[erlang-bugs] Incomplete Elliptic Curve Cipher Suites in R16B01 and R16B02
Ingela Anderton Andin
Ingela.Anderton.Andin@REDACTED
Thu Oct 3 09:56:14 CEST 2013
Hi Klaus!
On 10/02/2013 05:48 PM, Klaus Trainer wrote:
> Thanks. I'm not too confident about that test either. I checked with
> an oldish OpenSSL version (1.0.1c) as well and suddenly also had lots of
> cipher suites fail that worked well when testing with OpenSSL 1.0.1.e
> previously.
>
>> If you look closer you willl see that the error is:
>> "140232248637088:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no
>> shared cipher:s3_srvr.c:1353:"
>>
>> After just a quick check of
>>
>> your test of erlang:
>> works not: ECDH-RSA-AES256-SHA384
>> Our test suite: ssl_ECC_SUITE:client_ec_server_ec/1
>>
>> sucessfully negotiaties ECDH-RSA-AES256-SHA384 with openssl in R16B02
>>
>> So I think some of your conclusions where a bit premature.
>> The problems you mentioned in R16B01 are probably fixed in R16B02
>>
> I did see that lots of related fixes went into R16B02. However I still
> have the same problems as with R16B01, i.e., the TLS handshake fails
> both in Chromium (version 28.0 GNU/Linux x86_64) and Firefox (version
> 24.0 GNU/Linux x86_64) as long as I don't disable ecdh cipher suites.
>> Also there is at the moment a documented limitation:
>> "Elliptic Curve cipher suites are supported if crypto supports it and
>> named curves are used."
>>
> I don't know for sure, but maybe this is exactly the problem with some
> browsers.
Does this mean that you can connect to your server with other browsers
without disabling ecdh-suites?
Openssl for instance has a known bug in versions 1.0.0 and 1.0.1a
that will make ecdh-suites fail.
I think its unlikely your server cert does not use a named curve, but
possible of course, you can use the public_key application to inspect
your certificate and check that.
> Please let me know if you think I can provide additional help on that
> issue!
Can you connect to your server using erlang shell as a client
(ssl:connect) ?
Can you connect to your server using openssl s_client from a shell?
If not what errors do you get?
Regards Ingela Erlang/OTP Team - Ericsson AB
More information about the erlang-bugs
mailing list