Apple increasing security of Push service ahead of WWDC

Apple is tightening its push service encryption

Since this morning, Apple has been changing the setting of the push sandbox. This is generally good news, but it means that if your push notification system is written in Erlang, using Erlang stock SSL module, it will not work.

If your are using Erlang SSL to send push notification to Apple, you will need to patch Erlang to avoid the following error:


** {function_clause,[{ssl_cipher,hash_algorithm,"ï",[{file,"ssl_cipher.erl"},{line,1174}]},{ssl_handshake,'-decode_handshake/3-blc$^0/1-0-',1,[{file,"ssl_handshake.erl"},{line,898}]},{ssl_handshake,'-decode_handshake/3-blc$^0/1-0-',1,[{file,"ssl_handshake.erl"},{line,899}]},{ssl_handshake,decode_handshake,3,[{file,"ssl_handshake.erl"},{line,898}]},{tls_handshake,get_tls_handshake_aux,3,[{file,"tls_handshake.erl"},{line,153}]},{tls_connection,next_state,4,[{file,"tls_connection.erl"},{line,454}]},{tls_connection,next_state,4,[{file,"tls_connection.erl"},{line,458}]},{gen_fsm,handle_msg,7,[{file,"gen_fsm.erl"},{line,505}]}]}


The issue is that Erlang SSL implementation crashes on unknown hash and signature algorithms.

We have published a quick workaround for the issue on our own Erlang/OTP repository fork on Github and are hoping to help OTP team reproduce the issue to provide a long term more sustainable patch (as you need to disable completely unknown crypto hashes). In case you need it, the Erlang workaround is there: Do not crash on unknown hash and signature algorithms.

I hope this helps !

Good news for our customers

All our customers are already on the safe side. If you are using ejabberd SaaS, ejabberd Business Edition you are already on the safe side and ready for the production roll out.

It feels good, right ?

Enjoy your week-end !