[erlang-bugs] Incomplete Elliptic Curve Cipher Suites in R16B01 and R16B02

Klaus Trainer <>
Tue Oct 8 01:31:52 CEST 2013


Hi Ingela,

I tried out your 'ia/ssl/ecc-gnutls' branch and now it works fine (both
with Chromium and Firefox).  Chromium tells me that the used cipher
suite is ECDHE-RSA-AES256-SHA.  I'll also do tests with an ECDSA
certificate later and tell you if there's any issue.

Thanks :)


On Mon, 2013-10-07 at 15:27 +0200, Ingela Anderton Andin wrote:
> Hi!
> 
> I have not had time to make any gnutls test yet. But you could try out 
> the following (still works with Openssl) and I think should be the 
> correct solution to the problem.
> 
> I think the problem had three
> parts,
> 
> * An explicit client ECC-curves option was not honored by Erlang server
> 
> * gnutls does not seem to ignore unknown server hello extensions
> 
> * Erlang server sent an option too much in its ECC-extensions.
> 
> https://github.com/IngelaAndin/otp/tree/ia/ssl/ecc-gnutls
> 
> 
> Regards Ingela Erlang/OTP team - Ericsson AB
> 
> 
> On 10/05/2013 06:36 AM, Andrew Thompson wrote:
> > So, for the 23 ciphers that fail, all but one of them also fail under
> > openssl. The one that doesn't fail under OpenSSL is the IDEA-CBC-SHA,
> > which erlang doesn't seem to support.
> >
> > The ECDSA ciphers fail because we're not using ECC keys. I'm not sure
> > why the others fail, but at least it is consistent.
> >
> > The bugs I found earlier only seems to manifest when using a non-openssl
> > client, but that might well explain the issues with chrome because
> > chrome links against gnutls.
> >
> > However, I am now able to connect over HTTPS from both chrome and
> > firefox to the erlang http server that before would not connect.
> >
> > Here's a diff to patch the file:
> >
> > https://gist.github.com/Vagabond/6836706
> >
> > Note that this probably isn't the 'right' thing to do, for example
> > select_curve/1 should probably filter the client provided list  based on
> > what the server supports, and I'm not sure if EcPointFormats needs to be
> > negotiated.
> >
> > However, the patch does seem to fix the immediate problem.
> >
> > Andrew
> > _______________________________________________
> > erlang-bugs mailing list
> > 
> > http://erlang.org/mailman/listinfo/erlang-bugs
> >
> 
> _______________________________________________
> erlang-bugs mailing list
> 
> http://erlang.org/mailman/listinfo/erlang-bugs

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL: <http://erlang.org/pipermail/erlang-bugs/attachments/20131008/6403cbe8/attachment.bin>


More information about the erlang-bugs mailing list