[erlang-bugs] Incomplete Elliptic Curve Cipher Suites in R16B01 and R16B02

Ingela Anderton Andin ingela.anderton.andin@REDACTED
Mon Oct 7 10:19:57 CEST 2013


Hi again!

On 10/05/2013 06:36 AM, Andrew Thompson wrote:
> So, for the 23 ciphers that fail, all but one of them also fail under
> openssl. The one that doesn't fail under OpenSSL is the IDEA-CBC-SHA,
> which erlang doesn't seem to support.

It is correct that Erlang does not support IDEA-ciphers.  We could
easily include support for them but as they have been deprecated by
the latest TLS spec we see no real need to implement them.

> The ECDSA ciphers fail because we're not using ECC keys. I'm not sure
> why the others fail, but at least it is consistent.
>
> The bugs I found earlier only seem to manifest when using a non-openssl
> client, but that might well explain the issues with chrome because
> chrome links against gnutls.
>

Well, that would make sense, as OpenSSL is the client and server we use in our
interoperability tests, and we have quite a few of those. Perhaps we ought to
create a gnutls test suite as well!

> However, I am now able to connect over HTTPS from both chrome and
> firefox to the erlang http server that before would not connect.
>
> Here's a diff to patch the file:
>
> https://gist.github.com/Vagabond/6836706
>
> Note that this probably isn't the 'right' thing to do, for example
> select_curve/1 should probably filter the client provided list based on
> what the server supports, and I'm not sure if EcPointFormats needs to be
> negotiated.
>
> However, the patch does seem to fix the immediate problem.
>
Thanks again for all your input! I will make sure the problem is fixed.
TLS is very flexible, which makes it hard to be certain you covered all
possible combinations of input.

Regards Ingela Erlang OTP team - Ericsson AB



