[erlang-bugs] Incomplete Elliptic Curve Cipher Suites in R16B01 and R16B02

Ingela Anderton Andin <>
Mon Oct 7 21:43:49 CEST 2013


On 10/07/2013 06:14 PM, Andrew Thompson wrote:
> On Mon, Oct 07, 2013 at 09:47:09AM +0200, Ingela Anderton Andin wrote:
>>    "This section specifies a TLS extension that can be included with the
>>     ServerHello message as described in [4  <http://tools.ietf.org/html/rfc4492#ref-4>], the Supported Point Formats
>>     Extension.
>>     When this extension is sent:
>>     The Supported Point Formats Extension is included in a ServerHello
>>     message in response to a ClientHello message containing the Supported
>>     Point Formats Extension when negotiating an ECC cipher suite."
> Yes, that is for the 'Supported Point Format Extension',
> which the RFC says is fine to send in the ServerHello, but the RFC
> doesn't say anything about the `Supported Elliptic Curves Extension`
> being sent in a ServerHello, only in a ClientHello

Yes  I agree, may patch should remove the sending of that extension in 
the server hello.
The reason why this still could work with openssl I think is because
unknown hello extensions according to the protocol shall be ignored.

> I'll try your patch, although I admit that the complexity of it is a
> little beyond my understanding.
Let me know how it goes and can try to explain it to you later if you 
want to know.

Regards Ingela Erlang/OTP team - Ericcson AB

More information about the erlang-bugs mailing list