[erlang-bugs] Incomplete Elliptic Curve Cipher Suites in R16B01 and R16B02
Ingela Anderton Andin
Mon Oct 7 21:43:49 CEST 2013
On 10/07/2013 06:14 PM, Andrew Thompson wrote:
> On Mon, Oct 07, 2013 at 09:47:09AM +0200, Ingela Anderton Andin wrote:
>> "This section specifies a TLS extension that can be included with the
>> ServerHello message as described in [4 <http://tools.ietf.org/html/rfc4492#ref-4>], the Supported Point Formats
>> When this extension is sent:
>> The Supported Point Formats Extension is included in a ServerHello
>> message in response to a ClientHello message containing the Supported
>> Point Formats Extension when negotiating an ECC cipher suite."
> Yes, that is for the 'Supported Point Format Extension',
> which the RFC says is fine to send in the ServerHello, but the RFC
> doesn't say anything about the `Supported Elliptic Curves Extension`
> being sent in a ServerHello, only in a ClientHello
Yes I agree, may patch should remove the sending of that extension in
the server hello.
The reason why this still could work with openssl I think is because
unknown hello extensions according to the protocol shall be ignored.
> I'll try your patch, although I admit that the complexity of it is a
> little beyond my understanding.
Let me know how it goes and can try to explain it to you later if you
want to know.
Regards Ingela Erlang/OTP team - Ericcson AB
More information about the erlang-bugs