[erlang-bugs] Fwd: Re: Incomplete Elliptic Curve Cipher Suites in R16B01 and R16B02

Klaus Trainer <>
Mon Oct 7 10:58:43 CEST 2013


Ah, thanks, I've missed that!

If I add -tls1_2 in my erl_ssl_check check-ciphers.sh script the test
passes for all cipher suites.


On Mon, 2013-10-07 at 09:52 +0200, Ingela Anderton Andin wrote:
> 
> 
> 
> -------- Original Message -------- 
>                           Subject: 
> Re: [erlang-bugs] Incomplete
> Elliptic Curve Cipher Suites in
> R16B01 and R16B02
>                              Date: 
> Mon, 07 Oct 2013 08:37:56 +0200
>                              From: 
> Ingela Anderton Andin
> <>
>                                To: 
> Andrew Thompson
> <>
> 
> 
> On 10/04/2013 08:49 PM, Andrew Thompson wrote:
> > I'm not sure openssl s_client supports TLS 1.2.
> 
> Not by default only if you configure it to! (-tls1_2)
> 
> Regards Ingela Erlang/OTP team - Ericsson AB
> 
> > If you look at the
> > errors the s_client spits out (by removing the dev null redirection) I
> > get:
> >
> > 139688779572880:error:1407742F:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1
> > alert insufficient security:s23_clnt.c:741:
> >
> > exactly as many times as I get 'work not' from the output. As I
> > understand it, this means the server is asking for a ciphersuites that
> > the client does not support.
> >
> > Apparently gnutls-cli supports tls 1.2, although I can't get gnutls to
> > connect to the erl_ssl_test server under R16B02, it only reports
> >
> > GnuTLS error: An illegal TLS extension was received.
> >
> > When I try to do:
> >
> > gnutls-cli -p 5555 localhost --x509cafile=priv/ssl/ca.crt
> >
> > This does work if I run the server under R15B02.
> >
> > I have gnutls 3.2.4, the latest stable release. If you run
> > gnutls-cli-debug against the server, you get this:
> >
> > Checking for TLS 1.0 support... no
> > Checking for TLS 1.1 support... no
> > Checking fallback from TLS 1.1 to... failed
> > Checking for TLS 1.2 support... no
> > Checking whether we need to disable TLS 1.2... yes
> > Checking whether we need to disable TLS 1.1... no
> > Checking whether we need to disable TLS 1.0... no
> > Checking for Safe renegotiation support... no
> >
> > So gnutls doesn't think R16B02 supports tlsv2.
> >
> > Same output when running under R15B02 (which is what I had handy):
> >
> > Checking for TLS 1.0 support... yes
> > Checking for TLS 1.1 support... no
> > Checking fallback from TLS 1.1 to... TLS 1.0
> > Checking for TLS 1.2 support... no
> > Checking whether we need to disable TLS 1.2... no
> > Checking whether we need to disable TLS 1.1... no
> > Checking whether we need to disable TLS 1.0... N/A
> >
> > Andrew
> > _______________________________________________
> > erlang-bugs mailing list
> > 
> > http://erlang.org/mailman/listinfo/erlang-bugs
> >
> 
> 
> 
> 
> _______________________________________________
> erlang-bugs mailing list
> 
> http://erlang.org/mailman/listinfo/erlang-bugs

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL: <http://erlang.org/pipermail/erlang-bugs/attachments/20131007/a90bb875/attachment-0001.bin>


More information about the erlang-bugs mailing list