[erlang-bugs] Incomplete Elliptic Curve Cipher Suites in R16B01 and R16B02
Tue Oct 8 01:31:52 CEST 2013
I tried out your 'ia/ssl/ecc-gnutls' branch and now it works fine (both
with Chromium and Firefox). Chromium tells me that the used cipher
suite is ECDHE-RSA-AES256-SHA. I'll also do tests with an ECDSA
certificate later and tell you if there's any issue.
On Mon, 2013-10-07 at 15:27 +0200, Ingela Anderton Andin wrote:
> I have not had time to make any gnutls test yet. But you could try out
> the following (still works with Openssl) and I think should be the
> correct solution to the problem.
> I think the problem had three
> * An explicit client ECC-curves option was not honored by Erlang server
> * gnutls does not seem to ignore unknown server hello extensions
> * Erlang server sent an option too much in its ECC-extensions.
> Regards Ingela Erlang/OTP team - Ericsson AB
> On 10/05/2013 06:36 AM, Andrew Thompson wrote:
> > So, for the 23 ciphers that fail, all but one of them also fail under
> > openssl. The one that doesn't fail under OpenSSL is the IDEA-CBC-SHA,
> > which erlang doesn't seem to support.
> > The ECDSA ciphers fail because we're not using ECC keys. I'm not sure
> > why the others fail, but at least it is consistent.
> > The bugs I found earlier only seems to manifest when using a non-openssl
> > client, but that might well explain the issues with chrome because
> > chrome links against gnutls.
> > However, I am now able to connect over HTTPS from both chrome and
> > firefox to the erlang http server that before would not connect.
> > Here's a diff to patch the file:
> > https://gist.github.com/Vagabond/6836706
> > Note that this probably isn't the 'right' thing to do, for example
> > select_curve/1 should probably filter the client provided list based on
> > what the server supports, and I'm not sure if EcPointFormats needs to be
> > negotiated.
> > However, the patch does seem to fix the immediate problem.
> > Andrew
> > _______________________________________________
> > erlang-bugs mailing list
> > http://erlang.org/mailman/listinfo/erlang-bugs
> erlang-bugs mailing list
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 836 bytes
Desc: This is a digitally signed message part
More information about the erlang-bugs