[erlang-bugs] Incomplete Elliptic Curve Cipher Suites in R16B01 and R16B02
Andrew Thompson
andrew@REDACTED
Sat Oct 5 06:36:45 CEST 2013
So, for the 23 ciphers that fail, all but one of them also fail under
openssl. The one that doesn't fail under OpenSSL is the IDEA-CBC-SHA,
which erlang doesn't seem to support.
The ECDSA ciphers fail because we're not using ECC keys. I'm not sure
why the others fail, but at least it is consistent.
The bugs I found earlier only seems to manifest when using a non-openssl
client, but that might well explain the issues with chrome because
chrome links against gnutls.
However, I am now able to connect over HTTPS from both chrome and
firefox to the erlang http server that before would not connect.
Here's a diff to patch the file:
https://gist.github.com/Vagabond/6836706
Note that this probably isn't the 'right' thing to do, for example
select_curve/1 should probably filter the client provided list based on
what the server supports, and I'm not sure if EcPointFormats needs to be
negotiated.
However, the patch does seem to fix the immediate problem.
Andrew
More information about the erlang-bugs
mailing list