<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">Hi!<br>
<br>
I think your test is a little too naive! I just run your test
against an openssl server ( OpenSSL 1.0.1 14 Mar 2012)<br>
and here is the result:<br>
<br>
works not: ECDHE-RSA-AES256-SHA384<br>
works not: ECDHE-ECDSA-AES256-SHA384<br>
works: ECDHE-RSA-AES256-SHA<br>
works not: ECDHE-ECDSA-AES256-SHA<br>
works not: DHE-RSA-AES256-SHA256<br>
works not: DHE-DSS-AES256-SHA256<br>
works: DHE-RSA-AES256-SHA<br>
works not: DHE-DSS-AES256-SHA<br>
works not: ECDH-RSA-AES256-SHA384<br>
works not: ECDH-ECDSA-AES256-SHA384<br>
works not: ECDH-RSA-AES256-SHA<br>
works not: ECDH-ECDSA-AES256-SHA<br>
works not: AES256-SHA256<br>
works: AES256-SHA<br>
works: ECDHE-RSA-DES-CBC3-SHA<br>
works not: ECDHE-ECDSA-DES-CBC3-SHA<br>
works not: ECDH-RSA-DES-CBC3-SHA<br>
works not: ECDH-ECDSA-DES-CBC3-SHA<br>
works: DES-CBC3-SHA<br>
works not: ECDHE-RSA-AES128-SHA256<br>
works not: ECDHE-ECDSA-AES128-SHA256<br>
works: ECDHE-RSA-AES128-SHA<br>
works not: ECDHE-ECDSA-AES128-SHA<br>
works not: DHE-RSA-AES128-SHA256<br>
works not: DHE-DSS-AES128-SHA256<br>
works: DHE-RSA-AES128-SHA<br>
works not: DHE-DSS-AES128-SHA<br>
works not: ECDH-RSA-AES128-SHA256<br>
works not: ECDH-ECDSA-AES128-SHA256<br>
works not: ECDH-RSA-AES128-SHA<br>
works not: ECDH-ECDSA-AES128-SHA<br>
works not: AES128-SHA256<br>
works: AES128-SHA<br>
works: ECDHE-RSA-RC4-SHA<br>
works not: ECDHE-ECDSA-RC4-SHA<br>
works not: ECDH-RSA-RC4-SHA<br>
works not: ECDH-ECDSA-RC4-SHA<br>
works: RC4-SHA<br>
works: RC4-MD5<br>
works: DES-CBC-SHA<br>
<br>
If you look closer you willl see that the error is: <br>
"140232248637088:error:1408A0C1:SSL
routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1353:"<br>
<br>
After just a quick check of <br>
<br>
your test of erlang: <br>
<pre wrap="">works not: ECDH-RSA-AES256-SHA384
</pre>
<pre><a href="cid:part1.05060104.08000707@erix.ericsson.se">Our test suite: ssl_ECC_SUITE:client_ec_server_ec/1</a>
sucessfully negotiaties ECDH-RSA-AES256-SHA384 with openssl in R16B02
So I think some of your conclusions where a bit premature.
</pre>
The problems you mentioned in R16B01 are probably fixed in R16B02<br>
<br>
"Now handles signature_algorithm field in digitally_signed<br>
properly with proper defaults. Prior to this change<br>
some elliptic curve cipher suites could fail reporting the error
"bad certificate"."<br>
<br>
Also there is at the moment a documented limitation:<br>
"Elliptic Curve cipher suites are supported if crypto supports it
and named curves are used."<br>
<br>
But your welcome to submit a new bug report if you should find a
correct setup that fails.<br>
<br>
Regards Ingela Erlang/OTP team Ericsson AB<br>
<br>
<br>
On 10/01/2013 06:09 PM, Klaus Trainer wrote:<br>
</div>
<blockquote cite="mid:1380643781.4359.8.camel@devil" type="cite">
<pre wrap="">Hey!
The incomplete implementation of elliptic curves in R16B01 and R16B02 is
an annoying issue for people who try to use Erlang/OTP's SSL/TLS
implementation. The issue is not easy to debug, and finding relevant
information on the web is not easy as well. For reference, here's a
list of the few resources that I'm aware of:
* <a class="moz-txt-link-freetext" href="http://erlang.org/pipermail/erlang-questions/2013-June/074349.html">http://erlang.org/pipermail/erlang-questions/2013-June/074349.html</a>
* <a class="moz-txt-link-freetext" href="http://erlang.org/pipermail/erlang-bugs/2013-June/003636.html">http://erlang.org/pipermail/erlang-bugs/2013-June/003636.html</a>
* <a class="moz-txt-link-freetext" href="https://github.com/extend/ranch/commit/c0c09a1311">https://github.com/extend/ranch/commit/c0c09a1311</a>
As noted in the latter resource, which is a respective workaround in
Ranch, most popular browsers (e.g. Firefox, Chromium, and Safari) are
affected by this issue.
In order to see which cipher suites are affected, I wrote an echo server
(using Ranch and its SSL transport) and a shell script that uses
`openssl s_client` in order to test several cipher suites against the
echo server. It can be found at
<a class="moz-txt-link-freetext" href="https://github.com/KlausTrainer/erl_ssl_test">https://github.com/KlausTrainer/erl_ssl_test</a> and you can compile and run
it by executing `make check`. Running it under Debian GNU/Linux 7.1
(x86_64) with R16B02 and OpenSSL 1.0.1e generates the following output:
works: ECDHE-RSA-AES256-SHA384
works not: ECDHE-ECDSA-AES256-SHA384
works: ECDHE-RSA-AES256-SHA
works not: ECDHE-ECDSA-AES256-SHA
works: DHE-RSA-AES256-SHA256
works not: DHE-DSS-AES256-SHA256
works: DHE-RSA-AES256-SHA
works not: DHE-DSS-AES256-SHA
works not: ECDH-RSA-AES256-SHA384
works not: ECDH-ECDSA-AES256-SHA384
works not: ECDH-RSA-AES256-SHA
works not: ECDH-ECDSA-AES256-SHA
works: AES256-SHA256
works: AES256-SHA
works: ECDHE-RSA-DES-CBC3-SHA
works not: ECDHE-ECDSA-DES-CBC3-SHA
works not: ECDH-RSA-DES-CBC3-SHA
works not: ECDH-ECDSA-DES-CBC3-SHA
works: DES-CBC3-SHA
works: ECDHE-RSA-AES128-SHA256
works not: ECDHE-ECDSA-AES128-SHA256
works: ECDHE-RSA-AES128-SHA
works not: ECDHE-ECDSA-AES128-SHA
works: DHE-RSA-AES128-SHA256
works not: DHE-DSS-AES128-SHA256
works: DHE-RSA-AES128-SHA
works not: DHE-DSS-AES128-SHA
works not: ECDH-RSA-AES128-SHA256
works not: ECDH-ECDSA-AES128-SHA256
works not: ECDH-RSA-AES128-SHA
works not: ECDH-ECDSA-AES128-SHA
works: AES128-SHA256
works: AES128-SHA
works: ECDHE-RSA-RC4-SHA
works not: ECDHE-ECDSA-RC4-SHA
works not: ECDH-RSA-RC4-SHA
works not: ECDH-ECDSA-RC4-SHA
works: RC4-SHA
works: RC4-MD5
works: DES-CBC-SHA
I hope this helps.
Regards,
Klaus
</pre>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
erlang-bugs mailing list
<a class="moz-txt-link-abbreviated" href="mailto:erlang-bugs@erlang.org">erlang-bugs@erlang.org</a>
<a class="moz-txt-link-freetext" href="http://erlang.org/mailman/listinfo/erlang-bugs">http://erlang.org/mailman/listinfo/erlang-bugs</a>
</pre>
</blockquote>
<br>
</body>
</html>