have: `lager:info("Listening: ~p:~p ~n", [?FILE, ?LINE]), {ok, AcceptSock} = ssl:transport_accept(LSock), lager:info("got new socket. Before ssl_accept"),` When I do telnet, I see the "Listening ..." message every time I telnet to that port (because it spawns a new child to listen for an incoming connection). When I use my app, absolutely NO messages are printed on the console. – ihi Apr 15 '16 at 23:06

0 Answers