
Problem of erlang version when riak-erlang-client connect to riak server with security enabled [JIRA: CLIENTS-564] #232

Open
emnvn opened this issue Sep 3, 2015 · 9 comments

Comments


emnvn commented Sep 3, 2015

Hello,

Currently, I use the riak-erlang-client library to communicate with a Riak server that has security enabled.

It worked well with Erlang versions R15B03 and R16B02.

But this error happens when I use Erlang version 17.x:

"exception error: no match of right hand side value {error,{tcp,closed}}"

I traced this on the server and found this log:

2015-09-01 16:27:44.859 [error] <0.1455.0> gen_fsm <0.1455.0> in state hello terminated with reason: no function clause matching tls_v1:enum_to_oid(28) line 404

Can anyone help me?

Thanks :)

@Basho-JIRA Basho-JIRA changed the title Problem of erlang version when riak-erlang-client connect to riak server with security enabled Problem of erlang version when riak-erlang-client connect to riak server with security enabled [JIRA: CLIENTS-564] Sep 3, 2015
@lukebakken
Contributor

I have done some investigation since I have run into the same issue with the Python client. It appears that only a subset of ciphers can be used. I used the riak_core_security:print_ciphers(). function to get a list of valid ciphers and am confirming which ones do not cause this error.

@lukebakken
Contributor

SSL settings:

tls_protocols.sslv3 = off
tls_protocols.tlsv1 = on
tls_protocols.tlsv1.1 = on
tls_protocols.tlsv1.2 = on
check_crl = off

I ran riak_core_security:print_ciphers(). and, out of the "Valid ciphers" list, only the following did not trigger the tls_v1:enum_to_oid(28) error:

DHE-RSA-AES128-SHA256
DHE-RSA-AES128-SHA
DHE-RSA-AES256-SHA256
DHE-RSA-AES256-SHA
AES128-SHA256
AES128-SHA
AES256-SHA256
AES256-SHA
RC4-SHA

See the "Configuration of TLS and Ciphers" section on this page for configuring ciphers.

@lukebakken
Contributor

Searching Google for tls_v1:enum_to_oid(28) shows that this is a known issue in R16 Erlang releases.

@paulgray

paulgray commented Feb 2, 2016

After providing a list of R16-supported ciphers to riakc_pb_socket:start_link/3 I managed to successfully connect to Riak using an 18.2.1 client:

%% Restrict the cipher suites offered by the client to those the R16-based Riak node accepts.
riakc_pb_socket:start_link(Host, Port, [{credentials, "XXX", "YYY"},
                                        {cacertfile, "/tmp/cacertfile.pem"},
                                        {ssl_opts, [{ciphers, ciphers()}]}]).

-spec ciphers() -> [string()].
ciphers() ->
    ["DHE-RSA-AES128-SHA256",
     "DHE-RSA-AES128-SHA",
     "DHE-RSA-AES256-SHA256",
     "DHE-RSA-AES256-SHA",
     "AES128-SHA256",
     "AES128-SHA",
     "AES256-SHA256",
     "AES256-SHA",
     "RC4-SHA"].

@lukebakken
Contributor

@paulgray - thank you for the update.

@sandergarretsen

Hi,

I'm having the same problem. Trying @paulgray's solution is giving me another error though:

Supervisor riak_api_pb_sup had child undefined started with {riak_api_pb_server,start_link,undefined} at <0.14493.2705> exit with reason {{badarg,[{crypto,rsa_sign_nif,[md5sha,{digest,<<215,...,...>>,...]],...},...]},...} in context child_terminated

Any suggestions?

I'm trying to connect from Erlang/OTP 19 [erts-8.2], by the way.

@lukebakken
Contributor

@sandergarretsen - check out the badarg error:

crypto,rsa_sign_nif,[md5sha

I searched online for that error, and came up with this thread.

Could you provide the output of openssl ciphers for each TLS version?

Also, in your configuration, why do you have tlsv1 commented out?

@sandergarretsen

Hi @lukebakken, thanks for your quick response.

Could you provide the output of openssl ciphers for each TLS version?

$ openssl ciphers -v | grep TLS
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
DHE-DSS-AES256-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA256
ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-RSA-AES256-SHA384  TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(256)  Mac=SHA384
ECDH-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256)  Mac=SHA384
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-DSS-AES128-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA256
ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-RSA-AES128-SHA256  TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(128)  Mac=SHA256
ECDH-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128)  Mac=SHA256
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256

This is the output on the machine running the client... would it help to also run the above command on the Riak node?

Also, in your configuration, why do you have tlsv1 commented out?

To be very honest... I don't really know :s. This was configured quite a while ago by someone who left the team...
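The thread so far gives two lists that have to be reconciled by hand: the suites lukebakken found not to trigger tls_v1:enum_to_oid(28) on the Riak node, and the `openssl ciphers -v` listing from the client machine. The script below is an added example, not code from the riak-erlang-client project or from anyone in this thread. It parses `openssl ciphers -v` lines, reports which allowlisted suites the client's OpenSSL actually offers per protocol version, and flags suites on the allowlist a defender would want to drop (RC4, and static RSA key exchange without forward secrecy). The embedded sample output is constructed from a subset of the lines posted above; the allowlist is the one from the thread.

```python
"""Reconcile a Riak-side cipher allowlist with the client's `openssl ciphers -v` output.

Added example for this thread; not part of riak-erlang-client or Riak.
"""
import re

# Suites that, per this thread, did not trigger tls_v1:enum_to_oid(28) on the Riak node.
RIAK_R16_CIPHERS = [
    "DHE-RSA-AES128-SHA256", "DHE-RSA-AES128-SHA",
    "DHE-RSA-AES256-SHA256", "DHE-RSA-AES256-SHA",
    "AES128-SHA256", "AES128-SHA",
    "AES256-SHA256", "AES256-SHA",
    "RC4-SHA",
]

# Constructed sample: a subset of the `openssl ciphers -v | grep TLS` lines posted above.
SAMPLE_OPENSSL_OUTPUT = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256
"""

# One `openssl ciphers -v` line: NAME PROTO Kx=... Au=... Enc=... Mac=...
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
)


def parse_openssl_ciphers(text):
    """Parse `openssl ciphers -v` output into a list of dicts; unparseable lines are skipped."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            suites.append(m.groupdict())
    return suites


def usable_suites(suites, allowlist):
    """Allowlisted suites the client offers, grouped by protocol version, in allowlist order."""
    by_name = {s["name"]: s for s in suites}
    result = {}
    for name in allowlist:
        suite = by_name.get(name)
        if suite is not None:
            result.setdefault(suite["proto"], []).append(name)
    return result


def weak_suites(suites, allowlist):
    """Allowlist entries a defender should consider removing, with the reason."""
    by_name = {s["name"]: s for s in suites}
    findings = []
    for name in allowlist:
        if "RC4" in name:
            findings.append((name, "RC4 is prohibited for TLS by RFC 7465"))
        suite = by_name.get(name)
        if suite is not None and suite["kx"] == "RSA":
            findings.append((name, "static RSA key exchange: no forward secrecy"))
    return findings


if __name__ == "__main__":
    parsed = parse_openssl_ciphers(SAMPLE_OPENSSL_OUTPUT)
    for proto, names in usable_suites(parsed, RIAK_R16_CIPHERS).items():
        print(f"{proto}: {', '.join(names)}")
    for name, reason in weak_suites(parsed, RIAK_R16_CIPHERS):
        print(f"consider dropping {name}: {reason}")
```

Run it against real output by feeding `openssl ciphers -v` into `parse_openssl_ciphers` instead of the sample. Note that `grep TLS` hides the SHA-1 suites on the allowlist (AES128-SHA, AES256-SHA, RC4-SHA): OpenSSL 1.0.x labels them SSLv3 in `-v` output even though they are usable under TLS 1.0 and later, so compare against the unfiltered listing when deciding which suites the two sides actually share.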

@lukebakken
Contributor

Can you please re-configure your nodes with these settings, re-start, and see if the issue persists?

tls_protocols.sslv3 = off
tls_protocols.tlsv1 = on
tls_protocols.tlsv1.1 = on
tls_protocols.tlsv1.2 = on
check_crl = off
