CLIENT ALERT: Fatal - Handshake Failure for www.gutenberg.org (#8466)
Comments
For the hostname check not to fail you want to use the option {customize_hostname_check, [{match_fun, public_key:pkix_verify_hostname_match_fun(https)}]} to handle wildcard certs. From doc:
But it seems there is something wrong with the chain as I get this result in OTP-27 with or without the customize_hostname_check. Trace of function checking the chain:
Thank you for the quick reply. I tried creating the minimum reproduction but I skipped that detail about hostname, thank you for pointing that out. FWIW a more real world reproduction is this I believe, same result and also on OTP 26.2.5:
Yes and my run also ends up with Bad Certificate alert from the ssl application.
@wojtekmach Hum ... I noticed that the problem with the cert chain is that it has one cert that uses sha (sha1) in its signature algorithm and that is no longer supported by default. So you need to add that. You can allow it just for certificate signatures like this:
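As an added example (not code from the thread or from OTP itself), the Erlang module below assembles the options discussed above: the wildcard-aware hostname match fun plus SHA-1 permitted for certificate signatures only, leaving handshake signatures at the version default. It then reports whether a host's chain validates with the defaults or only once legacy SHA-1 certificate signatures are allowed. It assumes OTP 26 or later for ssl:signature_algs/2 and public_key:cacerts_get/0; the module and function names are mine.

```erlang
%% tls_legacy_cert_check.erl -- added example, not part of the issue thread.
%% Classify how a server's certificate chain validates under OTP's default
%% signature policy versus a policy that accepts SHA-1 *certificate*
%% signatures only (signature_algs_cert), as suggested in the thread.
-module(tls_legacy_cert_check).
-export([base_opts/0, legacy_cert_opts/0, classify/2]).

%% Options every connection gets: verify the chain against the OS trust
%% store (OTP >= 25) and use the https match fun so wildcard certs pass
%% the hostname check instead of failing with a hostname mismatch.
base_opts() ->
    [{verify, verify_peer},
     {cacerts, public_key:cacerts_get()},
     {customize_hostname_check,
      [{match_fun, public_key:pkix_verify_hostname_match_fun(https)}]}].

%% Same options plus the legacy SHA-1 schemes, scoped to certificate
%% signatures. signature_algs (handshake signatures) is left untouched,
%% so the relaxation only affects how the chain is verified.
legacy_cert_opts() ->
    Default = ssl:signature_algs(default, 'tlsv1.3'),
    base_opts() ++
        [{signature_algs_cert, Default ++ [rsa_pkcs1_sha1, ecdsa_sha1]}].

%% classify(Host, Port) -> ok_default | ok_with_legacy_sha1 | {error, term()}
%% ok_with_legacy_sha1 means the chain only validates once SHA-1 certificate
%% signatures are accepted, i.e. something in the chain is SHA-1 signed and
%% the default policy rejects it (seen as a bad_certificate alert).
classify(Host, Port) ->
    case try_connect(Host, Port, base_opts()) of
        ok -> ok_default;
        {error, _DefaultReason} ->
            case try_connect(Host, Port, legacy_cert_opts()) of
                ok -> ok_with_legacy_sha1;
                {error, Reason} -> {error, Reason}
            end
    end.

%% Host is a string; it is also sent as SNI. The socket is closed at once,
%% we only care whether the handshake and chain validation succeeded.
try_connect(Host, Port, Opts) ->
    case ssl:connect(Host, Port, [{server_name_indication, Host} | Opts], 5000) of
        {ok, Sock} -> ssl:close(Sock), ok;
        {error, Reason} -> {error, Reason}
    end.
```

Calling `tls_legacy_cert_check:classify("www.gutenberg.org", 443)` from a shell with the ssl application started gives a quick answer to "is this a broken chain, or a SHA-1 signed one that the defaults refuse".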
Is there scope for a more specific error return for this case? Strictly speaking the certificate is not bad. The specific error case is that the certificate's signature algorithm will not be processed due to client configuration.
We can look into whether at least the logging of the error can be more specific. On the top of my head I can not say if it would be possible to give another TLS-alert, it might be, will check when I am back at work. Will leave this open for future enhancement of error handling.
Make it easier to distinguish between invalid signature and unsupported signature Closes erlang#8466
Make it easier to distinguish between an invalid signature and unsupported signature Closes erlang#8466
@mwhitworth I think unsupported certificate alert could be more appropriate for this case.
Not sure if this is a bug or the server/certificate is misconfigured.
To Reproduce
On OTP 25.3.2.11:
Affected versions
Tested on OTP 25.3.2.11 and 26.2.5.
Additional context
Original report at: elixir-nx/axon#570 (comment)