[erlang-bugs] Incomplete Elliptic Curve Cipher Suites in R16B01 and R16B02

Andrew Thompson <>
Fri Oct 4 20:49:04 CEST 2013


I'm not sure openssl s_client supports TLS 1.2. If you look at the
errors the s_client spits out (by removing the dev null redirection) I
get:

139688779572880:error:1407742F:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1
alert insufficient security:s23_clnt.c:741:

exactly as many times as I get 'work not' from the output. As I
understand it, this means the server is asking for a ciphersuites that
the client does not support.

Apparently gnutls-cli supports tls 1.2, although I can't get gnutls to
connect to the erl_ssl_test server under R16B02, it only reports

GnuTLS error: An illegal TLS extension was received.

When I try to do:

gnutls-cli -p 5555 localhost --x509cafile=priv/ssl/ca.crt

This does work if I run the server under R15B02.

I have gnutls 3.2.4, the latest stable release. If you run
gnutls-cli-debug against the server, you get this:

Checking for TLS 1.0 support... no
Checking for TLS 1.1 support... no
Checking fallback from TLS 1.1 to... failed
Checking for TLS 1.2 support... no
Checking whether we need to disable TLS 1.2... yes
Checking whether we need to disable TLS 1.1... no
Checking whether we need to disable TLS 1.0... no
Checking for Safe renegotiation support... no

So gnutls doesn't think R16B02 supports tlsv2.

Same output when running under R15B02 (which is what I had handy):

Checking for TLS 1.0 support... yes
Checking for TLS 1.1 support... no
Checking fallback from TLS 1.1 to... TLS 1.0
Checking for TLS 1.2 support... no
Checking whether we need to disable TLS 1.2... no
Checking whether we need to disable TLS 1.1... no
Checking whether we need to disable TLS 1.0... N/A

Andrew


More information about the erlang-bugs mailing list