[erlang-bugs] SSL Client Certificate Request types with EC certificates

Peter Cooper pcooper@REDACTED
Fri Jul 11 16:42:29 CEST 2014


It's entirely possible (even likely) I'm misunderstanding something about how these SSL ciphers are supposed to work, but the behavior I'm seeing looks like an Erlang issue to me. I'm trying to use RabbitMQ on Erlang 17.1 on 64-bit Windows 7, requiring a connection using SSL with a client certificate. All the certificates are using elliptic curve (secp256k1) keys. However, my client (in Java) isn't sending its client certificate because the CertificateRequest message from the RabbitMQ/Erlang server is saying that it's requesting an RSA certificate, whereas all I have is an EC certificate. I'm trying to use cipher suite {ecdhe_ecdsa, aes_128_cbc, sha256} which I think is the correct one, but the place that specifies what types of certificates to request (ssl_handshake's certificate_types function) at
https://github.com/erlang/otp/blob/maint-17/lib/ssl/src/ssl_handshake.erl#L1110
doesn't seem to handle this case correctly and always asks for just an RSA certificate rather than an ECDSA certificate.

When I connect to the server using the same keys with "openssl s_client", the connection is established and the certificate gets sent fine, which leads me to think that openssl isn't checking for the type in the CertificateRequest message and is just sending the certificate I specify. So it looks like Erlang's SSL module can handle the certificate just fine if the client ignores the list of requested types.

Thanks for any help you could provide.

-- 
Peter Cooper Jr.
Sr. Software Engineer
EFI
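
Added example, not part of the original post and not OTP's code: a parser for the CertificateRequest handshake message that shows how a client which filters on `certificate_types` decides whether to offer an EC certificate. It assumes the TLS 1.2 layout from RFC 5246 section 7.4.4; the function names and the sample messages are constructed for illustration.

```python
# ClientCertificateType codes (RFC 5246 section 7.4.4, RFC 4492 section 5.5)
CERT_TYPES = {1: "rsa_sign", 2: "dss_sign", 3: "rsa_fixed_dh", 4: "dss_fixed_dh",
              64: "ecdsa_sign", 65: "rsa_fixed_ecdh", 66: "ecdsa_fixed_ecdh"}
# Type a type-checking client must find before offering a signing key of each kind
KEY_TO_TYPE = {"RSA": "rsa_sign", "DSA": "dss_sign", "EC": "ecdsa_sign"}

def parse_certificate_request(msg: bytes) -> dict:
    """Parse one TLS 1.2 CertificateRequest handshake message, header included."""
    if len(msg) < 4 or msg[0] != 13:  # 13 = certificate_request
        raise ValueError("not a certificate_request handshake message")
    body = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    if len(body) != int.from_bytes(msg[1:4], "big"):
        raise ValueError("truncated handshake message")
    pos = 0

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("field runs past end of message")
        chunk, pos = body[pos:pos + n], pos + n
        return chunk

    types = [CERT_TYPES.get(t, f"unknown({t})") for t in take(take(1)[0])]
    sig = take(int.from_bytes(take(2), "big"))
    if len(sig) % 2:
        raise ValueError("odd-length supported_signature_algorithms")
    cas = take(int.from_bytes(take(2), "big"))
    if pos != len(body):
        raise ValueError("trailing bytes after certificate_authorities")
    return {"certificate_types": types,
            "signature_algorithms": [(sig[i], sig[i + 1]) for i in range(0, len(sig), 2)],
            "certificate_authorities_len": len(cas)}

def strict_client_would_send(msg: bytes, key_type: str) -> bool:
    """True if a client that honours certificate_types would offer this key."""
    return KEY_TO_TYPE[key_type] in parse_certificate_request(msg)["certificate_types"]

def build_request(types: list, sig_algs: bytes) -> bytes:
    """Construct a sample message (empty certificate_authorities) for the demo."""
    body = (bytes([len(types)]) + bytes(types) + len(sig_algs).to_bytes(2, "big")
            + sig_algs + (0).to_bytes(2, "big"))
    return b"\x0d" + len(body).to_bytes(3, "big") + body

# Constructed samples: (hash, signature) pairs 04 01 = sha256/rsa, 04 03 = sha256/ecdsa
RSA_ONLY = build_request([1], b"\x04\x01")  # lists only rsa_sign, as the post describes
WITH_ECDSA = build_request([64, 1], b"\x04\x03\x04\x01")  # also lists ecdsa_sign

if __name__ == "__main__":
    for name, msg in (("RSA_ONLY", RSA_ONLY), ("WITH_ECDSA", WITH_ECDSA)):
        print(name, parse_certificate_request(msg)["certificate_types"],
              "EC cert sent:", strict_client_would_send(msg, "EC"))
```

To check a real server, feed the function the certificate_request handshake bytes taken from a packet capture of the connection.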
