[erlang-bugs] Fwd: Re: Incomplete Elliptic Curve Cipher Suites in R16B01 and R16B02

Ingela Anderton Andin ingela.anderton.andin@REDACTED
Mon Oct 7 09:52:54 CEST 2013




-------- Original Message --------
Subject: 	Re: [erlang-bugs] Incomplete Elliptic Curve Cipher Suites in R16B01 and R16B02
Date: 	Mon, 07 Oct 2013 08:37:56 +0200
From: 	Ingela Anderton Andin <ingela@REDACTED>
To: 	Andrew Thompson <andrew@REDACTED>



On 10/04/2013 08:49 PM, Andrew Thompson wrote:
> I'm not sure openssl s_client supports TLS 1.2.

Not by default, only if you configure it to! (-tls1_2)

Regards Ingela Erlang/OTP team - Ericsson AB

> If you look at the
> errors the s_client spits out (by removing the dev null redirection) I
> get:
>
> 139688779572880:error:1407742F:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1
> alert insufficient security:s23_clnt.c:741:
>
> exactly as many times as I get 'work not' from the output. As I
> understand it, this means the server is asking for a ciphersuite that
> the client does not support.
>
> Apparently gnutls-cli supports tls 1.2, although I can't get gnutls to
> connect to the erl_ssl_test server under R16B02, it only reports
>
> GnuTLS error: An illegal TLS extension was received.
>
> When I try to do:
>
> gnutls-cli -p 5555 localhost --x509cafile=priv/ssl/ca.crt
>
> This does work if I run the server under R15B02.
>
> I have gnutls 3.2.4, the latest stable release. If you run
> gnutls-cli-debug against the server, you get this:
>
> Checking for TLS 1.0 support... no
> Checking for TLS 1.1 support... no
> Checking fallback from TLS 1.1 to... failed
> Checking for TLS 1.2 support... no
> Checking whether we need to disable TLS 1.2... yes
> Checking whether we need to disable TLS 1.1... no
> Checking whether we need to disable TLS 1.0... no
> Checking for Safe renegotiation support... no
>
> So gnutls doesn't think R16B02 supports tlsv2.
>
> Same output when running under R15B02 (which is what I had handy):
>
> Checking for TLS 1.0 support... yes
> Checking for TLS 1.1 support... no
> Checking fallback from TLS 1.1 to... TLS 1.0
> Checking for TLS 1.2 support... no
> Checking whether we need to disable TLS 1.2... no
> Checking whether we need to disable TLS 1.1... no
> Checking whether we need to disable TLS 1.0... N/A
>
> Andrew



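Added example, not part of the original thread: a decoder for the s_client error line quoted above, showing that the packed code 1407742F carries TLS alert 71 (insufficient_security). It assumes the OpenSSL 1.x error-code layout (8-bit library, 12-bit function, 12-bit reason); the function name `decode_openssl_error` and the alert table subset are illustrative.

```python
import re

# OpenSSL 1.x packs an error as: 8-bit library | 12-bit function | 12-bit reason
# (ERR_GET_LIB / ERR_GET_FUNC / ERR_GET_REASON). OpenSSL 3.x uses another layout.
ERR_LIB_SSL = 20
SSL_AD_REASON_OFFSET = 1000  # SSL reasons above this are 1000 + TLS alert number

# Subset of TLS alert descriptions from RFC 5246, section 7.2.
TLS_ALERTS = {
    40: "handshake_failure",
    47: "illegal_parameter",
    70: "protocol_version",
    71: "insufficient_security",
    80: "internal_error",
}

ERR_LINE = re.compile(
    r"^(?P<thread>\d+):error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):"
    r"(?P<func>[^:]*):(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):"
)

def decode_openssl_error(text):
    """Decode one OpenSSL 1.x error-queue line, even if a mailer wrapped it."""
    joined = " ".join(text.split())  # undo line wrapping
    m = ERR_LINE.match(joined)
    if m is None:
        raise ValueError("not an OpenSSL 1.x error line")
    code = int(m["code"], 16)
    lib = (code >> 24) & 0xFF
    func = (code >> 12) & 0xFFF
    reason = code & 0xFFF
    alert = None
    if lib == ERR_LIB_SSL and reason > SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET  # alert number sent by the peer
    return {
        "lib": lib, "func": func, "reason": reason,
        "func_name": m["func"], "reason_text": m["reason"],
        "source": "%s:%s" % (m["file"], m["line"]),
        "alert": alert, "alert_name": TLS_ALERTS.get(alert),
    }

# The error line as quoted (and wrapped) in the message above.
SAMPLE = """139688779572880:error:1407742F:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1
alert insufficient security:s23_clnt.c:741:"""

if __name__ == "__main__":
    print(decode_openssl_error(SAMPLE))
```
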