Skip to content

strip out options unsupported in TLS1.3 before listening on socket #313

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
adrigonzo wants to merge 5 commits into from
Closed

strip out options unsupported in TLS1.3 before listening on socket #313

Changes from 3 commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
dc8ba08
strip out options unsupported in TLS1.3 before listening on socket
Feb 5, 2021
4c8e58f
Revert "strip out options unsupported in TLS1.3 before listening on s…
Feb 26, 2021
8aef9e6
strip out options unsupported in TLS1.3 before listening on socket (m…
Feb 26, 2021
67d26b4
check for protocol_versions in Socket Options, drop all occurrences o…
Apr 14, 2021
40c11ff
log warning for dropping TLS1.3-only unsupported Socket Options
Apr 14, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 17 additions & 1 deletion src/ranch_ssl.erl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -129,7 +129,8 @@ do_listen(SocketOpts0, Logger) ->
SocketOpts1 = ranch:set_option_default(SocketOpts0, backlog, 1024),
SocketOpts2 = ranch:set_option_default(SocketOpts1, nodelay, true),
SocketOpts3 = ranch:set_option_default(SocketOpts2, send_timeout, 30000),
SocketOpts = ranch:set_option_default(SocketOpts3, send_timeout_close, true),
SocketOpts4 = ranch:set_option_default(SocketOpts3, send_timeout_close, true),
SocketOpts = strip_usupported_options(SocketOpts4),
%% We set the port to 0 because it is given in the Opts directly.
%% The port in the options takes precedence over the one in the
%% first argument.
Expand Down Expand Up @@ -296,3 +297,18 @@ cleanup(#{socket_opts:=SocketOpts}) ->
end;
cleanup(_) ->
ok.

-spec strip_usupported_options(opts()) -> opts().
strip_usupported_options(SocketOpts) ->
Copy link
Copy Markdown
Contributor

@Maria-12648430 Maria-12648430 Mar 9, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Typo? usupported --> unsupported?

Copy link
Copy Markdown
Author

@adrigonzo adrigonzo Mar 9, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

indeed, thank you for spotting that. The downside of autocomplete once it was written wrong.

case lists:keyfind(versions, 1, SocketOpts) of
Copy link
Copy Markdown
Contributor

@Maria-12648430 Maria-12648430 Mar 9, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is only part of it, ie the versions key in the socket options is not the only place influencing it. According to the ssl docs here, if absent it can also be set by an environment option for the ssl application, and if absent there it defaults to all versions that are supported (which can probably be found out by examining the supported key in the return from ssl:versions()).

Copy link
Copy Markdown
Author

@adrigonzo adrigonzo Mar 9, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't know if you mean that other options could give a value of 'tlsv1.3' for a version number, not only {versions, ['tlsv1.3']}; however, just to clarify, we found that as long as other options are specified in addition to 'tlsv1.3', .e.g. {versions, ['tlsv1.2', 'tlsv1.3']}, then the SSL error does not occur.

Copy link
Copy Markdown
Contributor

@juhlig juhlig Mar 9, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We mean that the versions could be implicitly ['tlsv1.3'] even if you don't specify them at all in the socket options, namely if they are specified in the ssl application environment. Like, try starting your node with erl -ssl protocol_versions "['tlsv1.3']". If you later give other versions in the socket options, that overrides those environment settings, but if you leave them out, the ssl application environment protocol_versions is taken for versions. If that is not defined either, versions default to all supported versions, which is probably more than only ['tlsv1.3'].
So, I guess what I mean is, if you don't find versions in the socket options, see if there is a protocol_versions key in the application environment of ssl, and if that is set to ['tlsv1.3].

{versions, ['tlsv1.3']} ->
Intermediate1 = lists:keydelete(secure_renegotiate, 1, SocketOpts),
Intermediate2 = lists:keydelete(reuse_sessions, 1, Intermediate1),
Intermediate3 = lists:keydelete(next_protocols_advertised, 1, Intermediate2),
lists:keydelete(alpn_preferred_protocols, 1, Intermediate3);
Copy link
Copy Markdown
Contributor

@Maria-12648430 Maria-12648430 Mar 9, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minor detail probably, but this is not exhaustive either. lists:keydelete only removes the first occurrence, but in reality the same option may be given multiple times, pointless as that may be (if it follows the practice used in gen_tcp, not 100% sure for ssl). To be on the safe side, you'll have to lists:filter/2 the socket options.

_ ->
SocketOpts
end;
strip_usupported_options(SocketOpts) ->
Copy link
Copy Markdown
Contributor

@Maria-12648430 Maria-12648430 Mar 9, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This clause is pointless, it will never be reached.

Copy link
Copy Markdown
Author

@adrigonzo adrigonzo Mar 9, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'll remove this. It was inherited from the code, which I'd moved from the acceptors file.

SocketOpts.