[erlang-bugs] Incomplete Elliptic Curve Cipher Suites in R16B01 and R16B02
Ingela Anderton Andin
ingela.anderton.andin@REDACTED
Mon Oct 7 09:47:09 CEST 2013
Hi!
On 10/04/2013 09:55 PM, Andrew Thompson wrote:
> If I use
>
> gnutls-serv -p 5555 --x509keyfile=priv/ssl/server.key
> --x509certfile=priv/ssl/server.crt --x509cafile=priv/ssl/ca.crt
>
> and connect with:
>
> gnutls-cli -VVVVV -p 5555 localhost --x509cafile=priv/ssl/ca.crt
>
> I'm able to successfully negotiate a TLS 1.2 connection. Wireshark shows
> significant differences in the Server Hello that Erlang sends vs the one
> gnutls sends. I am able to get chrome to do a 1.2 handshake with the
> gnutls server using --http to make gnutls-serv run as an https server.
>
> The main differences that I see in what erlang is doing vs gnutls:
>
> Erlang sends the elliptic_curves extension as part of the server hello,
> gnutls does not. The gnutls *client* does send this extension, however.
>
> According to RFC 4492:
>
> http://tools.ietf.org/html/rfc4492#section-5.1
>
> The elliptic_curves extension is a *client* hello extension and the RFC
> doesn't seem to mention the server sending it.
Section 5.2

"This section specifies a TLS extension that can be included with the
ServerHello message as described in [4], the Supported Point Formats
Extension.

When this extension is sent:

The Supported Point Formats Extension is included in a ServerHello
message in response to a ClientHello message containing the Supported
Point Formats Extension when negotiating an ECC cipher suite."
Regards Ingela Erlang/OTP team Ericsson AB
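
The two RFC 4492 sections cited in this thread, turned into a check that can be run over a captured ServerHello (an added example, not code from the original post or from Erlang/OTP): it parses the extension block and reports an elliptic_curves extension in the ServerHello, or an ec_point_formats extension the client did not offer. The function names and the sample message are constructed for illustration.

```python
import struct

ELLIPTIC_CURVES, EC_POINT_FORMATS = 10, 11  # extension types, RFC 4492 section 5.1

def server_hello_extensions(msg: bytes) -> dict:
    """Parse a TLS ServerHello handshake message into {extension_type: data}."""
    if len(msg) < 4 or msg[0] != 2:                 # handshake type 2 = server_hello
        raise ValueError("not a ServerHello")
    body = msg[4:]
    if len(body) != int.from_bytes(msg[1:4], "big") or len(body) < 38:
        raise ValueError("truncated ServerHello")
    pos = 34 + 1 + body[34]                         # version, random, session_id
    pos += 3                                        # cipher_suite + compression_method
    if pos > len(body):
        raise ValueError("session_id overruns message")
    if pos == len(body):
        return {}                                   # no extensions block at all
    end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    if end != len(body):
        raise ValueError("bad extensions length")
    pos, exts = pos + 2, {}
    while pos < end:
        if pos + 4 > end:
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        if pos + 4 + ext_len > end:
            raise ValueError("extension overruns block")
        exts[ext_type] = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
    return exts

def audit_server_hello(msg: bytes, client_ext_types: set) -> list:
    """Compare the ServerHello ECC extensions with RFC 4492 sections 5.1 and 5.2."""
    exts, findings = server_hello_extensions(msg), []
    if ELLIPTIC_CURVES in exts:
        findings.append("elliptic_curves in ServerHello (ClientHello extension, 5.1)")
    if EC_POINT_FORMATS in exts and EC_POINT_FORMATS not in client_ext_types:
        findings.append("ec_point_formats sent but not offered by the client (5.2)")
    return findings

def build_server_hello(exts: list) -> bytes:
    """Constructed sample: TLS 1.2 ServerHello, empty session_id, suite 0xC02F."""
    block = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in exts)
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\xc0\x2f" + b"\x00"
    body += struct.pack("!H", len(block)) + block
    return b"\x02" + len(body).to_bytes(3, "big") + body

POINT_FORMATS = (EC_POINT_FORMATS, b"\x01\x00")     # constructed: uncompressed only
CURVES = (ELLIPTIC_CURVES, b"\x00\x02\x00\x17")     # constructed: secp256r1
```

The input is the handshake message itself, starting at the handshake type byte, with the 5-byte TLS record header already removed.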