Avoid misleading error information for delayed TLS 1.3 alerts #341
Comments
|
Can you prepare a small example using only the |
|
You meant how to reproduce right? I made some simple example Example output:
|
|
Yes, thank you. |
|
I don't think we need to do anything about this, as this has been fixed in OTP in erlang/otp#8823 |
|
That doesn't change the above behaviour. There were situations where the alert could be lost.
ssl:send will never return any alert regardless of that fix.
…-------- Original message --------
From: Loïc Hoguin ***@***.***>
Date: 06/11/2024 14:40 (GMT+01:00)
To: ninenines/gun ***@***.***>
Cc: JeppeTh ***@***.***>, Author ***@***.***>
Subject: Re: [ninenines/gun] Avoid misleading error information for delayed TLS 1.3 alerts (Issue #341)
I don't think we need to do anything about this, as this has been fixed in OTP in erlang/otp#8823<erlang/otp#8823>
—
Reply to this email directly, view it on GitHub<#341 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/ABBEXN7MPYRCS2POJX7AASLZ7IL3BAVCNFSM6AAAAABRF6MT5SVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDINJZG44DCNZTGY>.
You are receiving this because you authored the thread.Message ID: ***@***.***>
|
|
Let me see with OTP team if this should be done for more functions. |
|
setopts can fail as well at least.
…-------- Original message --------
From: Loïc Hoguin ***@***.***>
Date: 06/11/2024 15:46 (GMT+01:00)
To: ninenines/gun ***@***.***>
Cc: JeppeTh ***@***.***>, Author ***@***.***>
Subject: Re: [ninenines/gun] Avoid misleading error information for delayed TLS 1.3 alerts (Issue #341)
Let me see with OTP team if this should be done for more functions.
—
Reply to this email directly, view it on GitHub<#341 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/ABBEXN6LWFQZPI7YDDFF523Z7ITTXAVCNFSM6AAAAABRF6MT5SVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDINJZHE2DMMBXGQ>.
You are receiving this because you authored the thread.Message ID: ***@***.***>
|
|
I updated my example a bit - additional example output of some function calls. I also added a receive in the end to check if there's an alert in the queue
|
When it comes to mTLS TLS 1.3 is not very well designed since the client considers the handshake to be successful before the server has performed it's verification of the client.
If that verification fails it means that the client will receive the TLS alert after ssl:connect has successfully returned.
For such case socket operations like send, setopts etc. will return {error, closed | einval} instead of the tls_alert().
This all leads to that the Gun users get misleading failures.
This can be solved by letting gun check it's message queue for {ssl_error, Socket, tls_alert()} when failing with closed | einval.
Needs to be done with a short timeout since the error can be returned before the process receives the alert.
Requires active mode from the start (at least it makes things simpler).
To avoid delay of normal close this can be avoided if TLS 1.3 isn't a candidate, or if the socket has been confirmed (=data received).
The text was updated successfully, but these errors were encountered: