[erlang-bugs] Incomplete Elliptic Curve Cipher Suites in R16B01 and R16B02

Ingela Anderton Andin ingela.anderton.andin@REDACTED
Mon Oct 7 09:47:09 CEST 2013


Hi!

On 10/04/2013 09:55 PM, Andrew Thompson wrote:
> If I use
>
> gnutls-serv -p 5555 --x509keyfile=priv/ssl/server.key
> --x509certfile=priv/ssl/server.crt --x509cafile=priv/ssl/ca.crt
>
> and connect with:
>
> gnutls-cli -VVVVV -p 5555 localhost --x509cafile=priv/ssl/ca.crt
>
> I'm able to successfully negotiate a TLS 1.2 connection. Wireshark shows
> significant differences in the Server Hello that Erlang sends vs the one
> gnutls sends. I am able to get chrome to do a 1.2 handshake with the
> gnutls server using ---http to make gnutls-serv run as a https server.
>
> The main differences that I see in what erlang is doing vs gnutls:
>
> Erlang sends the elliptic_curves extension as part of the server hello,
> gnutls does not. The gnutls *client* does send this extension, however.
>
> According to RFC 4492:
>
> http://tools.ietf.org/html/rfc4492#section-5.1
>
> The elliptic_curves extension is a *client* hello extension and the RFC
> doesn't seem to mention the server sending it.
Section 5.2

   "This section specifies a TLS extension that can be included with the
    ServerHello message as described in [4], the Supported Point Formats
    Extension.

    When this extension is sent:

    The Supported Point Formats Extension is included in a ServerHello
    message in response to a ClientHello message containing the Supported
    Point Formats Extension when negotiating an ECC cipher suite."


Regards, Ingela, Erlang/OTP team, Ericsson AB
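
Added example (not part of the original thread and not Erlang/OTP code): a check of a ServerHello body for the two RFC 4492 extensions discussed above, reporting elliptic_curves (type 10), which section 5.1.1 defines for the ClientHello, and accepting ec_point_formats (type 11), which section 5.2 defines for the ServerHello. The function names and the sample bytes are constructed for illustration and are not a capture from either server.

```python
import struct

# Extension type numbers from RFC 4492, section 5.1.
ELLIPTIC_CURVES = 10   # Supported Elliptic Curves, 5.1.1 (ClientHello)
EC_POINT_FORMATS = 11  # Supported Point Formats, 5.1.2 and 5.2

def server_hello_extensions(body: bytes) -> dict:
    """Map extension type -> data for a ServerHello body (the bytes
    that follow the 4-byte handshake header)."""
    pos = 2 + 32                          # server_version + random
    if len(body) <= pos:
        raise ValueError("truncated ServerHello")
    pos += 1 + body[pos] + 2 + 1          # session_id, cipher_suite, compression
    if len(body) < pos:
        raise ValueError("truncated ServerHello")
    if len(body) == pos:
        return {}                         # hello without an extensions block
    if len(body) < pos + 2:
        raise ValueError("truncated extensions length")
    (total,) = struct.unpack_from("!H", body, pos)
    pos += 2
    if pos + total != len(body):
        raise ValueError("extensions length mismatch")
    exts = {}
    while pos < len(body):
        if len(body) - pos < 4:
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        pos += 4
        if pos + ext_len > len(body):
            raise ValueError("extension overruns block")
        exts[ext_type] = body[pos:pos + ext_len]
        pos += ext_len
    return exts

def unexpected_ecc_extensions(body: bytes) -> list:
    """ECC extension types present in the ServerHello that RFC 4492
    section 5.2 does not define for it."""
    return [t for t in server_hello_extensions(body) if t == ELLIPTIC_CURVES]

def build_hello(exts: bytes) -> bytes:
    """Constructed sample: TLS 1.2, zero random, empty session_id,
    ECC cipher suite 0xC013, null compression."""
    return (b"\x03\x03" + bytes(32) + b"\x00" + b"\xc0\x13" + b"\x00"
            + struct.pack("!H", len(exts)) + exts)

POINT_FORMATS = struct.pack("!HHBB", EC_POINT_FORMATS, 2, 1, 0)  # uncompressed
CURVES = struct.pack("!HHHH", ELLIPTIC_CURVES, 4, 2, 23)         # secp256r1
AS_RFC = build_hello(POINT_FORMATS)                # point formats only
AS_REPORTED = build_hello(CURVES + POINT_FORMATS)  # shape described in the report
```
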