[erlang-bugs] Incomplete Elliptic Curve Cipher Suites in R16B01 and R16B02
Ingela Anderton Andin
Mon Oct 7 15:27:35 CEST 2013
I have not had time to make any gnutls test yet. But you could try out
the following (still works with Openssl) and I think should be the
correct solution to the problem.
I think the problem had three
* An explicit client ECC-curves option was not honored by Erlang server
* gnutls does not seem to ignore unknown server hello extensions
* Erlang server sent an option too much in its ECC-extensions.
Regards Ingela Erlang/OTP team - Ericsson AB
On 10/05/2013 06:36 AM, Andrew Thompson wrote:
> So, for the 23 ciphers that fail, all but one of them also fail under
> openssl. The one that doesn't fail under OpenSSL is the IDEA-CBC-SHA,
> which erlang doesn't seem to support.
> The ECDSA ciphers fail because we're not using ECC keys. I'm not sure
> why the others fail, but at least it is consistent.
> The bugs I found earlier only seems to manifest when using a non-openssl
> client, but that might well explain the issues with chrome because
> chrome links against gnutls.
> However, I am now able to connect over HTTPS from both chrome and
> firefox to the erlang http server that before would not connect.
> Here's a diff to patch the file:
> Note that this probably isn't the 'right' thing to do, for example
> select_curve/1 should probably filter the client provided list based on
> what the server supports, and I'm not sure if EcPointFormats needs to be
> However, the patch does seem to fix the immediate problem.
> erlang-bugs mailing list
More information about the erlang-bugs