Enabling TLS-PSK issue, Erlang missing Ciphers? How would I add new ones?


codew...@gmail.com

Jul 7, 2017, 10:28:59 AM
to Erlang Questions
Hello everyone,

I am currently working on adding PSK functionality to EMQTT and/or RabbitMQ, and my first goal is to get it working in standard Erlang. I have a client that will connect with public-keys, and I am attempting to modify it to suit my needs.

A problem I have just encountered, though, is that Erlang does not seem to have any PSK ciphers. When I run rp(ssl:cipher_suites(erlang)). in the Erlang terminal, I get a long list of ciphers, but none of them are PSK ciphers. For example, a cipher I am looking for is {psk, aes_256, sha512}, but none are psk:

[{ecdhe_ecdsa,aes_256_gcm,null},
 {ecdhe_rsa,aes_256_gcm,null},
 {ecdhe_ecdsa,aes_256_cbc,sha384},
 {ecdhe_rsa,aes_256_cbc,sha384},
... etc


When I run rp(ssl:cipher_suites(openssl)). in the terminal, similarly, there are no psk ciphers.

However, the Erlang documentation for ssl (http://erlang.org/doc/man/ssl.html) clearly states that psk is possible. And my openssl does contain psk ciphers, for that matter. When I run openssl ciphers, two psk ciphers are available:
PSK-AES256-CBC-SHA and PSK-RC4-SHA

So, when I run my program, the server doesn't recognize the suite:

HERE is the output when I try to connect:
Eshell V7.2  (abort with ^G)
1> c(s).
{ok,s}
2> s:start().
<0.52.0>
3> s:client("hello").

=ERROR REPORT==== 7-Jul-2017::10:20:34 ===
Error in process <0.52.0> with exit value:
{{badmatch,{error,closed}},[{s,accept,1,[{file,"s.erl"},{line,13}]}]}
** exception exit: {badmatch,{error,{options,{ciphers,[{psk,aes_256_cbc,
                                                            sha512}]}}}}
     in function  s:client/1 (s.erl, line 36)



Is there any way to add any ciphers to erlang?


- I know/think that I also need to use a lookup_fun on my server in ssl:listen to go and match the psk_identity presented by the client to a profile. I received this link from another thread: https://github.com/erlang/otp/blob/32a1dca92c0f949ef6ce2c751b23aff82f9d998f/lib/ssl/test/ssl_test_lib.erl#L404
pointing me to an example implementation of the lookup_fun (sort of, not really). If anyone can shed more light on this, I would greatly appreciate it. This is the next step once my server begins to recognize the cipher suite.


HERE is my erlang code I am working on to enable psks:

 1  -module(s).
 2  -export([start/0, client/1, accept/1]).
 3
 4  start() ->
 5      ssl:start(),
 6      server(4000).
 7
 8  server(Port) ->
 9      {ok, LSocket} = ssl:listen(Port, [{psk_identity, "abcde"}, {reuseaddr, true}]),
10      spawn(fun() -> accept(LSocket) end).
11
12  accept(LSocket) ->
13      {ok, Socket} = ssl:transport_accept(LSocket),
14      ok = ssl:ssl_accept(Socket),
15      Pid = spawn(fun() ->
16          io:format("Connection accepted ~p~n", [Socket]),
17          loop(Socket)
18      end),
19      ssl:controlling_process(Socket, Pid),
20      accept(LSocket).
21
22  loop(Socket) ->
23      ssl:setopts(Socket, [{active, once}]),
24      receive
25          {ssl,Sock, Data} ->
26              io:format("Got packet: ~p~n", [Data]),
27              ssl:send(Sock, Data),
28              loop(Socket);
29          {ssl_closed, Sock} ->
30              io:format("Closing socket: ~p~n", [Sock]);
31          Error ->
32              io:format("Error on socket: ~p~n", [Error])
33      end.
34
35  client(N) ->
36      {ok, Socket} = ssl:connect("localhost", 4000,  [{ciphers, [{psk, aes_256_cbc, sha512}]}, {psk_identity, "abcde"}]),
37      io:format("Client opened socket: ~p~n",[Socket]),
38      ok = ssl:send(Socket, N),
39      Value = receive
40              {ssl,{sslsocket,new_ssl,_}, Data} ->
41                  io:format("Client received: ~p~n",[Data])
42              after 2000 ->
43                  0
44              end,
45      ssl:close(Socket),
46      Value.
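
Added example, not part of the original post and not OTP's own code: a minimal PSK echo server and client that pass a user_lookup_fun on both sides, written against the OTP 18-era ssl API the post uses (ssl:ssl_accept/1, tuple cipher suites). The module name psk_demo, the key value and the choice of {psk, aes_256_cbc, sha} are assumptions; the suite must be one your release lists in ssl:cipher_suites(all).

```erlang
-module(psk_demo).
-export([start/0, client/3]).

-define(PORT, 4000).
%% Plain-PSK suite; assumed to appear in ssl:cipher_suites(all) on this release.
-define(SUITES, [{psk, aes_256_cbc, sha}]).
%% Constructed identity -> key table. Real keys are random and kept secret.
-define(KEYS, [{<<"abcde">>, <<"constructed-demo-key-0001">>}]).

start() ->
    {ok, _} = application:ensure_all_started(ssl),
    {ok, L} = ssl:listen(?PORT, [{ciphers, ?SUITES}, {reuseaddr, true},
                                 {active, false},
                                 {user_lookup_fun, {fun lookup/3, ?KEYS}}]),
    spawn(fun() -> accept(L) end).

%% ssl calls this during the handshake with the identity the client sent.
lookup(psk, Identity, Keys) ->
    case lists:keyfind(iolist_to_binary(Identity), 1, Keys) of
        {_, Key} -> {ok, Key};
        false    -> error          % unknown identity: handshake is refused
    end;
lookup(_, _, _) ->
    error.

accept(L) ->
    {ok, S} = ssl:transport_accept(L),
    case ssl:ssl_accept(S) of      % use ssl:handshake/1 on OTP 21 and later
        ok ->
            case ssl:recv(S, 0) of
                {ok, Data} -> ssl:send(S, Data);
                {error, _} -> ok
            end,
            ssl:close(S);
        {error, Reason} ->
            io:format("PSK handshake rejected: ~p~n", [Reason])
    end,
    accept(L).

%% The client supplies its own identity and key through the same callback.
client(Identity, Key, Msg) ->
    Opts = [{ciphers, ?SUITES}, {psk_identity, Identity}, {active, false},
            {user_lookup_fun, {fun(psk, _Id, K) -> {ok, K} end, Key}}],
    case ssl:connect("localhost", ?PORT, Opts) of
        {ok, S} ->
            ok = ssl:send(S, Msg),
            Reply = ssl:recv(S, 0, 2000),
            ssl:close(S),
            Reply;
        {error, _} = Error -> Error
    end.
```

After psk_demo:start(), calling psk_demo:client("abcde", <<"constructed-demo-key-0001">>, "hello") should echo the message back, while an identity missing from the table or a different key makes the handshake fail instead of opening a session.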









